Dive Brief: 

• Underground criminal networks selling unauthorized access to compromised enterprise networks have emerged in recent years as a critical element in the evolution of ransomware and other criminal cyber activity, according to a whitepaper released Tuesday by IntSights, a recently acquired unit of Rapid7. The criminal middlemen provide remote access to an enterprise network, administrator credentials or access to other privileged accounts that allow unauthorized actors to access a compromised system.

• The sophisticated intermediaries often target technology and telecommunications firms and command higher prices in underground forums. They typically sell remote desktop protocol or VPN credentials, but do not disclose the initial access vector, according to the whitepaper. 

• Attackers that specialize in initial compromises may not have the skills, time or labor resources to monetize and exploit proceeds efficiently, IntSights found. Resources may be especially tight in ransomware attacks targeting operational technology, industrial control systems or supervisory control and data acquisition.

Dive Insight:

The criminal underground that feeds off malicious cyber activity includes a network of operators that target U.S. companies for ransomware attacks specialized into operational buckets, according to the report. 

"This division of labor enables them to devote themselves fully to what they are best at, and it strengthens the criminal ecosystem overall by allowing the people who are best at any given function to devote more of their time and resources to it," said Paul Prudhomme, threat intelligence advisor at Rapid7, via email. 

A criminal may be extremely adept at gaining network access in purely technical terms, but may not have the business acumen to monetize stolen data, according to Prudhomme.

IntSight conducted a quantitative and qualitative analysis of a sample of 46 different network access sales between September 2019 and May of 2021. The researchers analyzed topics ranging from international markets targeted by the threat actors to the methods of monetizing the proceeds. 

Thirty of the 46 (65%) network access sales analyzed by IntSight researchers were hosted on Russian-language forums, while 16 were on English-language forums. Russia has been associated with recent high-profile ransomware attacks, including the Colonial Pipeline attack, linked to the DarkSide organization, and the attacks on Kaseya and international meat supplier JBS, linked to REvil. 

Almost every network access offering, 40 of the 46, specified the location of the victims. Four in 10, or 15 of the 40 victims, were based in North America. Attackers preferred English-speaking victims in wealthy economies, as such a widely used business language makes the compromise easier, according to the research. 

On average, a network access sale costs $9,640, however the median price was $3,000. Very high prices among some of the most expensive access items caused the gap, researchers found. 

The whitepaper includes suggestions for best practices to prevent network access attacks in the future. Some of the suggested actions include the following:

• Require strong, unique and frequently changed passwords

• Implement two-factor authentication, particularly for RDP, VPN and other remote access services

• Use mobile authentication apps, rather than SMS for two-factor authentication

• Monitor credential dumps for email addresses from your organization’s domain

• Update VPN software to the latest security patches