Who are Initial Access Brokers

Initial access brokers can be both individuals or groups, part of a ransomware supply chain, who obtain access to mostly corporate networks and systems using a range of methods, including compromised credentials, vulnerability exploits, and brute-force attacks. These means of access are then advertised and offered for sale by access brokers, typically on criminal forums and marketplaces. In the last few years, ransomware-as-a-service groups have taken a particular interest in initial access brokers, in order to buy their way into victims’ networks and systems, and then deploy ransomware attacks or exfiltrate data. For this reason, the demand for the figure of initial access brokers continues to grow, as also shown by an increase in the number of listings offering initial access on the dark web in the past couple of years.

How do Initial Access Brokers operate? 

Similarly to the ransomware-as-a-service model that has gained popularity in the past few years, initial access brokers offer access-as-a-service, by providing threat actors with the means to access corporate networks for a set price. Initial access brokers typically sell or broker not only stolen credentials, but also   access, web shell access, panels access, VPN access, and access to Remote Monitoring and Management tools, among others. By offering these means of access for sale, access brokers allow attackers to avoid the time-consuming process of searching for exploitable vulnerabilities in a target organisation’s systems. The attackers can now purchase the initial access from access brokers, quickly enter the company’s system or network, and focus on moving laterally and escalating privileges, in order to find the most valuable data.

Initial Access listings and pricing 

Initial access brokers’ listings can be found on criminal forums and marketplaces, and have become so popular that many forums have created dedicated sections for them. In these listings, initial access brokers typically disclose the sector of the victim organisation, the annual revenue of the company, and the type of access. Most times the price is not publicly disclosed, and will only be revealed in private and direct messages with potential buyers. According to research, access brokers have listed access to organisations in over 30 different sectors, including technology, government and academic sectors. The listing for access to US companies are far superior to those for all other countries, with other affected countries being the UK, Brazil, France, Spain, and Germany. In the US and France, the listings target mainly the educational sector, while in Germany the most advertised are both the educational and manufacturing sectors. Regardless of being one of the most advertised sectors, educational targets are priced less than other sectors, with an average asking price of $3,827, compared to an average of $6,151 for the government sector. An important factor that influences the price of access is the country the company or organisation is based in, with targets in the US, UK and Canada attracting a higher asking price. As the price depends on a range of factors, including the annual revenue of the target organisation, the rate of these listings can range from $500 up to $100,000.

Prolific Initial Access Brokers: Exotic Lily and Wazawaka

One of the most prolific access brokers is Exotic Lily, a highly specialised group that finds vulnerabilities in the defence of organisations, exploits them, and then sells the access to interested buyers. The group, who is financially motivated, is said to work closely with the data exfiltration and ransomware campaign operations of the high-profile threat actors Conti and Diavol. According to experts, Exotic Lily initially mainly advertised access for targets in the IT, cybersecurity and healthcare sectors, but then became less specialised, focusing on targets in diverse sectors. The group appears to rely on social engineering tactics to gain initial access into organisations and companies, launching large-scale phishing campaigns. Exotic Lily has been observed sending up to 5,000 non-automated emails per day to over 650 organisations worldwide. It appears that the group’s activity follows a typical 9 to 5 business-like job, with low levels of activity on weekends. The group appears to be based in Central or Eastern Europe, based on the working hours.

Another prolific figure is that of Wazawaka, which is active mainly on Russian e-crime forums, and which initially started by selling tools to perform DDoS attacks. In recent years, Wazawaka has shifted its focus to selling access to organisations and companies, in addition to selling access to databases that have been stolen during cyberattacks on companies. In its posts, Wazawaka states it has done business with two of the most prolific ransomware groups of the past years, LockBit and DarkSide. The latter was responsible for the ransomware attack on the Colonial Pipeline in May 2021, which caused a week-long halting of operations.

Initial access brokers are important figures that sit at the beginning of the cybercrime chain. and specialise in providing a highly sought-after element necessary in criminal operations. Ransomware groups and threat actors rely on initial access brokers to gain quick access to companies and organisations, which will in turn allow them to focus on launching successful attacks, and on finding and compromising valuable data.

The specialisation into different roles in the cybercrime chain, such as in the role of initial access brokers, is a perfect demonstration of how the cybercrime world is shifting, becoming more sophisticated and akin to legitimate business-like models.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List

• https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/
• https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/
• https://www.darkreading.com/crowdstrike/tales-from-the-dark-web-fingerprinting-access-brokers-on-criminal-forums
• https://krebsonsecurity.com/2022/01/who-is-the-network-access-broker-wazawaka/
• https://www.packetlabs.net/posts/initial-access-brokers/
• https://www.trendmicro.com/vinfo/ie/security/news/cybercrime-and-digital-threats/investigating-the-emerging-access-as-a-service-market
• https://www.zdnet.com/article/ransomware-operators-love-them-key-trends-in-the-initial-access-broker-space/

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.