The initial access broker (IAB) economy is a booming market where cybercriminals sell or offer access to compromised networks and systems to other threat actors. This allows ransomware operators, data thieves, and other malicious actors to skip the time-consuming and risky process of finding and exploiting vulnerabilities themselves.
According to a report by cybersecurity firm KELA, the average cost of network access was $5,400, while the median price was $1,000. Prices vary with the size, revenue, and industry of the target organization. The most expensive listings were access to an Australian company with annual revenue of $500 million, offered for 12 Bitcoin (BTC) or roughly $478,000, and access to an IT company in the United States, via ConnectWise, for 5 BTC ($200,000).
The report analyzed over a thousand listings on dark web underground forums posted between July 1, 2020, and June 30, 2021. It found that initial access ads covered a range of network- and compromised-account-based offerings, such as remote access to a single computer inside an organization, as well as domain-level privileged account access and both RDP- and VPN-based remote access. In total, 25% of the listings were posted by brokers.
The most common methods used by IABs to gain access to networks and systems are stolen credentials, brute-force attacks, or exploiting vulnerabilities. Some IABs also use information-stealing malware or phishing campaigns to harvest credentials or install backdoors. However, some IABs claim to have other approaches that are not disclosed publicly.
The industries most targeted by IABs are finance and retail, followed by construction and manufacturing. The majority of victims are located in the U.S., Australia, and the UK. Organizations in Russia and in countries that are part of the Commonwealth of Independent States (CIS) are avoided by IABs for legal and ethical reasons. Few attacks were observed against organizations in China over the same period.
The IAB economy reflects the professionalization and specialization of cybercrime. It lets ransomware operators and other threat actors focus on their core competencies and outsource initial access to IABs who have the technical skills and tooling to find vulnerable targets. This reduces risk and cost for both parties and increases the efficiency and profitability of cyberattacks.
However, the IAB economy also poses some challenges and risks for both buyers and sellers. For example, buyers need to verify the legitimacy and quality of the access offered by IABs before paying them. Sellers need to protect their identity and reputation from law enforcement and competitors. Moreover, some IABs may try to double-dip by selling the same access to multiple buyers or stealing data from the compromised networks themselves.
The IAB economy is expected to grow as cyberattacks become more sophisticated and lucrative. Therefore, organizations need to take proactive measures to protect their networks and systems from being compromised by IABs. Some of the best practices include:
- Implementing strong password policies and multi-factor authentication
- Applying security patches and updates regularly
- Monitoring network activity and detecting anomalous behavior
- Using encryption and backup solutions
- Educating employees about cybersecurity awareness
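One concrete way to act on the monitoring item above, since brute-forced and stolen credentials against RDP and VPN are the most common IAB entry routes described in the report: a small Python detector run over a constructed authentication log. This is an added example, not code from the article or the KELA report; the log format, field names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): a brute-force burst against one RDP
# account that ends in success, a password spray against VPN, and a benign logon.
SAMPLE_LOG = """\
2021-03-02T08:00:01 rdp src=203.0.113.5 user=jsmith result=FAIL
2021-03-02T08:00:02 rdp src=203.0.113.5 user=jsmith result=FAIL
2021-03-02T08:00:03 rdp src=203.0.113.5 user=jsmith result=FAIL
2021-03-02T08:00:04 rdp src=203.0.113.5 user=jsmith result=FAIL
2021-03-02T08:00:05 rdp src=203.0.113.5 user=jsmith result=FAIL
2021-03-02T08:00:06 rdp src=203.0.113.5 user=jsmith result=OK
2021-03-02T08:10:00 vpn src=198.51.100.9 user=alice result=FAIL
2021-03-02T08:10:01 vpn src=198.51.100.9 user=bob result=FAIL
2021-03-02T08:10:02 vpn src=198.51.100.9 user=carol result=FAIL
2021-03-02T08:10:03 vpn src=198.51.100.9 user=dave result=FAIL
2021-03-02T08:10:04 vpn src=198.51.100.9 user=erin result=FAIL
2021-03-02T08:30:00 vpn src=192.0.2.77 user=alice result=OK
"""

# Assumed line layout: "<timestamp> <service> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>rdp|vpn) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse(log):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log.splitlines()) if m]

def find_alerts(log, fail_threshold=5, spray_threshold=5):
    """Return sorted (kind, service, source, user) alerts; user is '*' for sprays."""
    fails_per_account = defaultdict(int)   # (svc, src, user) -> failed logons
    users_per_source = defaultdict(set)    # (svc, src) -> distinct users that failed
    alerts = set()
    for e in parse(log):
        key = (e["svc"], e["src"], e["user"])
        if e["res"] == "FAIL":
            fails_per_account[key] += 1
            users_per_source[key[:2]].add(e["user"])
            if fails_per_account[key] >= fail_threshold:      # one account hammered
                alerts.add(("brute_force",) + key)
            if len(users_per_source[key[:2]]) >= spray_threshold:  # many accounts, one source
                alerts.add(("password_spray", e["svc"], e["src"], "*"))
        elif fails_per_account[key] >= fail_threshold:
            # A success right after a burst of failures is the signal that matters most:
            # the credential was likely guessed and the access may now be for sale.
            alerts.add(("success_after_failures",) + key)
    return sorted(alerts)
```

In production the same counters would be windowed by time and fed from the VPN appliance and Windows logon events rather than a flat file; the thresholds here are illustrative.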
By following these steps, organizations can reduce their exposure to IABs and mitigate the impact of potential cyberattacks.