Initial Access Brokers (IABs) and Their Way of Operation

During the pandemic, most organizations adopted work-from-home or remote-working arrangements to maintain business continuity and meet deliverables on time. To connect employees' remote devices to corporate networks, organizations commonly rely on VPNs, RDP, and similar remote-access services that let staff work from anywhere. However, this new norm has widened the attack surface for several reasons: remote devices often lack adequate security controls, IT teams have little or no control over employee-owned devices, and so on. Initial Access Brokers (IABs) play the main role in leaking data on the dark web.

Who are IABs?

Initial Access Brokers (IABs) are threat actors whose main aim is to collect access (e.g., credentials) to organizations and sell it on access markets for profit. They do not carry out full-fledged intrusions themselves, because they lack the resources or skills to bypass corporate security controls without being traced. Instead, they sell the access they obtain to other threat actors for quick money. In this way, IABs cooperate with ransomware developers, APT groups, ransomware affiliates, and other black-hat groups in targeting organizations and monetizing the result.

Relationship of IABs with Other Threat Actors

IABs choose high-profile victims or organizations that look attractive (wealthy) to ransomware developers. The ransomware developers obtain initial access from IABs and, with the help of ransomware affiliates, deploy ransomware on the victims' systems to encrypt or lock the data stored there. Ransomware developers also offer Ransomware as a Service (RaaS), which makes it easier for other threat actors to exploit victims' systems by removing the need to develop new ransomware for every target. The main objective of ransomware affiliates is to continuously find and infect new victims; they contact IABs through underground forums where access is sold in order to obtain the initial access needed to deploy ransomware.

How do Initial Access Brokers (IABs) Operate?

To gain and sell access, IABs usually follow these steps:

  • Target selection: IABs target large and high-profile victims whose compromise can benefit them and other threat actors (ransomware affiliates and developers).
  • Attack: After choosing a target, IABs pick the attack vector that is most likely to work given the target's security maturity. They generally exploit exposed endpoint vulnerabilities (e.g., VPN vulnerabilities and misconfigured RDP) or use social engineering (e.g., phishing) to steal access.
  • Internal reconnaissance: After gaining access, IABs enumerate the environment to learn more about internal networks and directories. Using PowerShell tools, they retrieve useful information such as domain users, ACLs, trust policies, computers, and domain controllers.
  • Identify a buyer: Once IABs have collected the relevant information, they look for potential buyers interested in purchasing access, using access markets and underground forums on the dark and surface web.

IABs post advertisements on these markets and forums to attract buyers, listing details of the target organization such as its sector, net worth (in dollars), and the number of computers and users. These advertisements also state the cost of the access, i.e., the price for obtaining the access details.
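The reconnaissance step above has a detectable shape from the defender's side: a remote logon (RDP, Windows logon type 10) followed within a short window by Active Directory enumeration from the same host and account. The script below is an added example written for this article, not code from the original post or from any IAB toolkit; it runs detection logic over a handful of constructed event records modelled on Windows Security log fields (event 4624 logon and event 4688 process creation with command line). The indicator patterns, the 30-minute window, and the requirement that at least two enumeration categories appear are assumptions chosen to reduce noise from routine single lookups by helpdesk staff.

```python
"""
Detect post-access reconnaissance: an RDP logon followed shortly by
PowerShell/AD enumeration on the same host by the same account.
All event records in SAMPLE_EVENTS are constructed sample data.
"""
from datetime import datetime, timedelta
import re

# Enumeration categories named in the article, mapped to command-line
# indicators. These patterns are illustrative assumptions; tune them
# to your own environment and logging.
RECON_PATTERNS = {
    "domain_users": re.compile(r"Get-ADUser|net\s+user\s+\S+\s+/domain", re.I),
    "computers": re.compile(r"Get-ADComputer", re.I),
    "domain_controllers": re.compile(r"Get-ADDomainController|nltest\s+/dclist", re.I),
    "trusts": re.compile(r"Get-ADTrust|nltest\s+/domain_trusts", re.I),
    "acls": re.compile(r"Get-Acl\s+.*AD:", re.I),
}

RDP_LOGON_TYPE = 10            # 4624 LogonType 10 = RemoteInteractive (RDP)
WINDOW = timedelta(minutes=30)  # assumed correlation window
MIN_CATEGORIES = 2              # breadth of enumeration, not one cmdlet


def ev(time, event_id, host, user, logon_type=None, src_ip="", command_line=""):
    """Build one simplified event record (constructed data helper)."""
    return {"time": time, "event_id": event_id, "host": host, "user": user,
            "logon_type": logon_type, "src_ip": src_ip, "command_line": command_line}


# Constructed sample telemetry: one suspicious sequence on WS01, a benign
# console logon with a single lookup on WS02, and an RDP logon on WS03
# that is not followed by any enumeration.
SAMPLE_EVENTS = [
    ev("2021-05-03 09:00:12", 4624, "WS01", "CORP\\jdoe", 10, "203.0.113.5"),
    ev("2021-05-03 09:04:40", 4688, "WS01", "CORP\\jdoe",
       command_line="powershell.exe Get-ADUser -Filter * -Properties memberOf"),
    ev("2021-05-03 09:06:03", 4688, "WS01", "CORP\\jdoe",
       command_line="powershell.exe Get-ADComputer -Filter *"),
    ev("2021-05-03 09:07:51", 4688, "WS01", "CORP\\jdoe",
       command_line="nltest /domain_trusts"),
    ev("2021-05-03 09:09:10", 4688, "WS01", "CORP\\jdoe",
       command_line="powershell.exe Get-Acl -Path 'AD:\\DC=corp,DC=local'"),
    ev("2021-05-03 10:00:00", 4624, "WS02", "CORP\\helpdesk", 2),
    ev("2021-05-03 10:01:00", 4688, "WS02", "CORP\\helpdesk",
       command_line="powershell.exe Get-ADUser -Identity jsmith"),
    ev("2021-05-03 11:00:00", 4624, "WS03", "CORP\\admin", 10, "10.0.0.7"),
    ev("2021-05-03 11:02:00", 4688, "WS03", "CORP\\admin", command_line="notepad.exe"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify_command(cmd):
    """Return the set of recon categories that a command line matches."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(cmd)}


def detect_post_access_recon(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Correlate RDP logons with subsequent enumeration; return alert dicts."""
    logons = [e for e in events
              if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE]
    procs = [e for e in events if e["event_id"] == 4688]
    alerts = []
    for lg in logons:
        start, end = _ts(lg["time"]), _ts(lg["time"]) + window
        seen, matched = set(), []
        for p in procs:
            if p["host"] != lg["host"] or p["user"] != lg["user"]:
                continue
            if not (start <= _ts(p["time"]) <= end):
                continue
            cats = classify_command(p["command_line"])
            if cats:
                seen |= cats
                matched.append(p["command_line"])
        if len(seen) >= min_categories:
            alerts.append({"host": lg["host"], "user": lg["user"],
                           "src_ip": lg["src_ip"], "logon_time": lg["time"],
                           "categories": sorted(seen), "commands": matched})
    return alerts


if __name__ == "__main__":
    for a in detect_post_access_recon(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']} from {a['src_ip']} at {a['logon_time']}: "
              f"{', '.join(a['categories'])}")
```

Run as-is it reports only the WS01 sequence. In practice the logon source would be enriched with whether the address belongs to the corporate VPN range, and the process events would come from a SIEM query over 4688 (with command-line auditing enabled) or an EDR feed rather than a hard-coded list.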

Wrapping Up

While organizations cope with the challenges of the pandemic, following a few security best practices can go a long way:

  • Implement strong security policies that require users to follow basic cybersecurity hygiene and use complex passwords.
  • Have processes in place for regular security audits and timely updates.
  • Use cybersecurity tools and platforms that monitor the dark and surface web in real time to detect compromised access and leaked data.

For more information on this topic, refer to IAB threat and IAB responsible for ransomware attacks articles.
