Initial Access Broker Activity Doubles in a Year

Security researchers detected twice as many cases of corporate access being sold on the dark web by initial access brokers (IABs) last year as during the previous 12 months, with the number of brokers also surging.

Group-IB spotted 2348 instances of IAB sales activity between H2 2021 and H1 2022, with the number of countries in which victim organizations are located also increasing – by 41% to a total of 96 during the period.

US companies were the most popular targets, while in terms of sectors it was manufacturing (5.8%), financial services (5.1%), real estate (4.6%) and education (4.2%) that were most frequently targeted.

Compromised RDP (36%) and VPN (37%) accounts were most commonly offered by IABs, according to Group-IB’s report, Hi-Tech Crime Trends 2022/2023.

The number of brokers also grew, from 262 to 380 during the period, which led to a 50% drop in prices for IAB access, to $2800. That in turn slightly shrank the global IAB market, which fell by 8.5% to $6.7m.

Group-IB also found the IAB market increasingly saturated with logs obtained by information-stealing malware. It detected over 96 million logs up for sale, including 400,000 highly sought-after Single Sign-On (SSO) logs, of the sort purchased by the threat actor behind the recent Uber breach for just $20.

These offerings are democratizing cybercrime for those with limited technical skills, warned Group-IB CEO Dmitry Volkov.

“With remote work and SSO services becoming more prevalent, instances of access to corporate networks started appearing in stealer logs more often. Attacks on companies through their employees will become one of the main infection vectors,” he warned.

“A silver bullet against such attacks doesn’t exist. The trend highlights the need for companies to improve their cybersecurity across all layers, including training employees to respond to social engineering, enhancing detection and response capabilities, and of course, monitoring the cyber-criminal underground for compromised employee records and offers to sell access to their networks.”

Thanks in part to a thriving IAB market, ransomware actors increased their victim count last year.

Some 2886 companies had sensitive data published on ransomware leak sites over the reporting period, a 22% increase on the previous year. However, many more victims may exist that did not feature on such sites because they paid up straight away.
