Ransomware threat actors depend on numerous cybercriminal skillsets to breach, disrupt, and extort organizations. One of these skillsets belongs to Initial Access Brokers (IABs), who are prominent players in the prolific RaaS (Ransomware as a Service) ecosystem. They help drive the proliferation of ransomware and Business Email Compromise (BEC) attacks.
In my conversations with organizations that Bitdefender serves, I sometimes explain what IABs do and how they lay the groundwork for another threat actor to take an attack to the next level. I recently discussed this in-depth during our new podcast series, CYBERCRIME: From the Front Line, and during a Bitdefender webinar, Hit From All Sides: Cyber Fraud Targeting Organizations that is available on demand. Below, I would like to share some details about IABs and their role.
What role does an IAB play? Initial access brokers facilitate the “break-in” to an organization like yours. If this were a home burglary we were talking about, IABs would smash the window or pick the lock and then walk away to let a different criminal access your house and steal your things.
In this case, IABs specialize in various methods to gain unauthorized digital access, including scanning for vulnerabilities and exploiting them or using phishing attacks and other social engineering methods to harvest credentials.
Once inside your organization's environment, they establish persistence, often creating multiple access points so that their foothold survives if you detect and remediate one of them. With access established, the IAB sells verified access to your network on dark web markets to threat actors with different skillsets. Those buyers use these open doors to enter and move laterally across your environment as part of a ransomware attack, or to enter quietly and watch for the transactions and data they can exploit in a successful BEC attack.
Here are specific ways IABs play a role in ransomware attacks.
IABs rely on automated systems and tools that scour the internet to discover vulnerabilities within an organization. This could include unpatched VPNs, vulnerable RDP systems, endpoint vulnerabilities or known vulnerable software. To further build out their library of victims, some IABs will conduct more involved phishing or brute-force attacks to compromise accounts. They may even utilize insider threats, such as disgruntled employees or employees willing to facilitate access.
Once a way into an organization is found, IABs do the grunt work of exploiting the vulnerability, exposed system, software flaw, or employee and turning it into a working compromise. To cement that compromise or improve the odds that it holds, they may exploit several vulnerabilities within the same organization.
Whether the compromise came via stolen credentials, an exposed RDP system, or an unpatched VPN, IABs need their access to persist and to be easy to hand back to a buyer, since that access is what they sell. This means moving laterally within the organization, setting up multiple access points, or planting a web shell on a company web server. These footholds establish persistence and ensure that even if the original vulnerability is patched or a password is reset, the IAB still has a way in.
After gaining persistent access into an organization, they can classify their victims by verticals and post them up on well-known hacking sites, forums and even encrypted communication venues like Telegram. Threat actor groups might contact more experienced and reputable IABs directly to access a specific target.
After an IAB sells access to an organization, their job is done. They can either continue to sell access to more groups or look for another victim to compromise. On the victim’s side, whoever bought access can now execute the rest of the ransomware attack, deliver the malicious software and reap the benefits.
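As an added example (not code from the original post or from Bitdefender), the following Python script shows how a defender can spot the discovery and persistence steps described above in authentication logs: a brute-force burst against an RDP-exposed host, a successful logon from the same source shortly afterwards, and a new account created by the compromised user within the hour, which is the kind of secondary access point an IAB plants to survive a password reset. The log lines are constructed for this example. The event IDs follow Windows Security log conventions (4625 failed logon, 4624 successful logon, logon type 10 for RDP, 4720 user account created), but the five-column text format, the `detect` function, and the thresholds are assumptions chosen for the example, not a real log export or a vendor rule.

```python
"""Correlate RDP brute force -> success -> new-account persistence.

Added example with constructed data. Event IDs follow Windows Security log
conventions; the line format and thresholds are assumptions for this example.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp event_id src_ip user detail"
# detail = logon type for 4624/4625, or the created account for 4720.
SAMPLE_LOG = """\
2024-03-01T02:00:01 4625 203.0.113.7 administrator 10
2024-03-01T02:00:02 4625 203.0.113.7 admin 10
2024-03-01T02:00:03 4625 203.0.113.7 backup 10
2024-03-01T02:00:04 4625 203.0.113.7 svc_sql 10
2024-03-01T02:00:05 4625 203.0.113.7 jsmith 10
2024-03-01T02:00:06 4625 203.0.113.7 jsmith 10
2024-03-01T02:00:09 4624 203.0.113.7 jsmith 10
2024-03-01T02:04:30 4720 - jsmith support
2024-03-01T08:15:00 4625 198.51.100.2 alice 10
2024-03-01T08:15:20 4624 198.51.100.2 alice 10
"""

# Assumed thresholds: five RDP failures from one source within five minutes
# is a brute-force burst; a success within ten minutes of the burst means the
# credential was guessed; a new account within an hour of that is persistence.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
SUCCESS_WINDOW = timedelta(minutes=10)
PERSIST_WINDOW = timedelta(hours=1)
RDP_LOGON_TYPE = "10"  # RemoteInteractive


@dataclass
class Event:
    ts: datetime
    event_id: int
    src_ip: str
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed five-column format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ip, user, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), int(eid), ip, user, detail))
    return events


def detect(events):
    """Return findings in chronological order, chained by source and user."""
    findings = []
    failures = {}       # src_ip -> deque of recent failure timestamps
    bruteforce_at = {}  # src_ip -> time the failure threshold was crossed
    compromised = {}    # user -> (src_ip, time of the suspicious success)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4625 and ev.detail == RDP_LOGON_TYPE:
            q = failures.setdefault(ev.src_ip, deque())
            q.append(ev.ts)
            while q and ev.ts - q[0] > FAIL_WINDOW:   # sliding window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ev.src_ip not in bruteforce_at:
                bruteforce_at[ev.src_ip] = ev.ts
                findings.append({"type": "brute_force", "src_ip": ev.src_ip,
                                 "failures": len(q)})
        elif ev.event_id == 4624 and ev.detail == RDP_LOGON_TYPE:
            started = bruteforce_at.get(ev.src_ip)
            if started is not None and ev.ts - started <= SUCCESS_WINDOW:
                compromised[ev.user] = (ev.src_ip, ev.ts)
                findings.append({"type": "success_after_brute_force",
                                 "src_ip": ev.src_ip, "user": ev.user})
        elif ev.event_id == 4720:
            hit = compromised.get(ev.user)
            if hit and ev.ts - hit[1] <= PERSIST_WINDOW:
                findings.append({"type": "persistence_new_account",
                                 "user": ev.user, "new_account": ev.detail})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

The single failure from `198.51.100.2` followed by a success is left alone: it never crosses the failure threshold, so the later success is not chained. Only the chain from `203.0.113.7` produces three linked findings, which is the signal worth paging on, since a lone burst of failures against an internet-facing RDP host is background noise on most networks.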
While Initial Access Brokers and their specialized skills are an essential part of the RaaS ecosystem, you may wonder what occurred to make this the case.
The pandemic forced many people to stay at home, increasing organizations’ reliance on RDP (Remote Desktop Protocol) and VPN technology to stay connected. These legitimate tools broadened the attack surface.
Around the same time, ransomware attacks evolved to include a double extortion element. Threat actors locked organizations out of their data and threatened to leak or expose the data if companies didn't pay a ransom. They often elevated the attack by utilizing the stolen information to extort employees, dox them, or carry out more targeted attacks to expedite payment.
These "business model improvements" expanded the ransomware ecosystem. This increased profitability dramatically, resulting in the rise of RaaS alongside additional intermediaries and affiliates whose involvement helped facilitate these attacks at scale.
This pivot also fostered specialized roles across ransomware campaigns, resulting in disparate functions that offered their services to a number of different threat actor groups. The improved efficiency, effectiveness, and shared risk across these groups made ransomware attacks much more attractive.
Initial Access Brokers (IABs) are one of these specialized roles and are essentially high-value middlemen that provide access as a service, monetizing that access while keeping their own risk lower because they don’t carry out the attack itself. In many cases, they lack the technical skills to deploy this kind of attack. If an organization detects a breach, the risk largely falls on whoever executed the ransomware attack, not the IAB. The IAB crew has monetized initial access and moved to their next target.
Bitdefender threat intelligence reveals that IABs target industry verticals like finance, healthcare, manufacturing, and government the most. Finance is always a high-value target but other industries on the list are also profitable targets as they’re known for having many vulnerable systems and fewer resources to protect themselves.
The emergence of IABs highlights how the cyber threat landscape has evolved. Exposed vulnerabilities are more likely to be exploited, and because IABs sell access, sometimes to more than one buyer, a single organization may fall victim to multiple attacks by a variety of threat actors.
For more on the types of cyber fraud targeting organizations, watch Episode 1 of CYBERCRIME: From the Frontline. And if you're looking to rapidly reduce your organizational attack surface, read more about Bitdefender GravityZone PHASR or watch the Global Launch Event. PHASR is the industry’s first endpoint security solution to dynamically tailor hardening for each user—ensuring that security configurations align precisely with user-intended privileges and behaviors and continuously adapt to shrink attack surfaces.
Together, the right strategy and tools can help create a layered cyber defense that significantly reduces your organizational risk.
Bogdan Botezatu has spent the past 12 years as Director of Threat Research at Bitdefender. His areas of expertise include malware deobfuscation, detection, removal and prevention. Bogdan is the author of A History of Malware and Botnets 101. Before joining Bitdefender, he worked at one of Romania's largest and oldest universities as network administrator in charge of SecOps and policies.