Access-for-sale ads on dark web marketplaces have increased seven-fold over the last year, and the problem is getting worse. The ads offer access to enterprise networks to those who want to partner and work with the seller. It is another example of the cooperative way that cybercriminals join together to maximise the impact of an attack. It allows the attackers to focus on their specific skillsets to achieve maximum success for any attack.
The details of this increase in access-for-sale come in a new report from Positive Technologies. According to Yana Yurakova, an analyst at Positive Technologies: “With these realities in mind, a system for protection against cyberattacks may require a different approach. The threat actor model needs to be revised to guard against both access from low-skilled attackers and sophisticated methods of attack.”
The report says that the number of users placing adds tripled in Q1 2021 compared to the previous year. The company also stated: “Positive Technologies estimates that about $600,000 worth of corporate network access is sold on the dark web on a quarterly basis. Interestingly, the share of expensive access lots priced above $5,000 almost halved. This may reflect mass entry into the market by novice cybercriminals.”
Not every access is what it seems
Interestingly, the researchers note that every access being offered for sale may not be as it seems. They point out that the number of ads with a price below $1,000 had now reached 45%. This might be in part due to the saturation of the market, but there is another explanation. The researchers say: “Cheap access typically carries no access privileges, and it is usually offered by inexperienced cybercriminals who are afraid of following through with the attack.”
The report lists five criteria by which the cost of access is assessed:
- Number of computers to be exposed
- Account privileges
- Company size
- Corporate revenue and other financial indicators
Which industries are being hit the most?
The researchers also looked at the most hit industries. They saw services overtake manufacturing for the top spot in the access-for-sale market. One reason for this change is likely to be that manufacturers have tightened their security after numerous high profile attacks.
In third place, research and education has overtaken finance. This is likely to be driven by continued attempts to steal intellectual property from research organisations and universities. Additionally, as reported by NTT Ltd earlier this year, universities have seen a significant increase in crypto-mining attacks. Many have large sprawling networks that have been underused with students at home. It has meant a lot of spare computing capacity that crypto miners have exploited.
What is needed now is for organisations to do more to track risk. Apple, Microsoft and other vendors have begun to alert users when cached credentials are found on the dark web. Enterprise IT departments need to add this capability to their security processes. It will allow them to react to at-risk credentials to prevent them from being sold for access. They also need to work harder to block and delete unused accounts.
Enterprise Times: What does this mean?
Access-for-sale is nothing new. The issue here is the scale at which credentials are being sold. It doesn’t matter that an increasing number of those credentials have limited to no real privileges. For a skilled attacker, any access is an opportunity to start an attack. The growth of living off the land attacks shows that attackers only need an initial foothold into an organisation to begin an attack.
Organisations need to do more to manage access control. This is about internal processes to suspend or delete accounts when they are no longer needed. They also need to continue educating their staff and getting them to respond to warnings from browsers about compromised credentials. As the number of compromised credentials grows, so does the risk of a serious data breach or malware attack.