Initial Access Brokers Are Breaking Into Corporate Networks and Selling Access to Bad Actors

A new class of threat actors – middlemen who connect threat actors to intended victims - is targeting remote users, IoT devices. Experts warn it’s time to secure the endpoint edge.

The report “Rise of Initial Access Brokers” examines the new role that Initial Access Brokers are playing at the top of the cyberattack kill-chain funnel.

IABs are de facto ‘middlemen’ whose business model is exactly what the name implies: they breach as many companies’ networks as they can. They then sell to the highest bidders that access victims. The buyers are often ransomware groups.

IABs have been proliferating lately largely because of the pandemic and the ensuing Work-From-Home migration. Workers who are logging into systems remotely and connecting from untrustworthy Wi-Fi networks create an exploitable vector of attack. Cybercriminals are exploiting this by scanning at scale for vulnerabilities which allow remote access, such as in virtual private networks (VPNs), and selling this access.

The $7,100 average selling price for access takes into consideration a victimized organization’s revenue, the type of access sold, the number of employees, and the number of devices accessible. RDP (remote desktop protocol) access, the most frequently listed access type for sale, let a threat actor take over a victim’s computer. RDP access typically goes for around $9,800.

The FBI notes that ‘RDP is still 70-80% of the initial foothold that ransomware actors use.’ RDP is believed tied to the Oldham Florida Water Treatment Facility attack, in which attackers attempted to alter the chemicals added to the public water supply.

Beyond the Remote User – As IoT Continues to Grow, So Do System Vulnerabilities

IABs are seeking to expand their offerings by also targeting a new threatscape: IoT devices. They see them as “low-hanging fruit” points of entry to corporate networks.

IoT devices are used as an entry point into the larger corporate networks, where the most valuable data resides because they aren’t built with security in mind. Legacy IoT devices such as servers, modems, PLCs, controllers, and networked medical devices are especially vulnerable as they are incompatible with modern security software agents.

Understanding the traffic at the edge of the corporate network is something that network administrators have long desired since they know their devices are exposed when connecting to any network.

A lot of remote access tools/protocols require local network and device configuration changes, which creates additional risk by exposing internal endpoints directly to the internet – a simple Shodan search confirms this. Once the attacker gains initial access to these exposed endpoints, it is difficult to remove this foothold from the network, let alone prevent it from spreading laterally, highlighting why IABs have become so prevalent.

Because of this, some organizations have even gone so far as to ban remote access to their systems altogether, forcing administrators and technicians to service endpoints physically on site. In a remote-friendly world, a better solution is necessary.

Securing Endpoints: Blocking Access to the Corporate Network

One strategy for mitigating risks of initial access at the edge is micro-segmentation using a secure endpoint edge device.  The main premise behind micro-segmentation asserts that the endpoint is never directly exposed to the network – it is isolated onto its own “micro-segment of one.” It enables organizations to own control of their edge by ensuring the traffic that flows to and from the endpoint flows to it on its own micro-segment.

Micro-segmentation also allows for Zero Trust Remote Access through what is called the “Secure Lobby”; Instead of an administrator configuring the perimeter to allow traffic to the endpoint directly, the secure endpoint edge acts as the gatekeeper to the endpoint, while maintaining full isolation from the rest of the network.

With Secure Lobby, both the remote user and secure endpoint edge “meet” in the lobby through an encrypted connection. The administrator can now remotely access the micro-segmented endpoint securely and perform any type of monitoring, updating, or patching necessary, without exposing the endpoint to the internet.

This is game-changing for secure remote management because attackers will no longer have direct access into endpoints, thus helping to eliminate the business of Initial Access Brokers all together.