Cybercrime is an economy, and as with every economy, there are brokers. Initial access brokers (IABs) are a key piece of the criminal market: they specialize in selling access to compromised systems to other criminals. IABs make many attacks and data breaches possible by selling information to less skilled cybercriminals. How can you stop them from selling your data?
How Flare Monitors Initial Access Brokers
How can Flare use threat intelligence to monitor IABs?
Flare automates the process of scanning for external threat exposures. By detecting exposures sooner with Flare, security teams can begin mitigation faster.
Why use Flare to monitor initial access brokers?
The second piece of defending against access brokers is knowing whether they are actually selling your information. By scanning the places where criminals gather to buy and sell illicit data (such as dark web marketplaces and prominent threat actor communities), Flare provides your organization with insights into the transactions that are taking place. As soon as your information appears where it shouldn’t be, Flare notifies your team with alerts.
What do you get with Flare’s solution?
- Automated continuous monitoring: By using an automated solution you get 24/7 coverage of your threat exposures, so you will know as soon as there’s a threat.
- Relevant notifications: Flare cuts through the noise, sending you alerts when it detects your organization’s name, employees’ names, domains, IP, or any other key data.
- Proactive cybersecurity: By scanning for potential threats, you can catch breaches early and take steps to protect your data, systems, and networks from would-be attackers.
Flare has conducted research on IAB posts in the Russian hacking forum Exploit, where we observed malicious actors selling access to companies across dozens of industries including defense, energy, manufacturing, and telecommunications.
Keep reading about IABs below, or check out our report on IABs: Initial Access Brokers, Russian Hacking Forums, and the Underground Economy of Corporate Access.
Initial Access Brokers: An Overview
What is an initial access broker?
Initial access brokers (IABs) are cybercriminals who specialize in obtaining and selling access to compromised networks, systems, or accounts. Like any broker, an IAB acts as an intermediary between the criminals who’ve gained access to a target and those who wish to exploit that access by deploying ransomware, stealing data, or conducting further network exploitation. By bringing buyers and sellers together, they have become a linchpin of the cybercrime economy.
Where do IABs sell information?
Initial access brokers operate primarily in the shadows of the internet, using various platforms and methods to conduct their activities. Here are some of the key environments and platforms they use:
- Dark web marketplaces: IABs frequently use dark web marketplaces to advertise and sell access to compromised systems. These marketplaces provide a level of anonymity and security, making them ideal for illegal transactions.
- Underground forums: Cybercriminal forums, often accessible only by invitation or through specific networks, are common places where IABs offer their services. These forums can range from general cybercrime discussions to specialized groups.
- Encrypted messaging apps: Platforms such as Telegram, Signal, and Discord are often used by IABs for communication and transactions. These apps provide encrypted communication channels, making it harder for law enforcement to track their activities.
How do IABs get access to your networks?
IABs focus on obtaining unauthorized access to networks using a variety of techniques, including:
- Phishing emails
- Brute-force attacks
- Password spraying
- Social engineering
Why are IABs a threat to your business?
IABs are dangerous for many reasons — they enable espionage, fraud, and disruption of business operations. However, one of the biggest threats of access brokers is their role in enabling ransomware attacks. By selling access to networks, they provide ransomware operators with the initial foothold they need to deploy their malware, potentially leading to significant financial losses, operational disruptions, and reputational damage.
Integrate the world’s most accessible and comprehensive cybercrime database into your cybersecurity program in 30 minutes.
Why should you be concerned about initial access brokers now?
Why is it important to understand IABs in today’s cybersecurity landscape?
Reporting by Flare shows that IABs are increasingly targeting entities within NATO member states, underscoring brokers’ extensive reach and the consistent potential threat they pose to national security and economic stability. While IABs are targeting a range of industries, there’s a clear trend of IABs targeting critical infrastructure as well as state-related industries, like the U.S. defense sector.
How have initial access brokers changed cybercrime?
IABs lower the barrier to entry for many types of cybercrime, making it easier for a wider range of threat actors to engage in malicious activities. This increases the overall threat landscape and complicates cybersecurity defenses. IABs also set prices, work directly with ransomware gangs, and are otherwise able to influence the criminal market.
IABs and the Ransomware-as-a-Service (RaaS) Ecosystem
How can IABs make money outside of directly attacking companies?
IABs are not a new type of threat actor, but they are increasingly sought after by the underground threat actor community. As organizations accelerated their cloud strategies, initial network access became increasingly valuable to malicious actors. Because IABs have specialized skills, they can make more money selling credentials to other threat actors than they would by carrying out their own attacks.
The RaaS model
The RaaS model mimics the Software-as-a-Service model: threat actors sell ransomware packages and the associated infrastructure to other cybercriminals, with two main stakeholder roles:
- Operator: creates and sells the malicious code, campaign infrastructure, and services
- Affiliate: buys the ransomware and deploys the attack
By selling the ransomware, operators make more money than they would by deploying it themselves. At the same time, this allows less technically experienced cybercriminals to carry out attacks.
IABs: essential to RaaS
To exfiltrate data as part of a double-extortion ransomware attack, threat actors must gain unauthorized access to the target victim’s networks. Ransomware operators buy initial access from IABs for several reasons, including the ability to:
- Provide affiliates with a complete product that includes both access and malware
- Focus on updating the malicious code to evade signature-based security tools
- Scale their criminal business operations to generate more revenue
RaaS operators: essential to IABs
IABs also benefit from these symbiotic relationships. IABs often start by advertising and selling their credentials on the dark web. However, as they build a reputation within the community, they often begin working with a single RaaS operator, essentially receiving payment for working exclusively with one group. This relationship protects IABs by limiting their communications across the broader cybercrime ecosystem, ultimately hiding them from law enforcement or security teams monitoring the dark web.
How can you defend against access brokers?
- Monitor IAB forums: IABs understandably don’t want their victims to learn that their data is for sale. For this reason, their posts in forums are anonymized. However, it’s still worth monitoring IAB forums: the combination of geography, revenue, industry, and type of access may be enough information to give some organizations advance notice that they have potentially been compromised. Flare recommends monitoring Exploit, XSS, and other IAB forums to receive advance notice that access to your environment may be for sale.
- Monitor stealer logs: Many threat actors distribute stealer logs across forums and Telegram channels. Stealer logs are likely a source of access vectors for IABs, who may sift through enormous numbers of logs to find those containing RDP, VPN, and other forms of corporate access that can be established, expanded, and resold.
- Implement endpoint detection and response (EDR): EDR is likely the best method of detecting the presence of an IAB in your environment.
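The forum-monitoring heuristic above (matching anonymized listings on geography, revenue, industry and access type against your own profile) as an added, self-contained example; this is illustrative code written for this page, not Flare’s platform or any real forum’s post format. The `key=value` listing layout, the `OrgProfile` shape, the scoring weights and the sample posts are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of anonymized IAB listings. The key=value layout is an
# assumption for this example, not the format of any real forum.
SAMPLE_POSTS = [
    "id=101 country=US industry=defense revenue=$120M access=vpn price=$3000",
    "id=102 country=DE industry=manufacturing revenue=$40M access=rdp price=$800",
    "id=103 country=US industry=defense revenue=$900M access=rdp price=$5000",
    "id=104 country=US industry=energy revenue=$110M access=vpn price=$1500",
]

@dataclass(frozen=True)
class OrgProfile:
    country: str
    industry: str
    revenue_musd: float      # annual revenue in millions of USD
    access_types: frozenset  # remote-access kinds the org actually exposes

ORG = OrgProfile("us", "defense", 100.0, frozenset({"vpn", "rdp"}))  # hypothetical org

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_revenue(text):
    """'$120M' -> 120.0, '$1.2B' -> 1200.0 (millions of USD)."""
    m = re.fullmatch(r"\$?([\d.]+)([MB])", text.upper())
    if not m:
        raise ValueError(f"unparseable revenue: {text}")
    return float(m.group(1)) * (1000.0 if m.group(2) == "B" else 1.0)

def parse_post(line):
    f = dict(FIELD_RE.findall(line))
    return {"id": f["id"], "country": f["country"].lower(), "industry": f["industry"].lower(),
            "revenue_musd": parse_revenue(f["revenue"]), "access": f["access"].lower()}

def score_listing(org, post, revenue_tolerance=0.5):
    """Weighted match against the org profile; revenue is a fuzzy band since listings round it."""
    score = 1 if post["country"] == org.country else 0
    score += 2 if post["industry"] == org.industry else 0  # industry is the strongest signal
    if abs(post["revenue_musd"] - org.revenue_musd) <= revenue_tolerance * org.revenue_musd:
        score += 1
    score += 1 if post["access"] in org.access_types else 0
    return score

def triage_posts(org, lines, threshold=4):
    """Return (post id, score) for listings worth an analyst's look, highest score first."""
    scored = [(p["id"], score_listing(org, p)) for p in map(parse_post, lines)]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])
```

A hit is only a lead for the incident response team to confirm with EDR and log review, not proof of compromise; tune the weights and threshold to your organization’s false-positive tolerance.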
To learn more about stealer logs and a massive continuous data leak, read the report Stolen Identities and Data-Stealing Malware: One of the Largest Data Breaches in History.
Initial Access Brokers and Flare
Flare is the leading Threat Exposure Management (TEM) solution for organizations. Our technology constantly scans the online world, including the clear and dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Protect your intellectual property from IABs by using Flare’s automated platform to scan for stolen data as well as mentions of your assets or organization.
Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for high-risk exposures. See it for yourself with our free trial.