On 18 January 2021, access to the American mining technology company Gyrodata was sold on the dark web. A month later, DarkSide, a ransomware group, claimed it had successfully conducted a cyberattack on Gyrodata.

It all began with “Babam”, an Initial Access Broker.

Today, hackers are increasingly organized in crime groups that copy some aspects of legitimate businesses (customer support, marketing…).

And like in a market economy, each group has its own specialty.

Here is a short deep dive into the world of hackers, with a focus on Initial Access Brokers, to understand who they are, what they do (and how), and some of the ways to protect your company.

What are Initial Access Brokers and what do they do?

Browsing forums on the dark web, you can find this kind of ad.

It’s a listing of various companies in different countries (Jordan, Thailand, Saudi Arabia…) with the number of employees, the company’s revenue, the type of access on offer and a price.

This kind of ad is typical of an Initial Access Broker: a group of hackers that sells access to a company’s IT system to other hackers, so that the buyers can conduct a cyberattack on that target.

Initial Access Brokers sell access to companies such as:

  • RDP (Remote Desktop Protocol) access, used to reach a computer remotely
  • Company VPN (Virtual Private Network) access
  • Remote access to web shells that the Initial Access Broker has deployed in order to sell them to the highest bidder
  • Access to virtual machines (VMware servers)
  • Active Directory access: credentials with domain administrator privileges are the most expensive

These can then be used to conduct cyberattacks with varying goals: cyber espionage, botnet setup, data theft… but most often the deployment of ransomware.

The price varies with the level of privilege of the access sold and with the target company. Based on a survey by Kela, the average access costs $4600, and once an access is sold, a ransomware attack can occur in the month following the sale.

Some Initial Access Brokers have even refined their pricing model to include a percentage of any ransom paid following a ransomware attack.

All in all, Initial Access Brokers save ransomware groups from having to obtain a first foothold in a company, conduct lateral movement and establish persistence. With this assistance, ransomware groups can focus on managing their affiliates and developing their payloads.

What are the techniques used by Initial Access Brokers?

How do these groups obtain privileged access? They have a wide range of techniques, including:

  • Exploiting vulnerabilities in out-of-date software to penetrate the network it runs on
  • Using brute-force attacks, which are especially effective in the absence of multi-factor authentication
  • Exploiting vulnerabilities linked to Microsoft’s Remote Desktop Protocol by scanning the internet for exposed RDP ports
  • Finally, phishing and spear-phishing, a very effective tool in the Initial Access Broker’s arsenal, especially given users’ habit of clicking on the emails they receive
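The brute-force and exposed-RDP techniques above leave a trace that a defender can look for: bursts of failed logons from one source against RDP or VPN, sometimes followed by a success. The following added example (not code from the original post or from Mantra) shows a sliding-window detector run over a few constructed authentication log lines in an assumed `timestamp service result user=... src=...` format; the addresses and user names are made up for illustration. It also shows the limit of this kind of detection: two failures half an hour apart from the same source stay below the window and are not flagged, which is one reason the post insists on multi-factor authentication rather than on detection alone.

```python
"""Sliding-window brute-force detector over constructed RDP/VPN logon logs."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window for counting failures
THRESHOLD = 5                    # failures from one source within WINDOW -> alert

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> <service> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-01-18T08:00:01 rdp FAIL user=administrator src=203.0.113.7
2021-01-18T08:00:03 rdp FAIL user=admin src=203.0.113.7
2021-01-18T08:00:04 rdp FAIL user=backup src=203.0.113.7
2021-01-18T08:00:06 rdp FAIL user=jsmith src=203.0.113.7
2021-01-18T08:00:07 rdp FAIL user=svc_sql src=203.0.113.7
2021-01-18T08:00:09 rdp FAIL user=administrator src=203.0.113.7
2021-01-18T08:00:12 rdp SUCCESS user=administrator src=203.0.113.7
2021-01-18T08:15:00 vpn FAIL user=jsmith src=198.51.100.2
2021-01-18T08:15:30 vpn SUCCESS user=jsmith src=198.51.100.2
2021-01-18T09:00:00 vpn FAIL user=mlee src=192.0.2.9
2021-01-18T09:30:00 vpn FAIL user=mlee src=192.0.2.9
"""


@dataclass
class Event:
    ts: datetime
    service: str
    result: str
    user: str
    src: str


def parse_line(line):
    """Parse one log line in the assumed format into an Event."""
    ts, service, result, user_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts), service, result,
                 user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (alert_type, src, service, detail) tuples.

    BRUTE_FORCE fires once per source when `threshold` failures fall inside
    `window`; SUCCESS_AFTER_BRUTE_FORCE fires when that same source then logs
    on successfully within the window, the pattern that suggests a guessed
    password rather than a user who mistyped a few times.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> time it crossed the threshold
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        q = failures[ev.src]
        # Drop failures that fell out of the look-back window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if ev.result == "FAIL":
            q.append(ev.ts)
            if len(q) >= threshold and ev.src not in flagged:
                flagged[ev.src] = ev.ts
                alerts.append(("BRUTE_FORCE", ev.src, ev.service,
                               f"{len(q)} failures in {int(window.total_seconds())}s"))
        elif (ev.result == "SUCCESS" and ev.src in flagged
              and ev.ts - flagged[ev.src] <= window):
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev.src, ev.service,
                           f"user={ev.user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed lines the detector raises two alerts for `203.0.113.7`: the burst of five failures, then the successful `administrator` logon a few seconds later. The single VPN failure from `198.51.100.2` and the two slow failures from `192.0.2.9` produce nothing, which is the expected blind spot of a fixed window; lower thresholds, per-user counting and longer windows trade detection of slow guessing against false positives.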

Let’s look at an example of this last technique: the group Exotic Lily (often linked to the ransomware group Conti). Here is how the group obtains access via phishing (and especially spear-phishing):

Exotic Lily conducts targeted attacks which include spoofing of employees or companies in order to gain the target’s trust. The group’s email phishing campaigns are mainly run by human operators (the analysis of the group’s communication logs indicates that its operators mainly work a 9 to 5 and… don’t work on the weekends). It’s an effective spear-phishing approach that differs from the mass phishing attacks of other groups.

We can highlight the following aspects of Exotic Lily’s approach:

  • The lack of automation, which makes the phishing emails more subtle
  • The use of OSINT to gather knowledge on a target, and the impersonation of fake or legitimate companies and human contacts
  • The use of legitimate file-sharing services like WeTransfer, TransferNow or OneDrive to send a notification that leads to the deployment of a loader (BazarLoader, for example)
  • Progressive steps: first gain the trust of the target’s teams, and only then deliver the payload

This progressive and targeted approach is difficult to detect or block by relying only on anti-spam software or a secured IT network.

An example of a fake profile created by Exotic Lily for spear-phishing campaigns

What can be done to protect your company?

There is a real risk that an Initial Access Broker sells access to your company to another group, which then conducts a ransomware attack.

Fortunately, there are certain steps that can help decrease this risk:

  • Hardening existing accesses: this includes using unique passwords (typically with a password manager) and activating multi-factor authentication (even though it can be bypassed, it remains an important protection against hackers)
  • Updating all software: updates must be installed as soon as they’re available. This prevents hackers from exploiting known vulnerabilities in commonly used tools
  • Protecting your users: as we’ve seen, some groups operate through targeted spear-phishing attacks. It’s therefore important to protect your users against these attacks, especially since they are particularly vulnerable to them. At Mantra, we believe that regular awareness courses are necessary to achieve this, but also that training through practice with realistic phishing simulations enables users to detect spear-phishing attacks
  • Keeping an eye out: checking the dark web for mentions of your company can help you anticipate leaked accesses and shut them down before a cyberattack