In its latest research, security specialist Positive Technologies documents how the market enabling initial access to corporate networks has evolved through 2020 and into early 2021, and reveals that the number of ‘access-for-sale’ ads on the dark web has increased seven-fold compared with previous years.
Sample dark web forum ads
The cybercriminal profile is changing
The company’s researchers believe the cybercriminal profile is changing in multiple ways; the profile of an external intruder who gains initial access to a corporate network is different from the criminal who follows through with the attack once inside—most importantly, the two have different skillsets.
The person who hacks the perimeter can range from novice to pro, even a specialist with very specific technical abilities. The attack on the local network, on the other hand, will be conducted by skilled hackers or cyber-thieves who purchase the access on a dark web forum. Once they have the resources they need, they can begin their criminal activities, which range from theft of funds to lasting disruption of business operations.
“With these realities in mind, a system for protection against cyberattacks may require a different approach,” said Yana Yurakova, an analyst at Positive Technologies. “The threat actor model needs to be revised to guard against both access from low-skilled attackers and sophisticated methods of attack.”
New offers on dark web forums
Positive Technologies researchers note that the number of ads promising access on dark web forums increased with each quarter throughout the observed period. As many as 590 new offers were identified in the first quarter of 2021 alone, equal to 83% of all offers in 2020.
“The market for access to corporate networks has evolved in the past few years,” said Vadim Solovyov, Senior Information Security Analyst at Positive Technologies. “It could be assessed as mature as early as the beginning of 2020. A factor that contributed to this level of development is an increase in ransomware attacks: members of ransomware partner programs often use offers available on the initial access market.”
In the first quarter of 2021, the number of users who placed ads for buying and selling access and also for seeking hacking partners tripled compared to Q1 2020.
Corporate network access is sold on the dark web
Positive Technologies estimates that about $600,000 worth of corporate network access is sold on the dark web on a quarterly basis. Interestingly, the share of expensive access lots priced above $5,000 almost halved. This may reflect mass entry into the market by novice cybercriminals.
“As we can see, most companies who had access to their networks put up for sale by cybercriminals belong to the services (17%), manufacturing (14%), and research and education (12%) industries,” added Yurakova. “Note that the share of industrial companies and financial institutions, whose networks are typically more expensive to hack, decreased somewhat. This may be attributed to the fact that the initial access market is served by lower-skilled actors who prefer easier victims.”