It now appears that cyber-criminals targeting corporate networks can simply buy the access keys for a fee.
A worrying developing trend is the growth of access-mining as a service, which is noticeably making it easier for cyber-criminals targeting corporate networks. Advanced skills, it seems, are no longer needed to break into a network: attackers can buy the ‘keys’ for a nominal fee. Once inside, recent research shows, they go for lateral movement and the so-called ‘island hopping’ techniques. This means that even if you are sure your own network credentials are not up for purchase, those of your partners and/or suppliers could be, resulting in potential risk exposure to you and to your organisation.
Understanding how this ‘service’ has evolved, and what it means in a world where potentially destructive attacks are growing more frequent, helps in organising a suitable response.
A dark economy shares many aspects of its legitimate counterpart. Supply and demand are the key drivers as usual, and its purchasers are just as discerning. New products are launched, often at a high price that reflects the initial R&D that went into their development, as is often the case in the broader economy. As demand for the product grows, the market matures and more suppliers enter the fray. As the product becomes commoditised, suppliers seek ways to expand the sector and swiftly monetise what they have for sale. It happened with ransomware, and it is what is now being seen with access mining.
From the seller’s viewpoint, access-mining-as-a-service makes business sense: steal only once, sell many, many times, and maximise the return on both the investment and the risk taken in compromising the target system. A kind of ‘capitalism on steroids’.
Many marketplaces now list both access credentials and direct access to the systems themselves. As this practice becomes more common, prices begin to drop. Remote desktop protocol (RDP) logins for all sorts of systems throughout the world, many of them inside key businesses, are now selling for less than £8 per credential-set/system on multiple darknet marketplaces.
Darknet marketplaces are showing all the signs of a mature economy. They are branded, they compete for dominance and they even run ‘special offers’. Customer service includes features such as ‘try before you buy’, where prospective purchasers can use a third-party cryptocurrency escrow system to validate the authenticity of their purchase before funds are released to the seller. This is one of the more prominent mechanisms available for establishing a degree of ‘trust’ in anonymous, criminal marketplaces.
Here to stay
Analysis of the availability of access-mining-as-a-service indicates that the trend is permanent. A steadily growing number of compromised systems is being added to darknet marketplaces for sale. There is clear evidence of market forces too: hackers offering access bundled with stolen data and intellectual property gained during their initial mining activity can expect prices of around £240,000 or more, particularly for high-value assets posted in the far more private, invite-only marketplaces. This is similar to the ‘bundle’ packages offered by legitimate commercial enterprises.
What does this mean?
Recent research among incident response professionals shows that ‘island hopping’ now accounts for 41% of attacks, an increase of 5% on the previous assessment. This is good evidence that increasing numbers of cyber-criminals are using island hopping as a defined tactic, and, given the increasing availability of access-for-sale, it can be assumed that this is because the barrier to entry has been lowered.
Energy & Utilities
There are also now reports of destructive or integrity impact in 41% of attempts. This represents a 10% rise on previous assessments and may also reflect recent rises in world tension, as politically motivated attacks are often ‘weaponised’ and therefore more focused on destruction or disruption. Analysis of attacks seen during 2019 also indicates that Energy & Utilities was the single most commonly targeted sector, which appears to show a move towards bridging the gap between the digital and physical worlds.
Following darknet forum conversations that focus on causing real-world damage by impacting corporate systems and degrading physical infrastructure reveals an unfortunate and increasing trend: people from a range of backgrounds are investigating the possibilities now that this information is readily available.
Previously, most of this would have been dismissed as idle talk among those lacking the technical skills to act on their malign ambitions. Lowering the bar to gaining initial network access, together with new ways of obtaining and modifying commodity malware such as ransomware, means that more ‘bad players’ are now capable of this sort of attack than was previously the case.
The rise in access-mining-as-a-service and the associated jump in island hopping has implications for the way network defenders approach their task. Rather than focusing on the front gate, security professionals need to accept the high probability that intruders are already inside the network. The next task is to hunt them out by identifying indicators of compromise associated with lateral movement, and to stop them before destructive attacks are launched or the network is used as a stepping-stone to more attractive targets by exploiting existing trust relationships.
Defenders also need to think on a bigger scale about overall risk exposure. The continued trend towards closer integration of cyber and physical networks increases the risk that an organisation’s physical infrastructure, such as electricity, gas, water, buildings and transport systems, will be compromised. IoT devices are often insecure out of the box, while industrial control systems (ICS) may be run by third-party providers with little to no security. As with a major malware outbreak, compromise of these systems can cause very serious disruption, so the level of exposure to these risks must be monitored and, if necessary, remedial action taken.
Access Mining as-a-service
As access-mining-as-a-service grows in popularity, prices drop and the bar to network compromise is lowered, so defenders must think strategically about how to confront this risk. The sheer scale of potential attacks and their rising sophistication mean that prevention is not always possible. Efforts need to focus on identifying actors already in the network and restricting lateral movement, so that even those who have bought the keys find they cannot unlock every door.
That such a criminal marketplace even exists shows the perpetrators’ utter contempt for law enforcement organisations, and the real-world limitations of effective policing.
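One concrete way to hunt for the lateral movement that bought RDP credentials produce, as an added example that is not part of the original article: the detection below runs over a constructed sample of Windows logon events (Event ID 4624 with logon type 10, which is an RDP session) and flags accounts that fan out to several hosts in a short window, plus RDP sessions that do not originate from an assumed allow-list of jump hosts. Hostnames, addresses and the jump-host list are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (hypothetical values, not from the article).
# 4624 = successful logon; logon_type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "2019-10-03T08:02:11 4624 user=jsmith src=10.0.5.21 dst=FS01 logon_type=10",
    "2019-10-03T08:09:40 4624 user=jsmith src=10.0.5.21 dst=DC01 logon_type=10",
    "2019-10-03T08:15:05 4624 user=jsmith src=10.0.5.21 dst=SQL01 logon_type=10",
    "2019-10-03T09:00:00 4624 user=admin src=10.0.1.5 dst=FS01 logon_type=10",
    "2019-10-03T14:30:00 4624 user=admin src=10.0.1.5 dst=DC01 logon_type=10",
    "2019-10-03T10:12:00 4624 user=bob src=10.0.7.9 dst=WS17 logon_type=2",
]

# Assumed allow-list of sanctioned jump hosts from which RDP sessions should originate.
JUMP_HOSTS = {"10.0.1.5"}

def parse_event(line):
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), **fields}

def rdp_logons(lines):
    """Yield only successful RDP (logon type 10) logons from the raw lines."""
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == 4624 and ev["logon_type"] == "10":
            yield ev

def find_rdp_fanout(lines, window=timedelta(minutes=30), max_hosts=2):
    """Accounts that RDP to more than max_hosts distinct hosts inside one window.
    Rapid fan-out is the pattern an intruder hopping between hosts produces."""
    by_user = defaultdict(list)
    for ev in rdp_logons(lines):
        by_user[ev["user"]].append((ev["ts"], ev["dst"]))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

def rdp_from_unexpected_source(lines, jump_hosts=JUMP_HOSTS):
    """(user, src) pairs whose RDP session did not come from a sanctioned jump host."""
    return {(ev["user"], ev["src"]) for ev in rdp_logons(lines) if ev["src"] not in jump_hosts}
```

Tune the window and host threshold to the environment's normal admin behaviour; the point is to make a purchased credential noisy the moment it is used to hop.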