Access brokers on the rise in cybercrime market

• Hackers are now willing to pay six-figure sums for access data from access brokers.
• Access brokers are raising prices for stolen credentials.

Cyber threats are a real danger to businesses of all sizes. eCrime activity, in particular, continues to grow in volume and reach.

Last year alone, four out of five detected attacks were perpetrated by cybercrime actors, those hackers who seek to generate revenue through criminal activity in a variety of ways. They are constantly evolving their modus operandi.

CrowdStrike’s intelligence team closely monitors changes in the eCrime economy and in light of the unprecedented growth of cybercrime activity, recently unveiled the eCrime Index (ECX).

It reflects the strength, volume and sophistication of the cybercrime market and is updated weekly in real-time based on 18 unique indicators of criminal activity. One trend that experts are increasingly seeing: Access brokers are raising prices for stolen credentials.

Role of access brokers in cybercrime ecosystem

Access brokers, which are cybercriminals who steal access data from companies of various sizes and resell it in underground forums, are a kind of middleman in the ecosystem.

In doing so, they usually obtain the access information via commercially available malware, password guessing, or exploiting unpatched security vulnerabilities.

Among others, the hawked credentials are bought by ransomware actors. They use access to the victim company’s network to collect and encrypt data, then demand high ransom sums for decryption keys from their victims.

In addition, some of these perpetrator groups have increasingly begun exfiltrating data to threaten to release embarrassing or confidential information. A sort of backup plan to increase the pressure if a victim refuses to pay. 

It’s a business that seems to be doing well, as prices for access data to victim companies on underground forums continue to rise.

Although the price negotiations take place in private communication channels and are therefore only insufficiently visible, a strong trend is nevertheless emerging:

Hackers are now willing to pay six-figure sums for access data from access brokers! In return, they receive extensive information for their attack plans.

The access broker sales ads offered in underground forums are often structured similarly and provide potential buyer hackers with the most important key data about the victim company.

Among other things, the publicly reported turnover, the estimated number of employees or even the business field of the target organisation is named. In addition, access brokers often disclose information about the access method, i.e. whether it is VPN or RDP access. 

The ultimate price for the access data is influenced by various factors and is usually composed of the reported revenue of the respective company as well as its geographic tier.

The following three geo-clusters are made: Tier 1 covers the US, Canada, Australia, New Zealand and the UK.

Tier 2 covers Europe and Southeast Asia while the Middle East, Japan and South Korea are part of Tier 3.

Lucrative deals for access brokers

Prices vary depending on the type of access and the value of the targeted victim organisation: While the vast majority of accesses are sold at low prices, higher-priced deals increase the average price and this is reflected in the ECX.

In recent months, CrowdStrike Intelligence has observed prices for access ranging from five figures to as low as 10 bitcoin. 

An increasing purchase price for access indicates that cybercriminals are receiving a decent return on their investment. Ransom demands in the tens of millions of dollars illustrate how lucrative the market is and it is highly likely that prices for access to target organisations will continue to rise.

The access broker market is booming – all the more reason to take a hard look at the ever-changing threat landscape and its players to find effective methods against their tools, techniques and procedures (TTPs).

• Jörg Schauff is the Strategic Threat Intelligence Advisor at CrowdStrike.

Related posts:

• Bitcoin-inspired cyberattacks surge 192% as cryptocurrency prices skyrocket
• What are the ways to bypass NSO Group’s Pegasus spyware?
• Lasting impact of cybersecurity in 2020 elevates importance of CISOs
• Cybercriminals turn to bots and automation to make their attacks avoid detection