Statistics collected by cyber-intelligence firm KELA during this year’s second quarter show that marketplaces selling initial access to corporate networks have taken a blow.
More specifically, although the number of the offerings remained similar to last quarter, averaging 184 access listings per month, the cumulative requested price was $660,000, which is 0% of Q1 ’22 figures.
Additionally, the average price for network access in the recent quarter was only $1,500, whereas in Q1 ’22 access to networks was sold at an average of $3,000, so the price halved. The median price also dropped from $400 to $300.
Why is this happening?
Initial access brokers (IABs) are a category of hackers whose business is tightly linked to ransomware operations, and the fundamental shifts in the latter’s tactics have played a key role in the change in marketplace prices.
Ransomware gangs folded their operations and became more careful with their targets as the threat from law enforcement became too significant starting late last year.
Notorious operations like DarkSide shut down, large crime syndicates like Conti exited abruptly, and the groups that continue, like LockBit, Black Basta, ALPHV, Quantum, and Hive, have all reduced the volume of their activities.
As Coveware explained in its Q2 2022 ransomware report, threat actor groups now tend to target exclusively mid-sized companies, aiming for a balance between low risk and significant financial rewards.
The narrower the targeting scope, the fewer the valid network access options, so many of the “higher-stake” listings previously considered valuable are now passed over.
The effect is enhanced by the exit of extortion groups like Lapsus$ and Stormous, which suffered from law enforcement heat in Q1 ’22 and are yet to return to regular operations, thus further reducing the demand for network access.
This market pressure has pushed some IABs to pivot to ransomware operations as they strive to make a profit, announcing the formation of nascent small teams that will “lock, exfiltrate, and pivot.”
Using fresh exploits
This quarter, network access brokers focused on scanning endpoints for recently disclosed vulnerabilities and used publicly available exploits to gain access.
For example, a prolific hacker nicknamed “r1z” offered access to 50 U.S. companies through CVE-2022-26134, a remote code execution flaw impacting Atlassian Confluence, discovered as a zero-day on June 2, 2022.
Hackers used this vulnerability to deploy the AvosLocker and Cerber2021 strains mere days after disclosure, while “r1z” also sold a list of 10,000 vulnerable endpoints to those interested in compromising them themselves.
This focus was also reflected in the offerings of 1-day exploits, helping hackers target companies that didn’t patch their systems immediately. According to KELA, the price of good RCE and LPE exploits starts from $5,000.
Should you be worried?
Initial access brokers and ransomware gangs are part of the same supply chain, and while their operations have languished lately, they’re far from over.
Companies should ensure that they are applying the available security updates on all software products they use to reduce the chances of network breaches.
Moreover, applying network segmentation, least privilege principles, and robust perimeter defense and detection systems helps keep IABs out.
Webshells and backdoors planted by IABs usually don’t result in immediate cyberattacks, so there’s always a window of opportunity to detect the breach before damage is done.
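The detection window mentioned above is easiest to exploit with file-integrity monitoring of the web root: a planted webshell is a new or modified server-side script, and it can be spotted long before the access is resold or used. The following is an added example, not code from KELA or from the article; the web root, the baseline, the file names and the detection patterns are all constructed for illustration, and a real deployment would use a maintained rule set rather than this short pattern list.

```python
"""Constructed example: baseline a web root by hash, then report new or modified
executable scripts and flag those whose content looks like a command-execution
webshell. Nothing here is taken from the article or the KELA report."""
import hashlib
import os
import re
import tempfile

# Extensions the application server would execute; a new file here deserves a look.
EXECUTABLE_EXT = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

# Crude content heuristics (constructed for this example) for script files that
# hand request input to a command interpreter.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"\bProcessBuilder\b"),
    re.compile(rb"\beval\s*\(\s*base64_decode"),
    re.compile(rb"\b(system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each relative path under root to its SHA-256 digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def looks_like_webshell(path):
    """True if the file body matches any of the suspicious patterns."""
    with open(path, "rb") as f:
        data = f.read()
    return any(p.search(data) for p in SUSPICIOUS_PATTERNS)


def diff_against_baseline(root, baseline):
    """Compare the live tree with a stored baseline and classify the changes."""
    current = snapshot(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = []
    for rel in added + modified:
        ext = os.path.splitext(rel)[1].lower()
        # Only executable script types are content-checked; images and
        # templates changing is normal deployment noise.
        if ext in EXECUTABLE_EXT and looks_like_webshell(os.path.join(root, rel)):
            suspicious.append(rel)
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo():
    """Build a constructed web root, baseline it, then simulate a planted script."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "index.jsp"), "w") as f:
        f.write("<html>hello</html>\n")
    with open(os.path.join(root, "app", "logo.png"), "wb") as f:
        f.write(b"\x89PNG fake image bytes\n")
    baseline = snapshot(root)  # in practice, stored at deploy time

    # Constructed post-compromise changes: a new script containing only a
    # detection marker (not a working shell), and a benign edit to index.jsp.
    with open(os.path.join(root, "app", "cache.jsp"), "w") as f:
        f.write("<% Runtime.getRuntime().exec(/* constructed marker */); %>\n")
    with open(os.path.join(root, "app", "index.jsp"), "a") as f:
        f.write("<!-- edited -->\n")
    return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run as a script it prints one line per category; in the demo the new `app/cache.jsp` shows up as both added and suspicious, while the edited `app/index.jsp` is reported as modified but not flagged. The baseline should be taken from a known-good deployment and stored off the web host, since an intruder with write access to the web root can otherwise refresh it.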