{"id":17622,"date":"2022-02-28T10:00:00","date_gmt":"2022-02-28T09:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=17622"},"modified":"2022-04-25T13:59:31","modified_gmt":"2022-04-25T12:59:31","slug":"cdt-watch-february-2022","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/02\/cdt-watch-february-2022\/","title":{"rendered":"CDT Watch \u2013 February 2022"},"content":{"rendered":"\n

DECRYPTION<\/strong><\/h1>\n

T<\/span><\/span>HE RISE OF INITIAL ACCESS BROKERS<\/span><\/span><\/h2>\n

As seen in the underground economy edition, the cybercriminal economy relies on the professionalization and specialization of its system. Among the main actors of this ecosystem, such as the Bullet Proof Hoster or the RaaS, the Initial Access Brokers (IAB) have become more and more crucial these last years.\u00a0<\/p>\n

\u00a0<\/p>\n

What is the IAB\u2019s role in the underground economy?\u00a0<\/strong>\u00a0<\/p>\n

They are providers of victims\u2019 access. They scan the web for vulnerabilities, send phishing e-mails or try to use brute force to get hold of the passwords of company employees, or even create persistent access in the victim\u2019s network. Those ready-made ‘access’ are sold on the dark market: depending on its level of quality, prices can range from $1K to $100K. The average selling price of initial access to a network is $7,100.<\/a> Price is based on the organization\u2019s revenue, type of access sold, and number of devices accessible. For example, Access to an <\/u>Australian company with 500 million USD in revenue<\/a> that enables an attacker with \u201cadmin\u201d level of privileges has been offered for 12 BTC, and access to a Mexican government body for 100,000 USD.<\/a>\u00a0<\/p>\n

The market of corporate initial access grew by almost 16% in H2 2020\u2013H1 2021, from $6,189,388 to $7,165,387. <\/u>The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099.\u00a0<\/a> The geography of initial access brokers\u2019 operations has also expanded: if the US-based companies are the most popular victims (<\/u>30% in 2021), the European companies access sold was multiplied by three between 2019 and 2021. <\/a>French companies were the most popular lot for sellers of access to compromised networks \u2013 they accounted for 20% of all victim companies in 2021 in Europe, followed by the UK (18%).<\/a>\u00a0<\/p>\n

Finding and selecting access opportunities represent an essential but very time-consuming piece of the current \u201cransomware business model\u201d. By monetizing this activity, the IABs are offering a huge advantage of time and energy for the buyers, who can select from a menu of options, picking victims based on their revenue, country, and sector, as well as the type of remote access being offered.\u00a0<\/p>\n

\u00a0<\/p>\n

What kind of access are we talking about?<\/strong>\u00a0<\/p>\n

One of the main trends of the IAB market is the diversification of access Grows. If RDP and VPN are still the most common offer, new attack vectors such as access to VMWare\u2019s ESXi servers have become quite popular.\u00a0<\/p>\n

According to several types of research<\/a>, the kind of access mostly sold are\u00a0\u00a0\u00a0<\/p>\n