Researchers at the consulting company Accenture examined the sale of access to hacked networks on dark web sites. As it turned out, demand for this “product” has grown significantly over three years, and such offers are of great interest to ransomware distributors.
Outsourcing the task of gaining access to a corporate network relieves such attackers of the time-consuming and costly stage that precedes a targeted attack. Besides the initial break-in, preparing an attack generally also involves gaining a foothold in the victim's network and moving laterally through it in order to distribute malware to other machines.
According to the Accenture study, the number of offers to sell network access on the dark web is growing steadily, whereas in 2017 they occupied a very modest niche in the market. Sellers usually post such announcements on closed forums in a single thread, for the convenience of buyers, and accompany them with the following information:
- victim specialization (vertical);
- the countries in which it does business;
- type of network access (RDP, VPN, etc.);
- the number of machines in the network;
- additional information (for example, number of employees, income).
As of September of this year, researchers have counted a dozen or so regular network access sellers on dark web markets, offering access at prices ranging from $300 to $10,000, depending on the size of the network and the target company's revenue. It is noteworthy that the forums these hackers frequent are also full of advertisements for the distribution services of Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi and other ransomware aimed at corporate networks. Although a link between the sale of network access and a specific cyber attack is difficult to establish, researchers believe that some ransomware operators regularly take advantage of the outsourcing option.
Analysts also determined that networks are currently hacked via the RDP protocol and, less often, through vulnerabilities in Citrix and Pulse Secure VPN clients. Apparently, hackers are taking advantage of the fact that, due to the threat of COVID-19, many companies have moved employees to remote work, and the need for tools to access workplaces has increased greatly.
Attackers have also begun using zero-day exploits to hack networks for commercial purposes, and several vendors, according to Accenture, are trying to adapt the recently leaked Cerberus source code for these needs.
The researchers expect that the mutually beneficial relationship between network access sellers and ransomware distributors will grow stronger over time, so they recommend that businesses take the following measures:
- establish monitoring of the dark web in order to identify potential threats in a timely manner;
- regularly back up important files and isolate the storage from the network;
- update antivirus software automatically and run scheduled scans;
- regularly check the logs for signs of the presence of known ransomware;
- draw up an action plan for responding to cyber incidents and quickly restoring the normal operation of the enterprise;
- conduct training for employees, teaching them the rules of safe email use and helping them recognize malicious emails.