Freelance cybercriminals are selling access to the networks of predominantly U.S. organizations to ransomware groups and other threat actors, according to new research.
Two reports this week tracked the activity of initial access brokers and how they advertise their services to fellow cybercriminals on dark web marketplaces. The access brokers compromise networks and sell credentials to other threat actors such as ransomware operators, who then steal data and extort the victims for money.
The first report from CrowdStrike analyzed advertisements dating back to 2019 and found several recurring themes, as the access brokers seemed to show clear preferences in which organizations to target and where they were located.
"Access brokers have advertised organizations from more than 30 different sectors, demonstrating an eclectic range of targets," CrowdStrike explained. "Among these, the academic, government and technology sectors were the most frequently advertised, accounting for a combined 49% of the total advertisements."
Although they were the most popular targets advertised, academic institutions were not the most lucrative for access brokers.
According to the CrowdStrike team, companies operating in the government and financial sectors were the most valuable for malware writers, with advertisers fetching average prices of $6,151 and $5,855, respectively. Less valuable was access to networks run by insurance providers ($1,724) and technology companies ($2,667).
Location also plays a major role in deciding who gets targeted and sold to ransomware groups. According to CrowdStrike, 55% of the targets advertised by data brokers were based in the U.S. Brazil was a distant second, with just 8% of all access broker ads.
"This geographic targeting trend corresponds with other eCrime activity, including data theft campaigns that frequently result in stolen credentials being traded online in criminal underground marketplaces," CrowdStrike noted.
"Access brokers are known to purchase such credentials and abuse them to acquire access."
One reason the U.S. is so heavily targeted is that American organizations also tend to fetch the best prices. On average, U.S. victims net an access broker a return of $3,985. The U.K. was second at an average of $3,925, followed by Canada at $3,119. By comparison, an organization in the United Arab Emirates only nets around $1,275 on average, and a network in Germany only brings in around $1,288.
One of the more disturbing trends observed by the researchers was growth in targeting of healthcare providers. Between the first quarters of 2020 and 2021, the CrowdStrike team noted a significant increase in advertisements of healthcare targets.
"The increase corresponded with news of successful vaccination programs, potentially prompting increased interest among eCrime adversaries," said CrowdStrike.
"Law enforcement scrutiny of cybercrime targeting critical infrastructure, which includes healthcare, also likely impacted supply and demand for access to this sector."
In another report this week, threat intelligence firm Digital Shadows reported the access broker market has grown by 57% on the year. The report found that VPN access experienced significant growth in listings.
"As a consequence of diffused remote working models enforced in 2020, virtual private network (VPN) accesses were among the top three accesses listed in cybercriminal forums," Stefano De Blasi, cyberthreat intelligence analyst at Digital Shadows, wrote in a blog post about the new research. "This fact shouldn't come as a surprise -- unpatched software and weak credentials are unfortunately present on corporate laptops, making organizations vulnerable to external cyber threats."
That report similarly found that the U.S. was both the most popular and valuable region, accounting for approximately a third of all advertisements. However, Digital Shadows researchers found that the access brokers they observed were charging much higher prices, with the average advertisement seeking $7,100 for network access.
Additionally, the Digital Shadows team found that the forums it observed placed a far higher value on access to companies in the tech sector, with those organizations fetching an average price of $13,607.
De Blasi noted that it's currently difficult to determine exactly who the advertised victims are because access brokers know dark web forums are being watched.
"Outright naming the targeted organization was common practice in the beginning in order to give authenticity and prove value for the accesses," he said. "Now, the listings are usually heavily redacted of company names and logos in order to avoid detection by law enforcement or threat intelligence providers such as Digital Shadows."