Nowadays, hackers have a couple of options for gaining access to an organization's network. They can do it the old-fashioned way by hacking into it themselves, or they can purchase an exploit that gives them access.
But there is another way that is becoming more common, and that is using access-as-a-service to gain entry to networks.
In a recent SecureWorld Sessions podcast episode, Mayra Rosario Fuentes, Senior Threat Researcher at Trend Micro, discusses this trend:
"Now, access-as-a-service is the paid hot commodity. And it's also easier to get into the market. So for the exploit market, you've got to have a better reputation, you don't know what you're talking about. You need to be liked and know what you're selling. And it's harder to convince someone to purchase an exploit when they don't know it's going to work. Just because it works for this specific Microsoft product, if you buy it, it may not work for your specific Microsoft product.
Now for access-as-a-service, you're getting a username and password to a database, or to the back-end of the administrative account, to a hospital or to a bank. And then you can do whatever you want in the system, you could put ransomware in there, you could copy the database and use that database, either to sell it or to get the data and use it for phishing. Sometimes they have credit cards in there, so you could sell the credit cards and use that too.
And it's also easier to get into access-as-a-service. You can show a screenshot so you can show that you actually have access to that back end. And you don't need to have that high reputation because the prices are not, you know, in the 10s of 1,000s of dollars. Sometimes it could be as low as $200 for an online store. So people might be more willing to take a risk with $100 compared to $10,000 to buy an actual exploit."
So how much can hackers really buy network access for?
Hackers average $10,000 for access-as-a-service
Cybersecurity firm IntSights recently released a report that analyzes the sale and purchase of unauthorized access to compromised enterprise networks. It notes that access-as-a-service has become a significant enabler for ransomware attacks.
The price for network access can range quite a bit. IntSights reports the lowest asking price was $240 for a healthcare organization in Columbia, while the highest price was $95,000 for an Asian telecommunications service provider. The average price was $9,640, but the median was $3,000.
Here is what IntSights says about this type of cyber attack:
"These exchanges on underground criminal websites enable specialized actors with complementary skills and resources to increase the severity and impact of the underground criminal ecosystem and the threat actors' 'kill chain.' This specific variety of criminal market offerings is less well known than others, such as the sale of compromised payment cards from retail and hospitality breaches. This lesser-documented type of criminal market offering nonetheless deserves greater consideration because of the breadth and potential severity of its impact.
These sales of network access affect organizations in all industries and geographies. Technology and telecommunications companies are among the most common victims and often command higher prices. Criminals from around the world buy and sell network access, but, as in other aspects of the underground criminal ecosystem,
Russian-speaking criminals are the market leaders. These offerings often include a combination of remote access into a network and administrator credentials or other highly privileged accounts."
Mitigation techniques for sales of networks access
According to IntSights, here are the best practices for mitigation if you find that access to your network is for sale on the Dark Web:
- "If you receive a report that access to your network is for sale on a criminal forum, contact the security researcher that reported it. The security researcher may be able to elicit additional useful details about the breach from the seller by posing as a prospective buyer."
- "If the advertisement for access to your network specifies the persistence mechanism or privileged accounts for sale, conduct an audit of those types of accounts for suspicious activity."
- "Consult with an attorney before considering the possibility of buying back the unauthorized access to your organization's network, which may have legal implications."
- "In the event of a ransomware infection, incident response teams should determine the full scope of the breach culminating in the encryption of files. Ransomware operators typically conduct other malicious activities, such as the exfiltration of profitable data, before encrypting files."
- "Refrain from paying ransoms to ransomware operators. Many ransom payments do not result in file restoration due to technical errors or deceptive ransomware operators. Ransom payments encourage further extortion attempts and give criminals more resources for future attacks."
For more information on access-as-a-service, check out the entire SecureWorld Sessions podcast. Listen here: