Hot Offering on Darknet: Access to Corporate Networks
More Ads Offer Access for a Substantial Price: Positive Technologies
The number of darknet forum advertisements offering full access to corporate networks jumped almost 70% during the first quarter of 2020, compared to the previous quarter, posing a significant potential risk to corporations and their now remote workforces, according to security firm Positive Technologies.
Late last year, cybercriminals began to shift their focus from buying access to specific corporate servers, sometimes for as little as $20, to purchasing the ability to gain full network-level access, Positive Technologies says. The number of darknet ads for corporate network access climbed to 88 in the first quarter of this year, compared to 50 in the fourth quarter, according to the company’s report published Wednesday.
Network-level access is generally priced between $2,500 and $10,000, but the price can go as high as $100,000, the report notes.
“Most likely, [criminal] cryptographic operators served as the growth driver, when switching their focus of attention from individuals to large companies, and their affiliates started buying large amounts of accesses to company networks,” Vadim Solovyov, senior analyst for Positive Technologies, tells Information Media Security Group.
Network access credentials being sold on the darknet likely were acquired through phishing, brute-force attacks and login-stealing malware, the report states. Also offered for sale on the darknet are details about how to exploit software vulnerabilities that would allow network access, along with remote access Trojan, or RAT, malware.
The increased availability of credentials and other details needed to gain access to corporate networks means that low-skilled threat actors can potentially target large organizations more easily, according to the report.
“This issue is especially acute now that so many employees are working from home,” the report notes. “Hackers will look for any and all security lapses on the network perimeter, such as an unprotected web application, non-updated software, or incorrectly configured server with a weak administrator password.”
Positive Technologies notes that some of the network access information is being sold on a commission basis, with the buyer paying back up to 30% of any profit made to the seller when access is gained to an organization and monetized through ransomware or another type of attack.
Example of access points for sale (Source: Positive Technologies)
Positive Technologies says ransomware operators sometimes buy network access credentials from one set of criminals and then hire others to infect local networks with malware in return for a large percentage of the victim’s ransom. On darknet forums, this setup is known as a “ransomware affiliate program,” the report states (see: Ransomware Attackers Exfiltrate Data From Magellan Health).
“However, in this case, it’s not only ransomware that’s possible,” Solovyov says. “Corporate level access can be used by malefactors in a wide range of actions – from mass attacks aimed at creating botnets or mining farms, to more targeted attacks on specific industries, or even on individual companies for stealing data or money.”