Initial Access Brokers: How They’re Changing Cybercrime

Cybercriminals are becoming faster and more effective at stealing your money. And they're doing it by using highly specialized workers in a new business model that rivals any legitimate tech company you might see today. As an example, the Conti Ransomware-as-a-Service (RaaS) gang hired "Coders," "Testers," "Penetration Testers," and other personnel to fulfill various aspects of the "business." Conti's handlers even gave each of these departments its own budget to use as necessary.

Such specialization is also evident in many criminal organizations' use of Initial Access Brokers (IABs). In this blog post, we examine these actors in more detail. We break down what IABs do and how their activities are changing the cybercriminal ecosystem. We also provide tips that you can use to defend yourself against IABs.

What Are Initial Access Brokers?

IABs are a growing part of the cybercriminal ecosystem because of what they offer. At a high level, IABs are cyber threat actors (CTAs) who seek to procure access to your network and sell it to other CTAs. One of the most common types of buyers is the cybercriminal who uses network access for financial gain. However, IABs sell to all types of CTAs, including nation-state actors.

Such network access can take on various forms. For instance, there's access to cPanel and other types of control panels. A buyer of this type of access can potentially search web hosting content for payment card information. Web shell access is another common offering of IABs, as it helps to facilitate quiet access to a compromised web server.

Even so, IABs most commonly turn to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) technology. Often, these are the most convenient means of access to your network. Take VPNs as an example. Researchers have discovered many vulnerabilities affecting various VPN services in recent years. IABs could exploit those flaws to gain and later sell network access. As for RDP, CTAs could use scanning tools like Shodan to look for networks with RDP ports open to the internet. CTAs could then brute force the username and password, leverage stolen login information for a credential stuffing attack, and employ other attack techniques to gain access to vulnerable RDP instances.

How an IAB ultimately gains access is limited only by their imagination. As an example, Curated Intel designed a graphic that shows the many options open to IABs.

The Impact of IABs on Ransomware Attacks

In general, IABs are helping ransomware operations, particularly RaaS schemes, to streamline their attacks and reduce their workload at the beginning of an attack. IABs offload the difficult work of finding targets and gaining access. In doing so, they enable ransomware groups to attack at scale because they're not wasting time trying to secure a foothold in target networks, such as yours. They can immediately procure that access via an IAB and get to work encrypting your data.

With certain RaaS groups, the benefit of working with IABs goes a step further. Evidence suggests that some IABs work directly for ransomware groups or affiliates of RaaS groups. This significantly speeds up a ransomware attack, as affiliates can leverage procured access and jump almost immediately to conducting their attack rather than wasting time gaining access. The IAB passes access to the affiliate, who then launches the attack, infects your network, and in turn passes things off to other parts of the operation to cash out.

Such direct collaboration doesn't just benefit RaaS groups. It also helps IABs. As discussed by, IABs who are working for RaaS groups don't need to advertise their services publicly on underground forums. They already have steady work, so there's no need to market for more. This comes with the added bonus of less public visibility, which provides cover when law enforcement shuts down a marketplace and goes after its members.

How to Defend Against Initial Access Brokers

The IAB market in general is undergoing some changes. Specifically, we found that the prices offered by IABs for network access are dropping. Our hypothesis for why is twofold. First, CTAs might not want to buy access to IABs' higher-value targets. Given operational disruptions in recent years, many ransomware groups in particular don't want the attention of law enforcement and national governments. Second, there could be oversaturation. IABs are so active that they're looking to get access to essentially anyone and everyone. As they continue to align with ransomware groups, we expect this activity to increase going forward.

Your organization must be prepared to protect itself against IABs. On your own, you want to review the ways in which IABs can access your network, reduce the attack surface where you can, and harden existing entry points that could be exploited. As part of this process, conducting periodic penetration tests is a helpful way to assess your current security posture, learn about your vulnerabilities, and improve your defenses. Additionally, you can use a vulnerability management program that patches frequently enough that you are not left exposed to the critical vulnerabilities that IABs exploit. You can also harden your RDP, VPN, and other points of access using credential lockout policies that lock someone out if they attempt a brute force attack. Finally, you can use multi-factor authentication (MFA), access controls, and the principle of least privilege to limit access to key resources and protect work accounts.
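The RDP brute-force and credential-stuffing activity described earlier leaves a recognizable pattern in Windows logon events, and a lockout policy is easier to tune once you can see that pattern. The following is an added example, not part of the original post: it assumes Security events 4625 and 4624 exported as CSV in the constructed layout shown, and the window and thresholds are assumptions to adjust for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = success; type 10 = RDP, type 3 = network (RDP with NLA).
SAMPLE = """\
2024-05-01T02:00:01,4625,3,203.0.113.7,administrator
2024-05-01T02:00:03,4625,3,203.0.113.7,administrator
2024-05-01T02:00:05,4625,3,203.0.113.7,administrator
2024-05-01T02:00:07,4625,3,203.0.113.7,administrator
2024-05-01T02:00:09,4625,3,203.0.113.7,administrator
2024-05-01T02:00:11,4624,10,203.0.113.7,administrator
2024-05-01T03:10:00,4625,3,192.0.2.44,alice
2024-05-01T03:10:02,4625,3,192.0.2.44,bob
2024-05-01T03:10:04,4625,3,192.0.2.44,carol
2024-05-01T03:10:06,4625,3,192.0.2.44,dave
2024-05-01T08:59:50,4625,10,198.51.100.20,jsmith
2024-05-01T09:00:05,4624,10,198.51.100.20,jsmith
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
BRUTE_FAILS = 5                  # assumed: failures on one account from one source
STUFFING_USERS = 4               # assumed: distinct accounts tried from one source

def parse(text):
    for line in text.strip().splitlines():
        ts, eid, ltype, ip, user = line.split(",")
        if ltype in ("3", "10"):             # keep remote logon types only
            yield datetime.fromisoformat(ts), int(eid), ip, user.lower()

def detect(text):
    fails = defaultdict(list)    # source IP -> [(time, account)] failures in window
    flagged, alerts = set(), []
    for ts, eid, ip, user in sorted(parse(text)):
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= WINDOW]
        if eid == 4625:
            fails[ip].append((ts, user))
            accounts = [u for _, u in fails[ip]]
            if accounts.count(user) >= BRUTE_FAILS:
                kind = ("brute_force", ip, user)
            elif len(set(accounts)) >= STUFFING_USERS:
                kind = ("credential_stuffing", ip, None)
            else:
                continue
            flagged.add(ip)
            if kind not in alerts:
                alerts.append(kind)
        elif eid == 4624 and ip in flagged:  # working access now exists
            alerts.append(("success_after_attack", ip, user))
    return alerts
```

The single mistyped password from 198.51.100.20 produces no alert, while the success from 203.0.113.7 after five failures is the event to escalate first.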

If you're a U.S. State, Local, Tribal, and Territorial (SLTT) government organization, you can also choose to work with the MS-ISAC. We actively monitor for compromised credentials associated with SLTTs and partner organizations. Additionally, our teams seek out potentially vulnerable systems and applications that could impact our members. When we find them, our 24x7x365 Security Operations Center (SOC) will notify you and offer assistance in remediation.

We have an indicator sharing program that will share Indicators of Compromise (IoCs) with you. That way, you can receive and take action on alerts associated with information-stealing malware, which is a common IAB attack technique. You can also enroll in the U.S. Cybersecurity & Infrastructure Security Agency's (CISA's) Cyber Hygiene Services (CyHy). Available at no cost to SLTTs, these offerings can help you proactively scan your networks, figure out where you're vulnerable, and take the necessary actions before IABs exploit those weaknesses to their advantage. Finally, as an MS-ISAC member, you can use a free CIS SecureSuite Membership to optimize your use of the CIS Critical Security Controls, security best practices that are proven to defend against ransomware and other threats by the CIS Community Defense Model.

About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.