Major ransomware attacks can start with endpoint access purchased for cheap by bad actors on underground markets.
The first stage of an active cyberattack is initial access: establishing an initial foothold within a network. This step is difficult to perform, so many aspiring attackers instead purchase network access from threat actors with the specialized skills to obtain it.
In our newly released report Wholesale Access Markets & Ransomware – A $10 investment for millions in return, we delve into the intricacies of network access for sale on the underground. As we share in the report, there are two broad options for access for sale: initial access brokers (IABs), which auction access to companies for hundreds to thousands of dollars, or wholesale access markets (WAMs), which sell access to compromised endpoints or their password data for a mere $10.
WAMs are similar to digital flea markets, with low prices, large inventory (they listed access to ~4.3 million endpoints in 2021), and little guarantee that access is persistent. Furthermore, many market listings could belong to a random individual user, which is of lesser value to attackers.
However, if an attacker purchases access to an endpoint that belongs to an enterprise network, it can be the diamond in the rough that opens the door to a larger attack. This is allegedly what happened in the breach of Uber, in which an attacker purchased access to a compromised endpoint on one of these markets.
According to some researchers, this compromised endpoint included access to Uber’s Onelogin identity and access management platform, and attackers used this to penetrate further into the network.
Indeed, in our research we discovered that we can attribute WAM listings to an enterprise based on analyzing SaaS logins in the listing. For-sale systems logged into enterprise software (for example, Slack and Jira) presumably belong to an enterprise whose name is mentioned in the URL.
Accordingly, in the WAM listing below, which may have been the beginning of the Uber attack, we can see that access to Uber’s Onelogin account is for sale:
With this in mind, we sought to understand whether any major ransomware attacks may have begun with the purchase of access from these markets. To do so, Cybersixgill investigated over 3,600 attacks from ransomware leak sites in 2021 and correlated the victimized companies with resources mentioned in WAM listings prior to the attack. We found that in 19% of the ransomware incidents, access to a system logged in to the organization’s domain had been offered for sale on a WAM within 180 days before the attack. (Note that this figure includes external-facing accounts, such as partners and customers.)
Taking this a step further, we looked for logins that included enterprise resources, which signify internal systems. Out of the entire data set, in 85 incidents access to an internal machine belonging to the victimized enterprise was sold within 30 days of the attack. While only the forensics teams with access to internal network logs can determine exactly how the adversary entered the system, any of these 85 access sales might have been the point of entry for an attack that netted the hackers millions of dollars.
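The attribution heuristic described above (a SaaS login URL whose tenant subdomain names the enterprise) and the two correlation windows (180 days for any login on the organization’s domain, 30 days for an internal resource) can be written down as a small script. The following is an added example, not Cybersixgill’s own tooling or data: the SaaS hostname suffixes in `TENANT_SUFFIXES` are an assumed, illustrative set, and the listings and victim records are constructed. The same tenant extraction also serves the monitoring use case, flagging any listing that names one of your own tenants.

```python
from datetime import date
from urllib.parse import urlparse

# Assumed SaaS hosts where the left-most label is the customer's tenant name
# (illustrative; a real watchlist would be curated from the services you use).
TENANT_SUFFIXES = {
    ".onelogin.com": "onelogin",
    ".slack.com": "slack",
    ".atlassian.net": "jira",
    ".okta.com": "okta",
}
# Generic subdomains that do not identify a customer.
GENERIC_LABELS = {"www", "app", "login", "api"}


def tenant_from_url(url):
    """Return (tenant, service) when the URL's host is a SaaS tenant host, else None."""
    host = urlparse(url if "://" in url else "https://" + url).hostname
    if not host:
        return None
    host = host.lower()
    for suffix, service in TENANT_SUFFIXES.items():
        if host.endswith(suffix):
            tenant = host[: -len(suffix)]
            # One label only: "examplecorp", not "sso.examplecorp" or an empty string.
            if tenant and "." not in tenant and tenant not in GENERIC_LABELS:
                return tenant, service
    return None


def enterprises_in_listing(listing):
    """Set of tenant names found among a listing's saved-login URLs."""
    return {hit[0] for hit in map(tenant_from_url, listing["logins"]) if hit}


def correlate(listings, victims, window_days):
    """For each victim, the IDs of listings naming its tenant that were posted
    between 0 and window_days days before the incident date."""
    matches = {}
    for v in victims:
        hits = []
        for listing in listings:
            if v["tenant"] not in enterprises_in_listing(listing):
                continue
            delta = (v["date"] - listing["listed"]).days
            if 0 <= delta <= window_days:
                hits.append(listing["id"])
        matches[v["name"]] = hits
    return matches


def share_with_prior_listing(matches):
    """Fraction of victims with at least one listing inside the window."""
    return sum(1 for hits in matches.values() if hits) / len(matches)


def watch(listings, my_tenants):
    """Defender view: IDs of listings that name any of my own SaaS tenants."""
    return sorted(l["id"] for l in listings if enterprises_in_listing(l) & set(my_tenants))


# Constructed sample data (not real listings or victims).
LISTINGS = [
    {"id": "wam-001", "listed": date(2021, 3, 2),
     "logins": ["https://examplecorp.onelogin.com/login",
                "https://examplecorp.slack.com/",
                "https://mail.example-free.test/"]},
    {"id": "wam-002", "listed": date(2020, 6, 1),          # names the tenant, but far too old
     "logins": ["https://examplecorp.atlassian.net/jira"]},
    {"id": "wam-003", "listed": date(2021, 3, 20),         # consumer-only logins, no tenant
     "logins": ["https://app.slack.com/client/", "https://shop.retail.test/"]},
    {"id": "wam-004", "listed": date(2021, 1, 10),
     "logins": ["https://othercorp.okta.com/"]},
]
VICTIMS = [
    {"name": "ExampleCorp", "tenant": "examplecorp", "date": date(2021, 3, 25)},
    {"name": "OtherCorp", "tenant": "othercorp", "date": date(2021, 5, 1)},
]

if __name__ == "__main__":
    for window in (180, 30):
        m = correlate(LISTINGS, VICTIMS, window)
        print(f"{window}-day window: {m}  share={share_with_prior_listing(m):.0%}")
    print("listings naming my tenants:", watch(LISTINGS, ["examplecorp"]))
```

Note that, exactly as the report cautions, a tenant match is only circumstantial: the listed machine may belong to a partner or customer, and confirming the point of entry still requires the victim's own network logs.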
In our assessment, therefore, WAMs are one of the leading sources of access for ransomware attackers as well as for other types of attacks, such as data breaches, social engineering, use of computing resources, and sabotage. As long as WAMs continue to operate, the most effective way for defenders to block threats emanating from them is to monitor their assets, to ensure that if access to one of their endpoints goes up for sale, they will know immediately.
Download our report to learn more about WAMs and how you can protect your organization from attackers.