Ransomware operators now outsource network access exploits to speed up attacks


Ransomware operators are now turning to network access sellers in droves to skip one of the most difficult steps in an intrusion: getting in.

On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers. 

According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, buying ready-made entry points into target systems, including stolen credentials and exploitable vulnerabilities, is rising in popularity.

During an attack, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints can all serve as that entry point; once inside, the operators deploy the ransomware, which encrypts files and disks, and demand payment in return for a decryption key.


It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these attacks often go unreported, with only major incidents, such as the recent death of a woman in need of urgent care who had to be diverted away from a Duesseldorf hospital because of a ransomware infection, becoming public knowledge.

Ransom demands can now reach six-figure sums, or more, depending on the target and its estimated worth. Ransomware groups are therefore seeking to cut out the initial access stage of an attack, speeding up the process and, potentially, the flow of illicit revenue.

Network access sellers typically exploit an initial vulnerability to establish a foothold in a network and then sell that access on underground forums for anywhere between $300 and $10,000.

Most underground network access listings specify the target's industry and the type of access, ranging from Citrix to Remote Desktop Protocol (RDP), and may also state the number of machines detected on the network.


“Since the start of 2020 and the emergence of the now-popular ‘ransomware with data theft and extortion’ tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise,” the researchers say. “A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.”

As of September this year, Accenture has tracked over 25 persistent network access sellers — alongside the occasional one-off — and more are entering the market on a “weekly basis.” 

Many of the sellers are active on the same underground forums haunted by ransomware groups including Maze, NetWalker, Sodinokibi, Lockbit, and Avaddon. 

Sellers have now begun touting their offerings in single forum threads rather than separate posts, and RDP remains a popular form of network access. In an interesting twist, rather than selling a zero-day vulnerability outright to a single buyer, some traders use the unpatched bug themselves to compromise numerous corporate networks and then sell access to each network separately, generating additional revenue.
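Exposed RDP is the entry point the article keeps returning to, so the following is an added example (not from the article, and not Accenture's code) of the kind of detection a defender would run over Windows logon events to catch the access that is being sold: a successful RemoteInteractive logon from an external address, and whether that address had been hammering the host with failed logons beforehand. The records are constructed sample data in a simplified five-field format, not real logs, and the internal address ranges listed in the code are an assumption to adjust for your own network.

```python
"""Flag RDP (RemoteInteractive) logons from external addresses, and call out
those preceded by a burst of failed logons from the same source IP."""
import ipaddress
from collections import defaultdict

# Constructed sample records, not real logs. Each line is a simplified export
# of a Windows Security event: timestamp, EventID, account, source IP, LogonType.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """
2020-09-21T02:14:05 4625 jsmith 203.0.113.45 3
2020-09-21T02:14:06 4625 jsmith 203.0.113.45 3
2020-09-21T02:14:07 4625 admin 203.0.113.45 3
2020-09-21T02:14:08 4625 admin 203.0.113.45 3
2020-09-21T02:14:09 4625 backup 203.0.113.45 3
2020-09-21T02:14:11 4624 backup 203.0.113.45 10
2020-09-21T08:03:00 4624 jsmith 10.0.5.22 10
2020-09-21T09:15:41 4625 rwright 198.51.100.9 3
2020-09-21T09:16:02 4624 rwright 198.51.100.9 10
garbage line that should be ignored
""".strip().splitlines()

# Ranges treated as internal (an assumption for this example; adjust to your network).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_event(line):
    """Parse one simplified record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, account, src_ip, logon_type = parts
    try:
        return {
            "ts": ts,
            "event_id": int(event_id),
            "account": account,
            "src_ip": ipaddress.ip_address(src_ip),
            "logon_type": int(logon_type),
        }
    except ValueError:
        return None


def is_external(ip):
    """True unless the address falls in one of the internal ranges above.
    ipaddress's is_global is deliberately not used: it treats the documentation
    ranges used in the sample data (203.0.113.0/24, 198.51.100.0/24) as non-global."""
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_external_rdp_logons(lines, failure_threshold=5):
    """Return successful RDP logons from external IPs, in log order, annotated
    with how many failed logons the same IP produced beforehand (counted across
    all accounts, so password spraying is caught as well as single-account brute force)."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            failures[ip] += 1
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10 and is_external(ip):
            prior = failures[ip]
            findings.append({
                "ts": ev["ts"],
                "account": ev["account"],
                "src_ip": str(ip),
                "prior_failures": prior,
                "brute_force_pattern": prior >= failure_threshold,
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

Every external RDP success is reported, not only the brute-forced ones: a successful logon to RDP from the internet is worth a look on its own, since that is exactly the access being advertised, and the `brute_force_pattern` flag only tells you which of those were preceded by a guessing burst. The internal logon from 10.0.5.22 is ignored, and the malformed line is skipped rather than crashing the parser.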


Access through Citrix and Pulse Secure VPN deployments is also mentioned in adverts.

“Network access sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the COVID-19 pandemic,” Accenture says. “This symbiotic relationship [sellers and cyberattackers] facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.”
