1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

11/18/2021

0 Comments

The Rise of Internet Access Brokers

 
internet access brokers

The Rise of Internet Access Brokers

Researchers from BlackBerry Research & Intelligence Team recently discovered three separate threat groups using the same IT infrastructure maintained by a threat actor dubbed as Zebra2104, which the researchers believe to be an Initial Access Broker.

What Is an Initial Access Broker?

As the name denotes, an Initial Access Broker either buys or sells goods or assets for others. In this case, what is being bought or sold for others is the initial access to the victim’s network.

Once an Initial Access Broker has access to an organization’s network, the broker then advertises this initial access to prospective buyers in the underground forums on the dark web. Initial Access Brokers typically sell access to the victim’s network to the highest bidder on underground forums. The winning bidder then deploys ransomware or other malicious software (malware) to steal or snoop the victim’s critical data.

Initial Access Broker is the first kill chain of many cyberattacks, including ransomware attacks. Initial access to victims’ networks comes in different forms. These include access to vulnerable and internet exposed remote desktop protocol (RDP) and virtual private network (VPN).

VPN, in principle, establishes a protected network connection when using public networks. In the past few years, a number of vulnerabilities have been discovered in many VPN products. RDP, short for remote desktop protocol, is a network communications protocol developed by Microsoft, allowing a computer user to remotely connect to another computer.

In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", Microsoft Defender Security Research Team said that computers with RDP exposed to the internet are an attractive target for attackers as they offer attackers a simple and effective way to gain access to a network. According to Microsoft Defender Security Research Team, brute-forcing RDP doesn’t need a high level of expertise or the use of exploits.

“RDP connections almost always take place at port 3389, and attackers can assume that this is the port in use and target it to carry out man-in-the-middle attempts, amongst other attacks,” Digital Shadows researchers said in the blog post “Initial Access Brokers In Q3 2021”.

Digital Shadows researchers reported that during the third quarter of 2021, RDP and VPN continued to be the access of choice for Initial Access Brokers. During the third quarter of 2021, the average price for VPN was $1869, while the average price for RDP was $1902. According to Digital Shadows researchers, RDP and VPN were also the most popular access of choice for Initial Access Brokers Q1 and Q2 2021.

“This [popularity of RDP and VPN] is likely due to a combination of the increased use of both technologies as a result of the COVID-19 pandemic and the opportunities afforded to an actor purchasing a VPN or RDP access,” Digital Shadows researchers said.

Digital Shadows researchers added that the VPN-RDP combination – referring to access type that uses VPN access to a victim’s RDP dedicated server – was significantly more expensive in Q3 than the last quarter. “It’s realistically possible that this access type [VPN-RDP] may represent a more secure method of gaining access to targeted networks, and as a result, become more desirable for interested actors,” Digital Shadows researchers said.

Digital Shadows researchers reported that Initial Access Brokers are advertising various accesses to RAMP (Ransom Anon Mark Place), a recently relaunched Russian-language cybercriminal forum.

Zebra2104

In the blog post "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware", BlackBerry researchers said they uncovered a connection between the criminal activities of three distinct threat groups, MountLocker, Phobos, and StrongPity. “While it might seem implausible for criminal groups to be sharing resources, we found these groups [MountLocker, Phobos, and StrongPity] had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB),” BlackBerry researchers said.

MountLocker is a ransomware group that has been active since July of 2020. Phobos is another ransomware group that was first seen in early 2019. Phobos has been victimizing small-to-medium-sized organizations across a variety of industries. StrongPity, also known as Promethium, is an espionage group that has been active since at least 2012.

According to BlackBerry researchers, a single domain led them down a path where they uncovered multiple ransomware attacks by MountLocker, Phobos, and a command-and-control (C2) of StrongPity. “The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104,” BlackBerry researchers said.

Cybersecurity Best Practices

Cybercrime groups nowadays mimic multinational organizations’ business models. Similar to multinational organizations, cybercrime groups establish partnerships and alliances with other organizations, in this case, with Initial Access Brokers.

Considering that RDP and VPN are the popular initial accesses, it’s important to guard these two gateways. Here are some of the best practices to guard RDP and VPN:

  • Keep operating systems and VPN up to date. For instance, in the past, Microsoft included in its updates patches to known vulnerabilities of RDP. VPN vendors, meanwhile, have released patches to known vulnerabilities to their VPN products.
  • Use strong passwords for RDP and VPN.
  • Use multi-factor authentication (MFA) for RDP and VPN to add an extra layer of protection in addition to a mere password.
  • Practice network segmentation. In network segmentation, your organization’s network is subdivided into subnetworks. Organizations that use VPN access to RDP dedicated server benefit by separating this subnetwork from the other critical subnetworks. In a segmented network, criminals who have already compromised an internet-exposed VPN-RDP will be prevented from escalating their malicious activities to other critical subnetworks.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit