As ransomware-as-a-service (RaaS) affiliates continue to make headlines with attacks on big-name organizations such as Continental and Advanced, it is worth paying some attention to the less eye-catching entities that enable these attacks, by selling access to compromised networks: Initial access brokers (IABs).

In this post, we’ll learn more about how IABs and RaaS affiliates work together, the tools and techniques IABs use to break into corporate networks, and how you can detect (and kick out!) IABs lurking on your systems.

How IABs work

At the top of the RaaS food chain are RaaS vendors, sophisticated criminal enterprises that develop and sell ransomware, along with the infrastructure necessary to conduct ransom negotiations and data leaks.

RaaS gangs such as LockBit, BlackBasta, and AvosLocker (which we cover in our monthly ransomware review) don’t make money by breaking into networks and deploying ransomware themselves. Instead, their ransomware is sold to affiliates—groups who actually carry out ransomware attacks on organizations.

Affiliates specialize in moving through networks and deploying ransomware, which is a very different task to finding and compromising the vulnerable networks in the first place. So many affiliates outsource the initial breaking-and-entering to others: IABs.

“IABs can be anywhere from individual mercenaries to parts of a much larger organization,” says Jerome Segura, Sr. Director, Threat Intelligence at Malwarebytes. “But those that are tied specifically to ransomware tend to be working for a RaaS gang.” 

Once IABs have access to a network, they don’t go any further with it—there is far more risk involved with launching a full-on attack. Instead, independent brokers will advertise their stolen access on dark web forums, where their asking price will ultimately depend on the type and size of company they have access to, and the kind of access they have.

“IABs will typically give the access they get to somebody else,” says Segura. “They may also do some additional kind of probing to prove they broke into so-and-so server that belongs to a so-and-so company. And in terms of leverage, there’s a big difference between having access to a network with, say, 1000 machines versus a company that looks like they have maybe 50 users.”

“So that's the second phase for IABs, giving access to another group of attackers, which could be within the same criminal organization,” Segura says. “Independent IABs, on the other hand, will go on underground forums to publicize and sell access.”

3 ways IABs compromise networks

Segura mentions that the methods IABs use to break into corporate networks broadly fall into one of three camps: Phishing, password guessing, and exploiting vulnerabilities.

1. Malicious emails 

Phishing has been a go-to technique for breaking into corporate networks for decades. All it takes is one convincing email to one employee, pointing them to a URL where they can enter their login credentials. This year, 82% of breaches in Verizon's 2022 Data Breach Investigation Report (DBIR) involved the human element—with phishing accounting for over 60% of social engineering data breaches.

Many corporate environments have a VPN setup which allows their employees to work from home. If they can steal an employee's password, an IAB can log in to that VPN and explore the employer's network.

Alternatively, the email itself could carry an attachment, perhaps disguised as a spreadsheet, presentation or invoice, that drops malware onto the recipient’s machine. That malware, typically a trojan, can be used to move laterally inside a network and to download other malicious software. The trojan creates persistent access for the IAB that can then be sold on.

2. Guessing passwords

Another technique IABs rely on is brute-force password guessing, in which cybercriminals use automated tools to guess passwords for Internet-facing systems such as VPNs, RDP, or SSH.

RDP allows you to remotely access another computer, making it a great tool for remote workers. Unfortunately, if you can access another computer online simply by entering the right credentials, so can IABs! 
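Brute-force guessing against an exposed service leaves a characteristic trail: many failed logins from one source in a short window, often across several usernames, sometimes ending in a success. The following is an added example of detection logic for that pattern, written for this post and not code from Malwarebytes; it runs over a constructed sample of OpenSSH auth log lines (the same logic applies to VPN or RDP logs once they are parsed into the same timestamp/result/user/source fields). The window and threshold values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines (syslog format, no year).
# 203.0.113.7 guesses several accounts and finally gets into "backup";
# 198.51.100.20 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Nov  1 09:00:01 vpn-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Nov  1 09:00:03 vpn-gw sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51814 ssh2
Nov  1 09:00:05 vpn-gw sshd[2103]: Failed password for root from 203.0.113.7 port 51816 ssh2
Nov  1 09:00:08 vpn-gw sshd[2104]: Failed password for backup from 203.0.113.7 port 51820 ssh2
Nov  1 09:00:11 vpn-gw sshd[2105]: Failed password for backup from 203.0.113.7 port 51822 ssh2
Nov  1 09:00:14 vpn-gw sshd[2106]: Accepted password for backup from 203.0.113.7 port 51824 ssh2
Nov  1 09:05:00 vpn-gw sshd[2150]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Nov  1 09:05:30 vpn-gw sshd[2151]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2022):
    """Turn sshd lines into (timestamp, accepted?, user, source_ip) tuples.

    Syslog timestamps carry no year, so one is supplied (assumption: 2022).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Sliding-window detector over login events sorted by time.

    Raises a "brute_force" alert the first time a source accumulates
    `threshold` failures inside `window`, and a "success_after_burst" alert
    when a login from that source succeeds while the burst is still within
    the window, i.e. a guess that worked. Distinct usernames are reported so
    analysts can tell password spraying from hammering one account.
    """
    alerts = []
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    users = defaultdict(set)      # source ip -> usernames tried
    flagged = set()
    for ts, accepted, user, ip in sorted(events):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if not accepted:
            q.append(ts)
            users[ip].add(user)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(q)} failures in {window}, "
                               f"{len(users[ip])} distinct users"))
        elif len(q) >= threshold:
            alerts.append(("success_after_burst", ip,
                           f"login as {user} accepted right after a failure burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, only 203.0.113.7 is reported, first for the burst and then for the accepted login that follows it; the single failure from 198.51.100.20 stays below the threshold. The second alert type is the one worth paging on, because it is the moment an IAB turns guessing into access.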

Millions of RDP login screens like this are accessible on the Internet

3. Exploiting vulnerabilities

Lastly, IABs can exploit security vulnerabilities in a company's IT infrastructure to gain access to their network.

The road to exploiting a vulnerability starts with scanning for IP addresses with open ports, and trying to identify services running software with unpatched vulnerabilities.

“IABs can find victims using tools like Shodan, which is like a Google search engine for vulnerable servers,” says Segura. “That way they don’t have to go probing the entire Internet for victims, they can kind of cut to the chase by getting a nice list of potentially vulnerable IPs and attacking those.”

The criminals who do this aren't discovering new vulnerabilities; they are almost always testing for well-known vulnerabilities, such as Log4Shell or ProxyLogon, that could have been patched but haven't been.

Keeping IABs out

It goes without saying that you should implement measures to keep out IABs, such as employee phishing training, brute force protection, and timely vulnerability and patch management.

In addition to the above solutions, Segura also mentions the supreme importance of following the principle of least privilege—granting users only the permissions they need, and nothing more.

“One of the issues with a lot of companies is that pretty much everybody has access to everything,” Segura says. “So you're basically an admin on that domain, even though you’re an intern. And that's very dangerous because once an attacker has that initial access, they'll try to gain further access within the company's network.”

Regardless of the prevention techniques you use, it is always wise to assume an IAB attack will eventually succeed. Detecting IABs as soon as possible after they enter your network matters, because from the moment they get in you are in a race against time, as Segura explains:

“Maybe a few years ago, you could have an initial access and then have weeks or months go by. Generally speaking nowadays, that timeframe has really shrunk,” says Segura. “From initial access to full compromise, you're talking about more like days, sometimes a week or two.”

To catch IABs early on, Segura suggests implementing honey accounts: fake accounts deliberately set up to be attractive to an attacker, for example an account with admin-level privileges.

“Another idea is to create some dummy accounts, or also called honey accounts,” Segura says. “You make up some email addresses or certain credentials, and because it's a fake and nobody should know about them, if anybody tries to log in with those credentials, that's a sign that you've been breached.”
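A honey account only works as a tripwire if every authentication attempt against it is caught, whatever form the username takes in the log. The block below is an added example of that check, written for this post and not code from Malwarebytes: it normalizes `DOMAIN\user`, `user@domain` and mixed-case spellings to one name, raises an alert on any attempt against a honey account (a success is more urgent than a failure), and then pulls every other event from the same source so the analyst can see what else that intruder touched. The account names and the event records are constructed for the example; real deployments would read events from the SIEM.

```python
# Constructed honey account names. Assumption: these accounts exist in the
# directory, look privileged, and are never used by anyone legitimately.
HONEY_ACCOUNTS = {"svc-backup-admin", "da-legacy"}

# Constructed, already-normalized auth events as a SIEM export might look.
SAMPLE_EVENTS = [
    {"ts": "2022-11-01T09:00:14Z", "service": "vpn", "user": "alice@corp.example",
     "src": "198.51.100.20", "result": "success"},
    {"ts": "2022-11-01T09:02:41Z", "service": "rdp", "user": "CORP\\Svc-Backup-Admin",
     "src": "203.0.113.7", "result": "failure"},
    {"ts": "2022-11-01T09:02:43Z", "service": "rdp", "user": "CORP\\svc-backup-admin",
     "src": "203.0.113.7", "result": "success"},
    {"ts": "2022-11-01T09:03:10Z", "service": "smb", "user": "CORP\\svc-backup-admin",
     "src": "203.0.113.7", "result": "success"},
    {"ts": "2022-11-01T09:10:00Z", "service": "ssh", "user": "bob",
     "src": "198.51.100.21", "result": "failure"},
]


def normalize_user(raw):
    """Reduce 'CORP\\user', 'user@corp.example' and mixed case to a bare lowercase name.

    Without this, a honey account spelled one way in the watch list and
    another way by the authenticating service would slip past the tripwire.
    """
    name = raw.rsplit("\\", 1)[-1]   # strip DOMAIN\ prefix if present
    name = name.split("@", 1)[0]     # strip @domain suffix if present
    return name.strip().lower()


def honey_account_hits(events, honey=HONEY_ACCOUNTS):
    """Return one alert per authentication attempt against a honey account.

    Any attempt at all is suspicious, since nobody should know the account
    exists; a successful logon means the credentials were obtained somehow
    and is rated critical.
    """
    alerts = []
    for ev in events:
        user = normalize_user(ev["user"])
        if user in honey:
            alerts.append({
                "severity": "critical" if ev["result"] == "success" else "high",
                "user": user,
                "src": ev["src"],
                "service": ev["service"],
                "ts": ev["ts"],
            })
    return alerts


def related_activity(events, sources):
    """Pivot: everything the alerting sources did, for scoping the intrusion."""
    return [ev for ev in events if ev["src"] in sources]


if __name__ == "__main__":
    hits = honey_account_hits(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    for ev in related_activity(SAMPLE_EVENTS, {h["src"] for h in hits}):
        print("related:", ev)
```

On the constructed events, both RDP attempts against the honey account from 203.0.113.7 fire (the second as critical), and the pivot surfaces the later SMB logon from the same source, which is the kind of follow-on activity that would otherwise stay buried in the logs.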

Ultimately, however, detecting IABs as early as possible is all about 24/7 monitoring of your network and proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs).

Segura: “The real difficult work, which nobody likes to do, is looking at logs. Because if there is a breach of your network, it will be logged somewhere. You may not know where, but it will be logged somewhere. And that’s why continuous monitoring of your network is so important.”

For organizations that don't have a Security Operations Center (SOC) staffed 24/7 by a team of seasoned experts, finding and weeding out threats like IABs may be next to impossible. To cover that gap, managed detection and response (MDR) can help you handle the deep analysis, triage, and response required to stop intruders from turning network access into a successful ransomware attack.
