
Initial Access Brokers: Why every breach matters

Paul Ducklin
08/15/2024

Different cybercrime groups have different interests, and different aims.

Some of them don’t probe your network or trick your users in the hope of initiating a huge campaign of intellectual property theft, or of unleashing a giant ransomware attack.

Some of them just want to find out how they could carry out those attacks if they wanted to, and then to sell that information on to cybercriminals who do.

Some cybercriminals take years to show their hand

Last week, we looked at supply chain attacks to understand just how much devious dedication some cybercrooks put into their criminality.

We revisited the astonishing story of Jia Tan, the nickname of an inscrutable attacker who spent at least a year up front ingratiating themselves with the open source community in the general field of file archiving and compression – miles away, you might think, from remote access, cryptography and network security.

But Jia Tan’s apparent dedication to data compression was a cunningly disguised, long-term effort to compromise the security-conscious OpenSSH remote access toolkit on Debian-style Linux servers.

Debian is a large and generally well-managed community Linux distro, which uses its own modified variant of OpenSSH, which uses a mainstream system management toolkit called systemd, which uses a tiny project called XZ Utils for data compression.

Deliberately and directly injecting a remote access backdoor into the official source code of the OpenSSH project itself, or into Debian’s variant of it, or into the widely-used systemd tools, would probably be very difficult, because you’d need to trick every single sceptical expert in those open-source communities into believing that your weird and suspicious changes were in everyone’s interest.

Jia Tan therefore decided that helping out in the archiving and compression community for a year or so to create a track record of apparent helpfulness, followed by months of apparently selfless ‘dedication’ to the understaffed yet widely-used XZ Utils project, would be a much easier way to slither into the supply chain.

The OpenSSH code remained untainted, as did the systemd code.

Instead, Jia Tan compromised the unassuming XZ Utils decompression code tucked in at the bottom of the pile, not to booby-trap the decompression process, which still worked just fine, but to booby-trap OpenSSH’s own remote login process indirectly.

That login process was turned into what’s known in the jargon as an unauthenticated remote code execution backdoor, which means just what it says, and is at least as terrifying as it sounds.

Two cautious years, effectively undercover, for one exploitable hole, though what a hole it was!

Fortunately, Jia Tan’s treachery was thwarted before any real harm was done, because a security-conscious Microsoft software engineer called Andres Freund stumbled across the rogue code and sounded the alarm before most Linux servers had received the poisoned update.

Some cybercriminals prefer to act with haste

Sadly, if that is the right word, not all cyberattacks require so much long-term planning and such careful ‘sleeper agent’ duplicity.

Some cybercriminal gangs seem to arrive, apparently from nowhere, in network after network, working their way into a position from which they can attack every single computer (or as many as they can find and access without getting spotted) at the same time.

Often, these criminals are part of a ransomware gang, and their aim is to create so much operational disruption by stealing and scrambling critical data that they can demand enormous blackmail payments for what they smugly refer to as “post-paid penetration testing services.”

As you probably know, many ransomware groups these days use what the legitimate business world would probably call a franchise or affiliate model.

A small core group of criminals creates and hands out new malware samples for each attack, handles the decryption keys that victims are blackmailed into buying, and keeps track of the pseudonymous cryptocurrency payments made by desperate victims.

Their affiliates, recruited on underground cybercrime forums, do the actual network attacks, the data stealing, and the file scrambling that leaves their victims staring down the barrel of a blackmail demand.

By keeping tight control over the decryption keys, these core crooks prevent their ‘affiliates’ from simply doing deals with their victims directly and running off with the money. (The core crooks typically take 30% of everything paid in, or at least of everything they say was paid in.)

The front-line attackers therefore don’t need to be cybersecurity specialists, elite programmers, malware researchers, or exploit developers.

The core crooks provide the malware samples, so they don’t need, and aren’t looking for, programming expertise or reverse engineering skills in their ‘franchisees’.

What the core crooks want is to attract partners-in-crime who are willing and able to go for network-wide attacks every time: affiliates know that the fewer computers on a network they miss in their attacks, the harder it is for the victims to recover on their own.

Affiliates who know how to track down backups and ruin them; how to use virtual machine (VM) consoles to get into every running guest VM on every server and scramble them all; how to figure out cultural niceties such as the naming conventions for accounts, computers and filenames so they can fit in quickly and unobtrusively; how to build a network map as good as or better than you have yourself; and how to make subtle but critical modifications to your chosen system-wide cybersecurity settings…

…they’re the sort of people whom the core ransomware criminals want to attract.

Regular and frequent: how to make millions

History suggests that some affiliates do spectacularly well out of their sysadmin skills (unless and until they get caught) by joining multiple ransomware gangs at the same time, and pulling off attack after attack for each one.

In 2022, for example, a Canadian government IT employee turned cybercriminal by the name of Sébastien Vachon-Desjardins was convicted in the US for his role in hundreds of ransomware attacks, including single-handedly carrying out an estimated one-third of the attacks associated with the infamous Netwalker cybercrime group.

Netwalker notoriously targeted organisations such as hospitals and schools; is said to have gone after more than 400 victims in more than 30 countries; and apparently raked in at least $40,000,000 in blackmail payoffs.

Vachon-Desjardins pleaded guilty and was given a 20-year prison sentence, with the judge apparently telling him that he would have received a life sentence were it not for his guilty plea, given the wide and devastating impact of his self-serving criminality.

In a previous case brought against him in Canada, he had already received a seven-year sentence for ransomware attacks against 17 different Canadian companies.

The Canadians almost immediately released him from prison, but only so he could be extradited to the US; on being deported after finishing his 20 years, he will return to prison in Canada to see out his seven-year stretch.

When caught in Canada, Vachon-Desjardins was found to have $28 million in Bitcoin and $500,000 in cash, all of which he agreed to forfeit as part of pleading guilty.

Buy, don’t build

If Vachon-Desjardins indeed carried out 33% of Netwalker’s estimated 400 attacks himself, apparently over a period of less than a year (the first attack documented in his US trial took place at the end of April 2020; he was arrested in Quebec, Canada, when his ill-gotten gains were seized, in January 2021), then he managed to ransom more than 130 networks in that time, or approximately one every two days.

Cybercriminals such as Vachon-Desjardins who have decided that their ‘career ambition’ is to take over other people’s networks, stealing and scrambling data as a way to extort money, therefore generally don’t have enough time, even if they have the expertise, to do the reconnaissance or the exploit development needed to figure out a reliable way in to start with.

Instead, they can buy, rather than build, what they need, by finding a willing seller on the dark web whose penchant is acquiring and dealing in information on how to get into other people’s digital lives.

These criminals are known in the jargon as Initial Access Brokers, or IABs for short, an unfortunate name that makes their activities sound like a legitimate career choice. More bluntly, they are simply cybercrooks who enable other crooks to break and enter in the first place.

The information IABs sell typically includes a wide range of ready-to-use attack enablers: passwords for online accounts containing corporate data; access to remote login portals such as VPNs; details of exploitable online devices that haven’t yet been patched; outdated or incorrectly configured systems that were supposed to have been shut down and retired but never were; and more.

Many different ways to find a way in

There are many different sources that criminals can use to winkle out these attack enablers, including:

  • Keylogging malware. Generally speaking, software on your own computer can easily keep track of what you type. Legitimate tools of this sort, of course, can be very useful. For example, keyboard utilities can improve accessibility for people with limited mobility, and password managers can magically type in strong passwords for you at the right moment. Unfortunately, rogue keyloggers can just as easily extract likely passwords and send them to the crooks who distributed the malware in the first place.
  • Bots and zombies. Remote access malware, often known as bots (short for software robots) and zombies (because they can be remotely awakened to run unauthorised commands), almost always includes a ‘feature’ that allows crooks outside your network to instruct an infected computer to download yet more malware and run it. So-called botherders often follow a ‘pay-to-install’ model whereby crooks such as ransomware affiliates can stump up a fee to have malware or other attack tools of their choice injected directly into someone else’s network.
  • Phishing scams. These are often extremely simple to carry out, yet still surprisingly effective. Phishers typically spam millions or tens of millions of recipients with links to fake login pages, often automatically cloned from the site they are impersonating to make them visually convincing. Users who don’t notice the subterfuge therefore risk handing their access credentials directly to the crooks instead of to the site they think they’re logging into.
  • Vulnerability scans. When security patches come out, meaning that vendors have fixed bugs that either are or might be exploitable, the security holes involved are therefore unavoidably announced to everyone, including the cybercrime underground. Unfortunately, criminals can often use public information, including analysis and proof-of-concept code published by legitimate security companies, not only to develop exploits of their own for actual break-ins, but also to probe computers all across the internet to create a surprisingly accurate directory of vulnerable systems, either for their own use or to sell on.
  • Network trawling. Modern search engines don’t just build indexes that help users find likely or popular search terms, but also provide cross-references even for words or text strings that occur just once on the internet. Carefully chosen search terms may therefore uncover private databases that have inadvertently been backed up into the cloud but not locked down. This sort of ‘lost in plain sight’ data leak potentially leaves millions of related items ready to be downloaded by anyone who can figure out a giveaway search term to zoom in on the unsecured data in the first place.
  • Insider corruption. Insider threats in which staff are approached and paid by criminals to reveal passwords or to make unauthorised changes to system configurations are thankfully quite rare, but not unknown. In 2021, for example, Muhammad Fahd, who had been extradited from Hong Kong to stand trial in the US, was sentenced to 12 years in prison for a long-running scam in which he and an accomplice (who apparently died before he could be prosecuted) paid out hundreds of thousands of dollars in cash bribes to AT&T insiders in the US both to implant malware on AT&T’s network and to access AT&T systems to unlock phones without authorisation.
  • Data breaches. Ironically, many ransomware gangs these days steal huge amounts of their victims’ data before unleashing the file-scrambling part of each attack, in order to give themselves additional blackmail leverage. If you pay up, the criminals promise not only to send you the decryption keys you need to get your business up and running again, but also to delete the stolen data instead of passing it on. Victims who don’t pay up often have this stolen data either sold ‘at auction’, or deliberately dumped publicly so that scavengers can hunt through it for information including access codes for breaking in.

What to do?

Cyberattacks aren’t always immediately preceded by hostile surveillance activity aimed at finding a way in.

Similarly, signs of hostile surveillance may apparently peter out and not immediately be followed by a related attack, because the criminal groups involved in each of these stages may be completely different.

Initial Access Brokers typically acquire ‘how to get in’ information from one set of sources, either through their own work or by buying it in themselves, and then negotiate to sell some or all of that information on to attackers who are willing to pay for what amounts to access-on-demand to victims of their choosing.

As you can imagine, this not only makes attacks quicker and easier even for non-technical cybercriminals to initiate, but also serves to decouple the various stages of the attack, thus making them harder to detect in advance or to investigate and unravel after the fact.

Here are some tips to defend yourself:

  • Patch early, patch often. Don’t be caught off guard by attacks you could have prevented by patching promptly.
  • Invest in building a cybersecurity culture. Don’t rely on AI and automation alone, because this won’t build any resilience against the human issues involved in many attacks, such as phishing mistakes, data-sharing blunders, and social engineering in which criminals are able to coerce or persuade staff to do the wrong thing while they are already logged in.
  • Keep on top of your endpoint security reports. If you can’t identify security problems when they first appear, you can’t make sure that they haven’t opened you up to follow-on attacks at some unpredictable time in the future.
  • Remember that every breach matters, no matter how minor. Data that was stolen today may have been acquired by attackers whose entire goal was to sell it on to crooks in a different part of the cybercrime ecosystem, rather than to exploit it immediately for themselves.
  • Don’t be afraid to ask for help. Staying on top of cybersecurity incidents as they occur is hard enough on its own, even before you work on improving your internal security culture.

Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image by @moneyphotos via Unsplash.
