The term "Access-as-a-service" (AaaS) refers to a new business model in the underground world of cybercrime in which threat actors sell one-time methods to gain access to networks to infiltrate networks for as little as one dollar.
One group of criminals, which are known as access brokers, initial access brokers, and initial access traders (IABs), are stealing credentials of enterprise users and selling them to other groups of attackers. There are also encryption tools that can be used by these buyers to secretly exfiltrate your personal information from the target organization using malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS).
Cybercrime-as-a-service (CaaS) is a growing trend that is increasingly being used as a platform for committing crimes.
A significant portion of the evolution of ransomware attacks over the last decade has taken place at both the technological level and organizational level as threat actors have attempted to expand the scope and profitability of their operations.
A pivotal factor behind the widespread increase in the frequency and complexity of ransomware attacks can be attributed to the provision of ransomware as a service (RaaS). RaaS, which operates much like SaaS, and involves the creation of ransomware capabilities and selling or leasing them to buyers, has lowered the barrier to entry for the extortion business and provided a simpler and more accessible model.
There are now a number of operators working together in unison to orchestrate the attacks in order to achieve the goal, including Users, Affiliates, and Initial Access Brokers, who act as a cohesive team.
According to the recent report, "Rise of Initial Access Brokers", these intermediaries, which are the first to get access to cyberattack victims, are playing a key role at the top of the kill-chain funnel of cyberattacks.
An independent analysis bureau (IAB) can be defined as a de facto intermediary whose business model is exactly what their name suggests: they breach the networks of as many companies as they are able to. Upon accessing victims, they then sell to the highest bidders at the highest prices. There is a tendency for ransomware groups to buy the ransomware from the buyers.
A growing number of independent advisory boards have been formed recently mainly as a result of the pandemic and the ensuing migration to work from home. As a result of workers log in remotely and connecting to untrustworthy Wi-Fi networks, untrustworthy Wi-Fi networks can be exploited to allow attackers to gain access to systems.
There is a growing trend among cybercriminals of scanning at scale for vulnerabilities that will allow them to access remote systems, such as virtual private networks (VPNs) and selling this access to their victims.
Once the details of a vulnerability are made public, the Information Assurance Business deploys info stealers to gather keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard material from the compromised device as soon as the details are made public.
As soon as an information stealer is installed in an organization or system, a remote access Trojan (RAT) will begin to collect raw log files to log information.
As a result, these logs are manually reviewed to identify usernames and passwords that may be used to sell or monetize identities on the Dark Web. This means that IABs are seeking login credentials to access virtual private networks (VPNs), remote desktop protocols (RDPs), Web applications, and email servers that will aid in the recruitment of spear phishing scammers and potential business email compromise schemes.
Occasionally, some brokers have direct contact with system administrators or end users who may be willing to sell access to their systems directly through them.
Threat groups have been advertising (on the Dark Web) in recent months for administrators and end users who are willing to share their credentials with them in exchange for large amounts of cryptocurrency in exchange for sharing credentials for a few minutes.
Threat groups have contacted employees from specific organizations to obtain access to their systems in exchange for larger payments.
It is safe to say that initial access brokers have taken the spotlight in the past year because they have demonstrated a significant ability to facilitate network intrusions by ransomware affiliates and operators, and they have been very successful at it. As the cybercrime underground ecosystem becomes more active and popular, these initial access brokers ("IABs") will continue to gain popularity as the cybercrime underground ecosystem grows.
A Guide to Defending Against Access Brokers
Users should identify their attack surface and develop a plan to address it, to close security gaps, security teams must gain an outside-in perspective on their entire enterprise attack surface. Empower user security teams to map their assets, visualize attack paths, and define plans to address them so that they can close the gaps.
Identity protection should be considered a priority, today, plenty of malware-free attacks, social engineering, and similar attempts have been made to steal and use credentials, making it crucial that strong identity protection is implemented.
Employees need to be taught about social media, not just how to use it.
Avoid announcing department closures or IT service changes on social media, and remind them to refrain from sharing private information on social media. Users should train their staff not to share credentials over support calls, emails, or support tickets.
Finally, users should avoid publishing executive or IT contact information on their company's website — it might facilitate impersonation attempts on their behalf.
To protect the cloud, a strong cloud protection strategy is required. There have been increasing attacks on cloud infrastructure and attackers have been employing a variety of tactics, techniques, and procedures to compromise cloud-based data and applications that are critical to businesses.
The role of IABs in the realm of RaaS (Ransomware-as-a-Service) is continuously evolving. By understanding and keeping up with their shifting tactics, methods, and trends, organizations can better prepare themselves to effectively mitigate the risk and impact of ransomware attacks. As IABs continually remodel and refine their strategies, it becomes increasingly crucial for organizations to adopt and implement robust security measures.
Strengthening the security of the supply chain, implementing multi-factor authentication across all systems and platforms, deploying advanced threat-hunting solutions to proactively detect and prevent attacks, and conducting regular and comprehensive training sessions for employees are key steps that organizations should take to effectively mitigate the growing threat posed by IABs.