Trend Micro Study: Thriving Access-as-a-Service Cybercrime Market Drives Ransomware Attacks. Germany is one of the hardest hit countries.
Trend Micro, one of the world's leading providers of cybersecurity solutions, has published a new study shedding light on the opaque cybercrime supply chain that is driving the current rise in ransomware attacks. Demand has grown rapidly over the past two years, to the point that many cybercriminal markets now have their own "Access-as-a-Service" division.
Many new cybercriminal markets with “Access-as-a-Service”
The study is based on the analysis of more than 900 access broker listings posted from January through August 2021 in various English- and Russian-language cybercrime forums.
With 36 percent of advertisements worldwide, education is the industry most affected. That is more than three times the number of offers for the second and third most common target industries: manufacturing and the service sector each account for 11 percent. The hardest hit countries include the United States, Spain, Germany, France and the United Kingdom. In Germany, the manufacturing industry is most affected with 28 percent of the offers, closely followed by education with 26 percent.
Incident response teams need to investigate attack chains
"The attention of the media and companies has so far been focused primarily on the ransomware payload, i.e. the transmission and encryption of the actual user data, although the main focus should first be on curbing the activities of initial access brokers (IAB)," emphasizes Richard Werner, Business Consultant at Trend Micro. “Incident response teams often need to examine two or more overlapping chains of attacks to identify the cause of a ransomware attack. This often complicates the entire incident response process. If it is possible to monitor the activities of access brokers who steal and sell company network access, the ransomware actors can be deprived of the breeding ground. For this, everyone involved in IT security must work together, because many, even large companies, are not able to do this on their own. "
The report shows three main types of access brokers
- Opportunistic sellers who focus on quick profit and are still active in other areas of cybercrime.
- Dedicated brokers are advanced and accomplished hackers who provide access to a wide variety of companies. Their services are often used by smaller ransomware actors and groups.
- Online stores that offer Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access data. These specialized shops only guarantee access to a single computer, not to a comprehensive network or entire company. However, they do give less experienced cybercriminals a simple and automated way of gaining access. Buyers can even search specifically by location, Internet Service Provider (ISP), operating system, port number, administrator rights or company name.
Most access broker offers contain a simple data set of access information, which can come from various sources. Common sources of data are previous security incidents and cracked password hashes, compromised bot computers, exploited vulnerabilities in VPN gateways or web servers, and individual opportunistic attacks.
Low prices for stolen RDP accounts
Prices vary depending on the type of access (an individual computer, or an entire network or company), the annual turnover of the company and the amount of additional work to be performed by the buyer. While RDP access can be purchased for ten dollars, the price for administrator access data to a company is on average 8,500 dollars. For particularly attractive victims, prices can go up to $100,000.
Trend Micro recommends the following security strategies for defense:
- Monitor publicly known security incidents.
- Reset all user passwords if there is any suspicion that corporate credentials may be compromised.
- Use multi-factor authentication (MFA).
- Look for anomalies in user behavior.
- Pay attention to your Demilitarized Zone (DMZ) and take into account that internet-based services such as VPN, webmail and web servers are subject to constant attacks.
- Implement network and microsegmentation.
- Implement proven password guidelines.
- Proceed according to the zero trust principle.
For more information: The full "Investigating the Emerging Access-as-a-Service Market" report is available in English on the Trend Micro website.
About Trend Micro
As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.