Cybercrime is an economy, and as with every economy, there are brokers. Initial access brokers (IABs) are a key piece of the criminal market: they specialize in selling access to compromised systems to other criminals. IABs make many attacks and data breaches possible by selling that access to other criminals, many of whom lack the skills to obtain it themselves. How can you stop them from selling your data?
How Flare Monitors Initial Access Brokers
How can Flare use threat intelligence to monitor IABs?
Flare automates the process of scanning for external threat exposures. Detecting exposures sooner gives security teams more time to mitigate them before a buyer acts on the access.
Why use Flare to monitor initial access brokers?
A key piece of defending against access brokers is knowing whether they are actually selling your information. By scanning the places where criminals gather to buy and sell illicit data (such as the dark web and prominent threat actor communities), Flare provides your organization with insights about the transactions that are taking place. As soon as your information appears where it shouldn’t be, Flare will notify your team.
What do you get with Flare’s solution?
- Automated continuous monitoring: By using an automated solution you get 24/7 coverage of your threat exposures, so you will know as soon as there’s a threat.
- Relevant notifications: Flare cuts through the noise, sending you alerts when it detects your organization’s name, employees’ names, domains, IP addresses, or any other key data.
- Proactive cybersecurity: By scanning for potential threats, you can catch breaches early and take steps to protect your data, systems, and networks from would-be attackers.
Flare has conducted research on IAB posts in the Russian hacking forum Exploit, where we observed malicious actors selling access to companies across dozens of industries including defense, energy, manufacturing, and telecommunications.
Keep reading about IABs below, or check out our report on IABs: Initial Access Brokers, Russian Hacking Forums, and the Underground Corporate Access Economy.
Initial Access Brokers: An Overview
What are initial access brokers?
Initial access brokers (IABs) are cybercriminals who specialize in obtaining and selling access to compromised networks, systems, or accounts. An IAB may gain the access personally or resell access obtained by others; either way, like any broker, the IAB acts as an intermediary between whoever gained access to a target and those who wish to exploit that access by deploying ransomware, stealing data, or conducting further network exploitation. By bringing buyers and sellers together, they have become a linchpin of the cybercrime economy.
Where do IABs sell information?
Initial access brokers operate primarily in the shadows of the internet, using various platforms and methods to conduct their activities. Here are some of the key environments and platforms they use:
- Dark web marketplaces: IABs frequently use dark web marketplaces to advertise and sell access to compromised systems. These marketplaces provide a level of anonymity and security, making them ideal for illegal transactions.
- Underground forums: Cybercriminal forums, often accessible only by invitation or through specific networks, are common places where IABs offer their services. These forums can range from general cybercrime discussions to specialized groups.
- Messaging apps: Platforms like Telegram, Signal, and Discord are often used by IABs for communication and transactions. Their appeal is less the cryptography (Telegram group chats and Discord are not end-to-end encrypted) than the reach, disposable accounts, and closed channels they offer, which make it harder for law enforcement and defenders to track activity.
How do IABs get access to your networks?
IABs focus on gaining unauthorized access to networks by using various techniques, including:
- Phishing emails
- Brute-force attacks
- Password spraying
- Social engineering
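Of the four techniques listed, brute force and password spraying leave the clearest trail in authentication logs, and the two look different: brute force hammers one account with many passwords, while spraying tries one or two passwords against many accounts from the same source, staying under per-account lockout thresholds. The detector below, an added example and not Flare's code, keys on the source address and counts distinct target accounts in a sliding window. The syslog-like line format, the sample log lines, and the thresholds are all constructed for illustration.

```python
"""Password-spraying detector run over constructed authentication log lines.

Added example, not Flare's code. The log line format, thresholds, and sample
data are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<iso-timestamp> auth: FAILED|SUCCESS user=<name> src=<ipv4>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse(lines):
    """Parse matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spraying(lines, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {src: {"users": [...], "successes": [...]}} for every source that
    failed logons against at least `min_users` distinct accounts inside `window`
    while never trying one account more than `max_per_user` times. Many
    accounts with few attempts each is the signature of spraying; one account
    with many attempts is brute force and is deliberately not flagged here.
    `successes` lists accounts that later authenticated from the same source,
    i.e. the credentials an IAB would be able to resell."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAILED"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})
                findings[src] = {"users": sorted(per_user), "successes": successes}
                break
    return findings


# Constructed sample: one spray from 203.0.113.7, one brute force from
# 198.51.100.9, one legitimate typo from 192.0.2.10, and a "low and slow"
# spray from 203.0.113.50 spaced an hour apart.
SAMPLE_LOGS = [
    "2024-03-04T09:00:01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T09:00:03 auth: FAILED user=bob src=203.0.113.7",
    "2024-03-04T09:00:05 auth: FAILED user=carol src=203.0.113.7",
    "2024-03-04T09:00:07 auth: FAILED user=dave src=203.0.113.7",
    "2024-03-04T09:00:09 auth: FAILED user=erin src=203.0.113.7",
    "2024-03-04T09:00:11 auth: SUCCESS user=frank src=203.0.113.7",
] + [
    f"2024-03-04T09:10:{i:02d} auth: FAILED user=admin src=198.51.100.9" for i in range(8)
] + [
    "2024-03-04T09:20:00 auth: FAILED user=alice src=192.0.2.10",
    "2024-03-04T09:20:05 auth: SUCCESS user=alice src=192.0.2.10",
] + [
    f"2024-03-04T{10 + i:02d}:00:00 auth: FAILED user={u} src=203.0.113.50"
    for i, u in enumerate(["gail", "hank", "ivy", "jack", "kim", "liam"])
]

if __name__ == "__main__":
    for src, f in detect_spraying(SAMPLE_LOGS).items():
        print(f"{src}: sprayed {len(f['users'])} accounts, succeeded on {f['successes']}")
    # the slow spray only shows up once the window is widened
    print(sorted(detect_spraying(SAMPLE_LOGS, window=timedelta(hours=8))))
```

The window and thresholds are the tuning knobs: a spray spaced an hour apart is invisible at a 30-minute window and only surfaces when the window is widened, which is why spraying detection belongs in a SIEM with hours of history rather than in a per-request rate limiter.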
Why are IABs a threat to your business?
IABs are dangerous for many reasons — they enable espionage, fraud, and disruption of business operations. However, one of the biggest threats of access brokers is their role in enabling ransomware attacks. By selling access to networks, they provide ransomware operators with the initial foothold they need to deploy their malware, potentially leading to significant financial losses, operational disruptions, and reputational damage.
Why should you be concerned about initial access brokers now?
Why is it important to understand IABs in today’s cybersecurity landscape?
Reporting by Flare shows that IABs are increasingly targeting entities within NATO member states, underscoring brokers’ extensive reach and the consistent potential threat they pose to national security and economic stability. While IABs are targeting a range of industries, there’s a clear trend of IABs targeting critical infrastructure as well as state-related industries, like the U.S. defense sector.
How have initial access brokers changed cybercrime?
IABs lower the barrier to entry for many types of cybercrime, making it easier for a wider range of threat actors to engage in malicious activities. This expands the overall threat landscape and complicates cybersecurity defenses. IABs also set prices, work directly with ransomware gangs, and are otherwise able to influence the criminal market.
IABs and the Ransomware-as-a-Service (RaaS) Ecosystem
How can IABs make money outside of directly attacking companies?
IABs are not a new type of threat actor, but they are becoming more sought after among the threat actor underground community. As organizations accelerated their cloud strategies, initial network access became increasingly important to malicious actors. Since IABs have a specialized skill set, they can make more money selling credentials to other threat actors than they would make if they perpetrated their own attacks.
The RaaS Model
The RaaS model mimics the Software-as-a-Service model: malicious actors sell or rent ransomware packages and the associated infrastructure to other cybercriminals, with two primary roles:
- Operator: creates and sells the malicious code, campaign infrastructure, and services
- Affiliate: purchases the ransomware and deploys the attack
By selling the ransomware (commonly in exchange for a share of each ransom paid), the operators make more money than if they deployed it themselves. Meanwhile, it allows less technically experienced cybercriminals to deploy attacks.
IABs: Critical to RaaS
To exfiltrate data as part of a double extortion ransomware attack, malicious actors first need unauthorized access to the victim’s network. Ransomware operators purchase that initial access from IABs for several reasons, including the ability to:
- Provide affiliates with a comprehensive product that includes the access and the malware
- Focus on updating the malicious code to evade signature-based security tools
- Scale their criminal business operations to generate more revenue
RaaS Operators: Critical to IABs
IABs also benefit from these symbiotic relationships. IABs often start by advertising and selling the credentials or access they have obtained on the dark web. However, as they gain a reputation within the community, they often begin working with a single RaaS operator, essentially receiving a retainer for working exclusively with that group. This relationship protects the IABs by limiting their communications across the broader cybercrime ecosystem, ultimately hiding them from law enforcement and from security teams monitoring the dark web.
How can you defend against access brokers?
- Monitor IAB forums: IABs understandably don’t want their victims to learn that their data is for sale. For this reason, their posts in forums are anonymized. However, it’s still worth monitoring IAB forums; the combination of geography, revenue, industry, and type of access may be enough information to give some organizations advance notice that they have potentially been compromised. Flare recommends monitoring Exploit, XSS, and other IAB forums to receive advance notice that access to your environment may be for sale.
- Monitor stealer logs: Many threat actors distribute stealer logs across forums and Telegram channels. Stealer logs are a likely source of initial access for IABs, who may sift through enormous numbers of logs to find those with RDP, VPN, and other forms of corporate access that can be established, expanded, and resold. If your own domains show up in circulating logs, assume the credentials are already in a broker’s hands and reset them.
- Implement endpoint detection and response (EDR): EDR is the most likely way to detect an IAB’s activity inside your environment, since establishing and expanding a foothold (credential dumping, new remote-access tooling, persistence) leaves traces on endpoints that forum monitoring cannot see.
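The first two bullets can be turned into two concrete checks: scoring an anonymized forum listing against your own profile (geography, industry, revenue, access type), and sifting stealer-log entries for credentials that point at your domains or remote-access portals. The code below is an added example, not Flare's code; the listing fields, the stealer-log line format, the organization profile and every credential in it are constructed for illustration. Real forum posts are free text and real stealer logs come in many layouts, so a production parser has to be adapted per source.

```python
"""Matching anonymized IAB listings and triaging stealer logs against an
organization profile. Added example, not Flare's code; all data constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgProfile:
    country: str
    industry: str
    revenue_usd: int
    domains: frozenset      # domains you own
    access_types: frozenset  # remote access you actually expose (VPN, RDP, ...)


def listing_match_score(listing, org, revenue_tolerance=0.5):
    """Score an anonymized IAB listing (dict with country, industry,
    revenue_usd, access) against the org profile. Returns (score, reasons).
    Listings almost never name the victim, so a high score means
    'could be us', a prompt to hunt, not confirmation of compromise."""
    score, reasons = 0, []
    if listing.get("country", "").upper() == org.country.upper():
        score += 1; reasons.append("country")
    if listing.get("industry", "").lower() == org.industry.lower():
        score += 1; reasons.append("industry")
    rev = listing.get("revenue_usd")
    if rev and abs(rev - org.revenue_usd) <= revenue_tolerance * org.revenue_usd:
        score += 1; reasons.append("revenue")
    access = {a.lower() for a in listing.get("access", [])}
    if access & {a.lower() for a in org.access_types}:
        score += 1; reasons.append("access_type")
    return score, reasons


# Assumed stealer-log layout: "URL: <url> USER: <login> PASS: <password>"
STEALER_LINE = re.compile(r"^URL:\s*(?P<url>\S+)\s+USER:\s*(?P<user>\S+)\s+PASS:\s*(?P<pw>\S+)$")
# Hostname fragments that suggest a remote-access or identity portal
CORPORATE_ACCESS_HINTS = ("vpn", "rdp", "remote", "citrix", "sso", "okta", "adfs")


def triage_stealer_log(lines, org):
    """Return the entries an IAB would pull out of a stealer log: credentials
    for hosts under the org's own domains, or corporate logins (user@owndomain)
    saved against a third-party remote-access/identity portal."""
    hits = []
    for line in lines:
        m = STEALER_LINE.match(line.strip())
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].lower()
        user = m["user"].lower()
        own_domain = any(host == d or host.endswith("." + d) for d in org.domains)
        own_user = any(user.endswith("@" + d) for d in org.domains)
        portal = any(h in host for h in CORPORATE_ACCESS_HINTS)
        if own_domain or (own_user and portal):
            hits.append({
                "host": host,
                "user": m["user"],
                "reason": "own_domain" if own_domain else "corporate_user_on_portal",
            })
    return hits


# Constructed organization profile and sample data
ORG = OrgProfile(country="US", industry="manufacturing", revenue_usd=400_000_000,
                 domains=frozenset({"example.com"}), access_types=frozenset({"VPN", "RDP"}))

LISTINGS = [
    {"country": "US", "industry": "Manufacturing", "revenue_usd": 350_000_000,
     "access": ["VPN", "Domain user"]},
    {"country": "DE", "industry": "Energy", "revenue_usd": 2_000_000_000, "access": ["RDP"]},
]

STEALER_LOG = [
    "URL: https://vpn.example.com/remote/login USER: jdoe@example.com PASS: Winter2024!",
    "URL: https://www.streaming-site.example.net/login USER: jdoe@gmail.com PASS: hunter2",
    "URL: https://remote.cloud-gateway.example.net/ USER: jdoe@example.com PASS: Winter2024!",
    "URL: https://shop.example.org/cart USER: jdoe@example.org PASS: cartpass",
    "URL: https://intranet.example.com/ USER: jdoe PASS: localpass",
]

if __name__ == "__main__":
    for l in LISTINGS:
        print(listing_match_score(l, ORG), l)
    for hit in triage_stealer_log(STEALER_LOG, ORG):
        print(hit)
```

The second and fourth stealer-log lines are deliberately near misses (a personal account, and a look-alike domain you do not own); the third is the case that simple domain matching misses, a corporate login saved against someone else's remote-access portal, which is exactly the kind of entry a broker resells.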
Initial Access Brokers and Flare
Flare provides the leading Threat Exposure Management (TEM) solution for organizations. Our technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Protect your intellectual property from IABs by using Flare’s automated platform to scan for stolen data as well as mentions of your assets or organization.
Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for high-risk exposure. See it yourself with our free trial.