Ransomware Gangs Turn to Outsourcers for Network Access
Accenture: Network Access Sellers Change Their Tactics
Those selling "network access" on underground forums are adjusting their business models to take advantage of the huge influx of ransomware gangs that are looking for easier and more efficient ways to gain access to their targets, Accenture reports.
For example, some hackers are using zero-day exploits to gain access to vulnerable networks and then selling this access to others, Accenture says. This is a shift from selling the exploits themselves.
In its report, Accenture notes that the threat group Nikolay, also called "Fxmsp," has shifted its strategy to selling network access rather than stolen data (see: Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand).
"The new element is primarily the scale of sale and cooperation between the ransomware gangs and access sellers and the skill level of the access sellers," says Thomas Willkan, senior analyst on Accenture's cyberthreat intelligence reconnaissance team and one of the authors of the report. "Moreover, where the initial ransomware gangs often relied on in-house capabilities, the access sellers have enabled less capable gangs to participate rapidly and more persistently."
The number of darknet forum advertisements offering full access to corporate networks jumped almost 70% during the first quarter of 2020, compared to the previous quarter, Positive Technologies reported in May (see: Hot Offering on Darknet: Access to Corporate Networks).
Advantage for Ransomware Gangs
"Since the start of 2020 and the emergence of the now-popular 'ransomware with data theft and extortion' tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise," the Accenture report notes (see: Ransomware: Cybercrime Public Enemy No. 1).
Accenture says it’s tracking 25 network access sellers that are active on the same dark web forums as several ransomware gangs, including Maze, LockBit, Avaddon, Exorcist, NetWalker and Sodinokibi (see: Eyeing Bigger Targets, Ransomware Gangs Recruit Specialists).
Network access sellers often offer compromised Remote Desktop Protocol connections, according to the report (see: RDP Brute-Force Attacks Rise During COVID-19 Crisis: Report).
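Because compromised RDP credentials are the commodity being sold, the first check a defender can run is for the brute-force pattern that produces them. The following is an added example, not code from Accenture's report or from any source the article cites: a Python detector run over a constructed (not real) batch of Windows Security log events that flags a source IP with at least five failed RDP logons (event 4625, logon type 10) inside a ten-minute window and records whether a successful RDP logon (event 4624, logon type 10) from the same source followed, which is the signature of a credential that has just been guessed and is now ready for resale. The threshold, the window, the field names and the sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs), reduced to the
# fields a SIEM would extract. EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    # 203.0.113.7: password spraying against several accounts, then success
    {"time": "2020-09-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-09-01T02:00:02", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-09-01T02:00:03", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-09-01T02:00:04", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-09-01T02:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-09-01T02:00:06", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-09-01T02:00:30", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    # 198.51.100.22: a legitimate user who mistyped once, then logged in
    {"time": "2020-09-01T08:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.22", "user": "jsmith"},
    {"time": "2020-09-01T08:15:20", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.22", "user": "jsmith"},
    # 192.0.2.55: three slow failures spread over 30 minutes, below threshold
    {"time": "2020-09-01T09:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "svc_sql"},
    {"time": "2020-09-01T09:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "svc_sql"},
    {"time": "2020-09-01T09:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "svc_sql"},
    # A network (type 3) logon from the attacker is ignored by the RDP filter
    {"time": "2020-09-01T09:45:00", "event_id": 4624, "logon_type": 3, "src_ip": "203.0.113.7", "user": "backup"},
]


def parse_time(value):
    """ISO 8601 timestamp (as exported by most log pipelines) to datetime."""
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP with >= `threshold` failed RDP logons inside `window`.

    For a flagged IP, `compromised_user` is set to the account of any successful
    RDP logon that arrives within `window` of the last failure, since a success
    right after a burst of failures is the strongest single indicator that a
    password was guessed rather than typed. Returns a list of finding dicts.
    """
    failures = defaultdict(list)   # src_ip -> failure timestamps inside the window
    findings = {}                  # src_ip -> finding dict, created on first trip
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != 10:
            continue               # only RemoteInteractive (RDP) logons matter here
        t, ip = parse_time(e["time"]), e["src_ip"]
        if e["event_id"] == 4625:
            failures[ip] = [x for x in failures[ip] + [t] if t - x <= window]
            count = len(failures[ip])
            if ip in findings:
                findings[ip]["failures"] = max(findings[ip]["failures"], count)
            elif count >= threshold:
                findings[ip] = {
                    "src_ip": ip,
                    "failures": count,
                    "first_failure": failures[ip][0].isoformat(),
                    "compromised_user": None,
                }
        elif e["event_id"] == 4624:
            last = failures[ip][-1] if failures[ip] else None
            if ip in findings and last is not None and t - last <= window:
                findings[ip]["compromised_user"] = e["user"]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        status = "COMPROMISED (%s)" % f["compromised_user"] if f["compromised_user"] else "brute force only"
        print("%s: %d failures from %s, %s" % (f["src_ip"], f["failures"], f["first_failure"], status))
```

On the constructed sample only 203.0.113.7 trips the rule, and the success as `backup` thirty seconds after the burst is what turns it from "noisy scanner" into "credential to rotate now". A slow spray like 192.0.2.55 stays under a fixed window, which is why this check belongs alongside an exposure review (RDP reachable from the internet at all) rather than in place of one.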
But the network access sellers are also now offering access obtained by exploiting well-known vulnerabilities in Citrix's Application Delivery Controller and Gateway products and in Pulse Secure VPN servers, according to the report. Both families of flaws had patches available well before the report, so an unpatched, internet-facing appliance is the entry point being sold.
Once a vulnerability is used to gain network access, Accenture says, that network access is sold on dark web forums “usually for anywhere between $300 and $10,000, depending on the size and revenue of the victim.”
Meanwhile, threat actors are attempting to turn an Android banking Trojan called Cerberus into a malicious network access tool, Accenture notes.
In September, researchers at Kaspersky found a surge of activity in Russian underground forums after the Cerberus source code leaked (see: Attacks Using Cerberus Banking Trojan Surge).