Selling access wholesale in the C2C market.

Cybersixgill has published a report looking at network access for sale on underground markets:

“There are two broad categories of access-as-a-service for sale on the underground: initial access brokers (IABs), which auction access to companies for hundreds to thousands of dollars, and wholesale access markets (WAMs), which sell access to compromised endpoints for around $10. WAMs are flea markets. The prices are low, the inventory is enormous (they listed access to ~4.3 million endpoints in 2021), and the quality is not guaranteed, as listings could belong to a random individual user or an enterprise endpoint.”

The researchers found that wholesale access markets have played a large role in providing initial access for ransomware attackers:

About a fifth of ransomware attacks are facilitated by initial access markets.

“[W]e sought to understand if any major ransomware attacks may have begun with purchase of access from these markets. To do so, Cybersixgill investigated over 3,600 attacks from ransomware leak sites in 2021 and correlated the victimized companies with resources mentioned in WAM listings prior to the attack. We found that in 19% of the ransomware incidents, access to a system logged in to the organization’s domain had been offered for sale on a WAM within 180 days before the attack. (Note that this figure includes external-facing accounts, such as partners and customers.)

“Taking this a step further, we looked for logins that included enterprise resources, which signify internal systems. Out of the entire data set, in 85 incidents access to an internal machine belonging to the victimized enterprise was sold within 30 days of the attack. While only the forensics teams with access to internal network logs can determine exactly how the adversary entered the system, any of these 85 attacks might have been the point-of-entry for attacks that each netted the hackers millions of dollars.”