Cybercrime as-a-service , Fraud Management & Cybercrime , Ransomware

Ransomware Gangs Turn to Outsourcers for Network Access

Accenture: Network Access Sellers Change Their Tactics
Ransomware Gangs Turn to Outsourcers for Network Access
Post on a dark web forum offering network access (Source: Accenture)

Those selling "network access" on underground forums are adjusting their business models to take advantage of the huge influx of ransomware gangs that are looking for easier and more efficient ways to gain access to their targets, Accenture reports.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

For example, some hackers are using zero-day exploits to gain access to vulnerable networks and then selling this access to others, Accenture says. This is a shift from selling the exploits themselves.

In its report, Accenture notes that the threat group Nikolay, also called "Fxmsp," has shifted its strategy to selling network access rather than stolen data (see: Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand).

"The new element is primarily the scale of sale and cooperation between the ransomware gangs and access sellers and the skill level of the access sellers," says Thomas Willkan, senior analyst on Accenture's cyberthreat intelligence reconnaissance team and one of the authors of the report. "Moreover, where the initial ransomware gangs often relied on in-house capabilities, the access sellers have enabled less capable gangs to participate rapidly and more persistently."

The number of darknet forum advertisements offering full access to corporate networks jumped almost 70% during the first quarter of 2020, compared to the previous quarter, Positive Technologies reported in May (see: Hot Offering on Darknet: Access to Corporate Networks).

Advantage for Ransomware Gangs

"Since the start of 2020 and the emergence of the now-popular 'ransomware with data theft and extortion' tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise," the Accenture report notes (see: Ransomware: Cybercrime Public Enemy No. 1).

Accenture says it’s tracking 25 network access sellers that are active on the same dark web forums as several ransomware gangs, including Maze, LockBit, Avaddon, Exorcist, NetWalker and Sodinokibi (see: Eyeing Bigger Targets, Ransomware Gangs Recruit Specialists).

Network access sellers often offer compromised Remote Desktop Protocol connections, according to the report (see: RDP Brute-Force Attacks Rise During COVID-19 Crisis: Report).

But the network access sellers are also now offering access to networks by capitalizing on well-known vulnerabilities in Citrix’s Application Deliver Controller and Gateway products as well as Pulse Secure VPN servers, according to the report.

Once a vulnerability is used to gain network access, Accenture says, that network access is sold on dark web forums “usually for anywhere between $300 and $10,000, depending on the size and revenue of the victim.”

Leveraging Cerberus

Meanwhile, threat actors are attempting to turn an Android banking Trojan called Cerberus into a malicious network access tool, Accenture notes.

In September, researchers at Kaspersky found a surge of activity in Russian underground forums after the Cerberus source code leaked (see: Attacks Using Cerberus Banking Trojan Surge).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.