Positive Technologies experts have analysed illegal marketplaces on the dark web and found a flood of interest in accessing corporate networks. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely. “Access for sale” on the darkweb is a generic term, referring to software, exploits, credentials, or anything else that allows illicitly controlling one or more remote computers.
In Q4 2019, over 50 access points to the networks of major companies from all over the world (the same number as during all of 2018) were publicly available for sale. In Q1 2020, this number rose to 80. Criminals mostly sell access to industrial companies, professional services companies, finance, science and education, and IT (together accounting for 58 percent of these offers).
Only a year ago, criminals seemed to be more interested in trading in individual servers. Access to them was sold on the darkweb for as little as to $20. However, in the second half of 2019, we have seen an increasing interest in the purchase of access to local corporate networks. Prices have also skyrocketed: we have seen hackers offer a commission of up to 30 percent of the potential profit from a hack of a company’s infrastructure – with annual income exceeding $500 million. The average cost of privileged access to a single local network is in the range of $5,000.
There are some major companies who are the victims of these crimes, with annual incomes running into the hundreds of millions or even billions of dollars. In terms of location, the hackers primary target is U.S. companies (more than a third of the total), followed by Italy and the United Kingdom (5.2 percent each), Brazil (4.4 percent), and Germany (3.1 percent). In the U.S., criminals predominately sell access to professional services companies (20 percent), industrial companies (18 percent), and government institutions (14 percent). In Italy, industrial companies lead (25 percent), followed by professional services (17 percent). In the United Kingdom, science and educational organisations account for 25 percent, and finance for 17 percent. In Germany, IT and professional services each account for 29 percent of access points for sale.
In most cases, access to these networks is sold to other dark web criminals. They either develop an attack on business systems themselves or hire a team of more skilled hackers to escalate network privileges and infect critical hosts in the victim’s infrastructure with malware. Ransomware operators were among the first to use this scheme.
Positive Technologies senior analyst Vadim Solovyov said: “Large companies stand to become a source of easy money for low-skilled hackers. Now that so many employees are working from home, hackers will look for any and all security lapses on the network perimeter. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes.
“To stay safe, companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network. By making sure that all services on the perimeter are protected and security events on the local network are properly monitored to detect intruders in time. Regular retrospective analysis of security events allows teams to discover previously undetected attacks and address threats before criminals can steal data or disrupt business processes.”