Initial access brokerage market is booming, poses a growing threat to enterprises

Names like Novelli, Orangecake, Pirat-Networks, SubComandanteVPN, and Zirochka will likely mean nothing to the vast majority of enterprise security teams. But for ransomware operators and other cybercriminals looking for fast access to corporate networks, these were the brokers of choice for much of last year.

Together, the five entities accounted for about 25% of all corporate network access offers for sale on underground forums between the second half of 2021 and the first half of 2022. For an average price of about $2,800, these so-called initial access brokers (IABs) sold stolen VPN and Remote Desktop Protocol (RDP) account credentials and other credentials that criminals could use to break into the networks of more than 2,300 organizations around the world, without breaking a sweat.

A huge and growing marketplace

The five operators were the leaders in a much larger and fast-growing market of hundreds of similar IABs that security firm Group-IB discovered while conducting research for its 11th annual high-tech crime report, released this week.

The company’s research showed strong year-over-year growth in the number of IABs active in underground forums and markets – from 262 in the immediately preceding 12-month period to 380 in the period between the second half of 2021 and the first half of 2022. Approximately 327 of the IABs Group-IB saw in operation during that period were new entrants to the space.

Group-IB researchers also found a 41% increase in the number of countries in which compromised organizations were located – from 68 a year earlier to 96 over the period of their study. Nearly a quarter – 24% – of all initial access offers were for the networks of US-based organizations. Other countries with relatively high numbers of victims were Brazil, Canada, France and the UK.

“As access product sales continue to grow and diversify, IABs represent one of the biggest threats to watch in 2023,” warned Dmitry Volkov, CEO of Group-IB, in a statement accompanying the new report.

“Initial entry brokers play the role of oil producers for the entire underground economy,” he noted. “They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries.”

“Opportunistic Locksmiths of the Security World”

The value proposition of IABs in the cybercrime economy is that they give other cybercriminals an easy way to gain a foothold on a target network without having to do any upfront work. IABs do the technical work of breaking into a network and stealing the credentials that grant access to it, such as those for VPNs, RDP services, Active Directory and remote management panels. Often they place web shells on a compromised network to ensure continued access to it, and then sell the web shells. In a report last year, researchers from Google’s Threat Analysis Group described IABs as the “opportunistic locksmiths of the security world” who specialize in breaching a target and providing access to it to the highest bidder.

Driving the ransomware economy

IABs offer their wares to anyone willing to buy them, and the market for their services has grown rapidly over the past two years. But their biggest clients of late are ransomware operators.

A new study from threat intelligence firm KELA found that several major ransomware attacks involving groups like Hive, Sodinokibi, BlackByte, and Quantum started with network access from an IAB. In one case, members of the Conti ransomware group joined an IAB to attack organizations in Ukraine.

“The most notable incident was related to the attack on Medibank, an Australian insurance company, which was attacked after network access to the company was sold on a private Telegram channel,” said KELA.

The Group-IB researchers found that 70% of the access types IABs offered were RDP and VPN account credentials. Many of the offers – 47% – involved administrative access to the compromised network. Of the ads that specified permissions, 28% involved domain management permissions, 23% offered standard user permissions, and a small fraction offered root account access.

Group-IB researchers also found IAB ads for access to Citrix environments, multiple web panels for CMS and cloud servers, and web shells on compromised systems. In some cases, IABs even offered to launch lateral movement payloads on behalf of the buyer, such as Cobalt Strike Beacon or Metasploit sessions. But offers for these kinds of access and services were less common than those for RDP and VPN credentials.

Organizations for which access offers were most available in underground forums and marketplaces included manufacturing companies, financial services companies, real estate organizations, and education and information technology companies.

Group-IB found that the surge in the number of entities operating in the IAB space during the period of its study had pushed prices down for most categories of initial access.

In fact, the $2,800 average price the company observed was less than half of the $6,500 IABs charged on average for the same access a year earlier.