
Hackers Are Getting Smarter: How They Compromise Corporate Networks 3 Times Faster in 2021

September 30, 2021

Hackers have managed to compromise corporate networks three times faster in 2021, with 75% of attacks being financially motivated, a recent report shows. Both government and industry experts say greater complexity and interdependence among systems give attackers more opportunities for widespread, global damage. On top of that, the rise of Initial Access Brokers is proving to be a real challenge for cybersecurity experts.

Hackers Are Getting Smarter and More Efficient

Hackers are compromising company networks three times faster in 2021 than in 2020, managing to identify other systems of interest in the victim’s infrastructure just 1 hour and 32 minutes after the initial network compromise, according to cybersecurity company CrowdStrike’s annual report.

By comparison, it took hackers 4 hours and 37 minutes to compromise company systems in 2020.

“One of the reasons that the time to compromise a company’s network has reduced is the emergence of access brokers that aim to initially compromise networks and then facilitate access to ransomware operators. This diversification and specialization of cybercrime operations have also led to increased collaboration between financially motivated groups of attackers. Basically, access brokers compromise networks, then sell access to ransomware operators, and if the victim pays, the amount is split between the two cybercrime groups,” said Liviu Arsene, CrowdStrike’s Director of Threat Research.

CrowdStrike’s security analysts have determined that 75% of interactive intrusion attempts—where attackers manually compromise computer systems—are financially motivated, driven largely by ransomware threats directly targeting businesses.

The cyberattack boom, both in terms of volume and effectiveness, demonstrates that attackers have constantly adapted their tactics, techniques, and procedures in order to reach their goals faster. Over 65,000 potential intrusions have been identified and successfully blocked by CrowdStrike’s security analysts in the past year, averaging nearly one potential security incident every 8 minutes.

The number of cyberattacks has increased by about 60% compared to 2020. The number of cyberattacks directly targeting industries such as telecommunications and retail has also doubled in the past year, according to the same report. More than 40% of observed incidents attributed to suspected state-sponsored groups targeted the telecommunications and retail industries. Such cyberattacks have been orchestrated mainly by state-sponsored groups associated with China and Iran, with potential purposes such as surveillance data collection, intelligence, and counter-espionage.

The CrowdStrike report analyzed data from July 1, 2020 to July 30, 2021, using a sample of 248,000 unique systems that CrowdStrike solutions protect.

The Rise of Initial Access Brokers

In recent years, the cybercrime business model has evolved, creating a market of vendors on the dark web. An emerging trend in the underground economy is initial access brokerage, a flourishing market where threat actors gain initial access to organizations and either sell it or offer it as a service to other cyber-criminals.

Typically, the access advertised is remote access through Remote Desktop Protocol (RDP) or a compromised Citrix gateway. RDP has proven to be a common attack vector within the ransomware landscape.

In August, cybersecurity firm KELA published a report exploring the Initial Access Broker market and found that the average cost of network access was $5,400, while the median price was $1,000. The top affected countries included the US, France, UK, Australia, Canada, Italy, Brazil, Spain, Germany, and UAE.

The team examined over a thousand listings in dark web underground forums from July 1, 2020, to June 30, 2021, and found that initial access ads included a range of networks and compromised account-based offerings, such as remote access to a computer in an organization, as well as domain-level privilege account access and both RDP and VPN-based remote access.

The most expensive initial access offering involved an Australian company with an annual revenue of $500 million; it was sold for 12 Bitcoin (BTC), or roughly $478,000. It was followed by ConnectWise-based access to an IT company in the United States, for 5 BTC ($200,000).

“While some actors are ready to work for a percentage (a share from the amount gained in a successful ransomware attack), the majority of IAB prefer to stick to fixed prices,” says KELA. KELA also observed some successful IABs changing their sales methods, moving away from public forums to private channels with trusted buyers.

Organizations around the world are increasingly finding themselves targeted, as data breaches become more common. Having the proper tools and systems in place can prevent data breaches and cybercrimes, while saving your company a lot of money.