
In the world of cybercrime, Initial Access Brokers (IABs) play a crucial role. They act as intermediaries who gain unauthorized access to corporate networks and sell it to other criminals. This article explores how IABs operate, current market trends, and the measures companies can take to protect themselves.
The Role of Initial Access Brokers in the Cybercrime Ecosystem
Initial Access Brokers (IABs) are specialized cybercriminals who focus on finding and exploiting weaknesses in corporate networks. They use techniques such as phishing, exploitation of software vulnerabilities, or malware deployment to obtain a foothold, typically working credentials for VPN, RDP, email or cloud accounts. Rather than using that foothold themselves, they sell it to other cybercriminals, who then conduct ransomware attacks or other malicious activities.
This division of labor allows specialized actors to collaborate efficiently and maximize their criminal operations. They function like highly sophisticated locksmiths for cyberattacks: instead of deploying ransomware themselves or stealing data, they offer the stolen access credentials on underground marketplaces. This makes cybercrime more efficient and scalable, as attackers no longer need to infiltrate networks themselves but can immediately begin monetizing the access.
How Do Initial Access Brokers Operate?
IABs use different methods to gain access to networks:
Phishing campaigns: Attacks on employees via email to steal login credentials.
Exploits of vulnerabilities: Exploiting unpatched security flaws in software and operating systems.
Malware & keyloggers: Installing malicious software that captures login credentials.
Credential stuffing & brute-force attacks: Replaying username/password pairs leaked from other breaches, or guessing weak passwords, against exposed login portals such as VPN, RDP and webmail.
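The last two techniques leave a distinctive trace in authentication logs: a brute-force attack produces many failures against one account from one source, while credential stuffing or password spraying produces a few failures each against many accounts from one source, and a success that follows a burst of failures is the signal that the broker now holds a working foothold. The following Python script runs that triage over a small constructed log. It is an added example, not code from the original article; the log format, field names and thresholds are assumptions for illustration rather than any product's native format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (an illustration, not any product's native format):
# "<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def build_sample_log() -> str:
    """Constructed sample traffic: a password spray, a brute force, and a benign user."""
    lines = []
    # One source, one failed attempt each against ten accounts, then a success on the tenth.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin",
                              "frank", "grace", "heidi", "ivan", "judy"]):
        lines.append(f"2024-05-01T08:00:{i:02d} 203.0.113.10 {user} FAIL")
    lines.append("2024-05-01T08:00:10 203.0.113.10 judy OK")
    # One source hammering a single privileged account until it succeeds.
    for i in range(12):
        lines.append(f"2024-05-01T08:05:{i:02d} 198.51.100.7 admin FAIL")
    lines.append("2024-05-01T08:05:12 198.51.100.7 admin OK")
    # A legitimate user who mistypes a password once: must not alert.
    lines += ["2024-05-01T09:00:00 192.0.2.55 alice OK",
              "2024-05-01T09:10:00 192.0.2.55 alice FAIL",
              "2024-05-01T09:10:05 192.0.2.55 alice OK"]
    return "\n".join(lines)


def parse(log: str):
    """Return a list of (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def analyze(events, window=timedelta(minutes=10), fail_threshold=8, spray_min_users=5):
    """Classify each source IP once it crosses fail_threshold failures within the window:
    many distinct usernames -> password spray / credential stuffing, otherwise brute force.
    Any success from a source with a threshold-sized burst of recent failures is raised
    separately, because that is the moment a broker has working access to sell."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        recent_failures = deque()  # (timestamp, user) pairs inside the sliding window
        classified = False
        for ts, _, user, success in evs:
            while recent_failures and ts - recent_failures[0][0] > window:
                recent_failures.popleft()
            if success:
                if len(recent_failures) >= fail_threshold:
                    alerts.append({"ip": ip, "type": "success_after_failures",
                                   "user": user, "failures": len(recent_failures)})
                continue
            recent_failures.append((ts, user))
            if not classified and len(recent_failures) >= fail_threshold:
                users = {u for _, u in recent_failures}
                kind = "password_spray" if len(users) >= spray_min_users else "brute_force"
                alerts.append({"ip": ip, "type": kind, "failures": len(recent_failures),
                               "distinct_users": len(users)})
                classified = True
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse(build_sample_log())):
        print(alert)
```

The thresholds are deliberately conservative so that a user who mistypes a password does not page anyone; in production the same logic should be keyed on both source IP and, for spraying from a botnet, on the target account set over a longer window.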
A prominent example is a campaign against customer environments hosted on Amazon Web Services (AWS), in which attackers systematically scanned for security weaknesses, stole two terabytes of sensitive data, and sold it via private Telegram channels.
Market Analysis: Prices and Target Groups
The price for access to corporate networks varies depending on the size and revenue of the company. According to an analysis by Kaspersky, access to large enterprises typically costs between $2,000 and $4,000. Almost half of all offers, however, are priced below $1,000, while prices above $5,000 are rare. If the access involves administrator privileges on critical systems, the price can exceed $100,000. Specifically:
Basic VPN access or Remote Desktop Protocol (RDP): $200 - $1,500
IT admin accounts with extended privileges: $5,000 - $100,000
Email administration accounts or cloud service tokens: Up to $140,000
A 2024 Cyberint report breaks the traded access down by victim revenue. 27% of offered access credentials pertained to companies with revenues exceeding $1 billion, but smaller businesses are far from spared: 18.5% of the offers targeted organizations with revenues under $10 million and 29.5% those with revenues between $10 million and $100 million, so 48% of all offers involved companies with revenues below $100 million.
Geographically, U.S. companies are the most affected, accounting for 48% of analyzed offers. Other affected countries include France, Brazil, India, and Italy. Industries such as business services, finance, retail, technology, and manufacturing are particularly targeted; the manufacturing sector's share of offers rose from 14% in 2023 to 23% in 2024.
Stolen credentials are the most valuable asset in an IAB's portfolio. According to the IBM Cost of a Data Breach Report 2024, compromised credentials were responsible for 19% of all data breaches, and breaches that began this way took an average of 292 days to identify and contain. The Verizon Data Breach Investigations Report 2024 found that stolen credentials were the initial attack method in 24% of all security incidents.
Some high-profile attacks in 2024 illustrate the threat:
Geico: Attackers used credential stuffing to access customer data, resulting in a $9.75 million penalty from New York State regulators.
ADT: Two separate credential-based attacks within two months compromised 30,000 customer records.
Even companies with large cybersecurity budgets are not immune to attacks that start with compromised credentials.
Protective Measures Against Initial Access Brokers
To protect against IAB activities, companies should implement the following measures:
Multi-Factor Authentication (MFA): A stolen password alone no longer grants access; phishing-resistant methods such as FIDO2 security keys or passkeys also withstand relay-style phishing that captures one-time codes.
Least privilege access control: Employees only receive access rights necessary for their tasks, minimizing risk.
Regular software updates and patch management: Closing security gaps through timely updates.
Security awareness training: Educating employees on phishing and social engineering threats.
Restricted use of Remote Desktop Protocol (RDP): Never expose RDP directly to the internet; place remote access behind a VPN or gateway that requires MFA, and limit which accounts may log in remotely.
Implementation of Intrusion Detection Systems (IDS): Early detection of suspicious activity, including bursts of failed logins, logins from unfamiliar locations, and successful logins that follow such bursts.
Network segmentation: Making lateral movement of attackers within the network more difficult.
Zero Trust strategy: No user or device is automatically considered trustworthy.
Dark web monitoring: Early detection of compromised credentials for sale (CyberNinja Intelligence).
Implementation of a managed Security Operations Center service (CyberNinja MasterMind).
Conducting continuous penetration testing (NinjaRED).
Implementing standards like ISO 27001 can help systematically apply these measures and strengthen information security.
Conclusion
Initial Access Brokers pose a serious threat to businesses of all sizes. By selling access to corporate networks, they facilitate subsequent attacks such as ransomware infections. A proactive approach that combines technical security measures with regular training is essential to minimize risk and increase resilience against such threats.
We are happy to advise you—contact us!