Venture into the dark web, and you can find all kinds of illicit and illegal items up for sale. Drugs, hacked PayPal accounts, and fake passports are promoted just as goods are on any other online shopping site. But tech experts are noticing that one service-for-sale is flooding the underground marketplace: access to breached corporate networks.
The dark web is littered with ads pushing access-for-sale. This could be login credentials, software, or exploits that allow a user to gain control of one or more computers in a network. Once a cybercriminal has hacked a website, server, or database, the access can be sold to third parties and handed over like a set of keys.
Since 2019, access-for-sale ads on the dark web have increased sevenfold, according to a report released Wednesday by cybersecurity agency Positive Technologies. Gaining access to a company’s network can set the stage for a variety of future attacks, including data theft, extortion, and corporate espionage. But the obvious favorite among cybercriminals in 2021 has been ransomware installation.
This past year, ransomware attacks have shut down a major US fuel pipeline, paralyzed a major food supplier, and crippled countless businesses in a devastating supply chain attack. Researchers also noted an influx of ads looking for partnerships and hackers-for-hire. This surge could largely be attributed to the emergence of ransomware affiliate and partnership programs, Positive Technologies said.
A Changing Criminal Model
Analysts have noted that the criminal model is changing. The hacker who breaches the network and the cybercriminal who follows through on the attack may require different skill sets. While the perimeter can be hacked by a novice, the attack must be carried out by professionals, according to the report.
Researchers said they found more than 700 new ads for buying and selling access and seeking hacking partners in 2020, and 590 in the first quarter of 2021 alone. The sharp rise in these ads indicates a deep pool of lower-level hackers who are unwilling to follow through with a full-fledged cyberattack and would rather pass the buck to professional cybercriminals instead.
Analysts pointed out that the market seems to be getting oversaturated as well. The number of hacker-placed ads tripled in the first quarter of 2021 compared to the same quarter a year prior.
While an average of $600,000 worth of access is sold on the dark web each quarter, researchers noticed an interesting trend. From 2017 until the first quarter of 2020, the number of expensive network access lots (above $5,000) halved. Ads priced below $1,000 rose to 45% of all ads, possibly indicating the entry point of novice criminals undercutting professionals.
“With these realities in mind, a system for protection against cyberattacks may require a different approach,” Yana Yurakova, an analyst at Positive Technologies, said. “The threat actor model needs to be revised to guard against both access from low-skilled attackers and sophisticated methods of attack.”
Companies Targeted by “Access Miners”
Positive Technologies has dubbed these entry-level hackers “access miners,” and expects to see more activity from this new role in the near future. There are a variety of factors that determine what companies could be targeted by access miners. Researchers said these include:
- Company size
- Corporate revenue and other financial points
- Number of computers
- Account access level
As for the industries whose network access had been put up for sale, cybercriminals homed in on a select few: namely the services, manufacturing, and research and education sectors. Analysts noted that in previous years, other industries were frequently targeted, but those have since been abandoned due to their difficult nature.
“Note that the share of industrial companies and financial institutions, whose networks are typically more expensive to hack, decreased somewhat,” Yurakova said. “This may be attributed to the fact that the initial access market is served by lower-skilled actors who prefer easier victims.”