Any newbie hacker can now gain entry into tech and telecom firms to gain control of 2FA access codes.
With the commercialization of ransomware technology nowadays, hackers do not even need to compromise victims themselves but can just buy already-compromised network access from other attackers.
This specialization of malicious services can result in a sharp increase in ransomware attacks as these sales reduce the barriers to entry for bad actors. Such services often include a combination of remote access into a network and administrator credentials or other highly privileged accounts.
Technology and telecommunications companies are among the most common victims and often command higher prices. While this phenomenon predates the pandemic, it peaked in 2020 with the sudden mass shift to a remote workforce.
Increased attack surfaces due to WFH
The increased use of RDP, VPN, and other remote access services during work-from-home (WFH) arrangements has expanded the available attack surface and given attackers more instances of a key access vector to use.
Many organizations and less technically literate employees are more vulnerable to attack due to misconfigurations, unpatched versions of VPN software, a lack of two-factor authentication (2FA) for VPN and RDP credentials, and VPN-themed social engineering attacks.
RDP is a common initial access vector, particularly for brute force attacks on networks and often in conjunction with ransomware. Many organizations fail to disable RDP services that they do not use.
Even when there is a business reason to enable RDP access, many organizations fail to protect RDP credentials with 2FA or strong passwords, which leaves them vulnerable to brute force attacks.
Democratization of hacking services
Users of underground criminal forums and dark markets often specialize in certain sectors of the underground criminal economy.
This specialization and division of labor increases the severity, impact, and cost-effectiveness of attacks and fraud by delegating or outsourcing various stages of an attack and the resulting exploitation of data or access to those that can perform it most optimally.
Sales of compromised network access are thus significant enablers for ransomware attacks.
Such sales to ransomware operators also enable the initial intruders to reap profits from breaches that may have otherwise gone to waste and yielded revenue.
The price of a compromise
Cybercriminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. English-speaking victims are often easier to compromise because they speak the world’s leading lingua franca.
Technology and telecommunications were the most frequently affected industry, representing about 22% of victims, according to a white paper by IntSights. Three other industries tied for a close second place, with nine victims each: financial services, healthcare and pharmaceuticals, and energy and industrials (19.5% each).
The average price for sales was close to US$10,000, and the median price was US$3,000. A majority of these offerings were in the four-figure range in US dollars.
Gateway to more cybercrime
Due to the specialization and division of labor in the cybercriminal world, the streamlined hacking processes have lowered the barrier-to-entry for malicious agents that lack the necessary skills or resources but have the money to make buy hacked access to targeted victims.
Targeting technology and telecommunications companies stems from their usefulness for enabling further attacks on other targets, such as conducting SIM swapping attacks on online banking customers that use 2FA via SMS.
The criminals’ goal is to reassign those customer phone numbers to SIM cards that they control to receive 2FA codes for their online banking credentials, enabling them to compromise those accounts.
Preventive best practices
The types of credentials and persistence mechanisms that are most commonly sold by hackers should be higher-priority targets for security teams.
Audits or other scrutiny of these types of credentials and persistence mechanisms can be useful for threat hunters, who can begin their incident response by reviewing logs for the types of credentials and persistence mechanisms identified in the advertisement for that sale.
Common best-practice security recommendations include frequently changing passwords, requiring 2FA, looking out for credential dumps, keeping tabs on remote access services, and regularly updating security software.
Upon being victimized by a ransomware attack, organizations should refrain from paying the ransom.