Unidentified hackers reportedly breached the digital infrastructure of a prominent auction house and set the price tag for this access at $120,000.
After spotting the advertisement on a well-known online forum frequented by initial access brokers (IABs), security researchers analyzed 72 posts on the forum to understand the specifics of what was being offered.
Valuable Digital Entry Points
An investigation by threat intelligence researchers at Flare catalogued IAB offerings over a three-month period. During that window, brokers advertised unauthorized access to more than 100 companies across 18 sectors, including telecommunications, defense, healthcare, and banking.
Eric Clay, the senior marketing executive at Flare, shared the findings in a report with BleepingComputer, noting that businesses in the U.S., Australia, and the U.K. were the most frequently targeted, a pattern consistent with the size of those economies.
The finance and retail segments emerged as prime targets, closely followed by the construction and manufacturing sectors, as Clay indicated.
The price of access varied based on the company’s stature and its geographical location. The entry point prices began at a modest $150, primarily for access via VPN or RDP, with around a third of the offerings priced below $1,000.
However, the most premium access was pegged at a staggering $120,000, equivalent to 4 BTC at the time. This prized access was to a globally recognized auction house’s system. While the hackers were discreet about the specifics, they hinted at having unparalleled access to premium auction events, including ones featuring Stradivarius violins and rare automobiles.
Flare commented, “Occasionally, extremely valuable or unique access points surface on the market, leading to significant price variations compared to the average.”
Several high-end access offers were related to major companies primarily located in the U.S. and the U.K., with a significant portion related to critical infrastructure sectors such as healthcare, finance, and manufacturing.
Digital Entry and Geographical Insights
Many posts included information about the potential target’s location, enabling researchers to draft a map showcasing 35 purportedly compromised entities outside the U.S.
Interestingly, targets from certain countries were conspicuously absent from the forum, with notably few listings concerning China despite its global economic significance. Clay told BleepingComputer about a single listing, for a Chinese artificial intelligence firm.
RDP (32 listings) and VPN (11 listings) were the most common forms of unauthorized access, together accounting for 60% of the offers.
The extent of access privileges spanned from cloud administrator to local admin and domain user roles. An interesting revelation included a broker offering significant access to a U.S. radio network, potentially enabling unauthorized advertisements.
Some brokers boasted access to backup and recovery systems and entire corporate IT infrastructures, presenting opportunities for ransomware attacks.
While many intrusions into corporate systems originate from information-stealing malware, a few actors indicated other approaches, possibly other malware types, phishing, or vulnerability exploitation.
Mathieu Lavoie, the technical head at Flare, said, “The logs from stealing operations are a primary entry point that’s often overlooked. This simplistic infection method is likely a primary gateway for IABs and ransomware entities into corporate IT structures.”
Companies are advised to monitor for information-stealing malware, which is frequently the source of stolen corporate credentials. Monitoring the platforms where IABs advertise can also give companies early hints of a breach, even when the listing obscures the victim's identity.
Correlating the details a listing does reveal, such as geographical location, industry, revenue bracket, and access type, with a company's own profile can trigger an investigation into likely unauthorized access. The same exercise can also expose which access paths (for example exposed RDP or VPN endpoints) most need hardening.
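As an added illustration of the correlation approach described above (example code, not from Flare or the article), the following Python sketch scores constructed IAB listings against an organisation's own profile and returns those worth investigating; the field weights, privilege bonuses, threshold and sample listings are all assumptions.

```python
# Added example: rank IAB forum listings by how closely they match our own organisation.
from dataclasses import dataclass

@dataclass
class Listing:
    post_id: str
    country: str
    sector: str
    revenue_band: str   # e.g. "<100M", "100M-1B", ">1B"
    access_type: str    # e.g. "RDP", "VPN", "Citrix"
    privilege: str      # e.g. "domain user", "local admin", "domain admin"
    price_usd: int

# Assumed weights: sector and revenue are more discriminating than access type.
FIELD_WEIGHTS = {"country": 2, "sector": 3, "revenue_band": 2, "access_type": 1}
# Assumed bonus: broader privilege means greater impact if the listing is really us.
PRIVILEGE_BONUS = {"domain user": 0, "local admin": 1, "domain admin": 3, "cloud admin": 3}

def score_listing(listing, profile):
    """Sum the weights of fields that equal our profile, plus a privilege bonus."""
    score = 0
    for field, weight in FIELD_WEIGHTS.items():
        if getattr(listing, field).lower() == profile[field].lower():
            score += weight
    return score + PRIVILEGE_BONUS.get(listing.privilege.lower(), 0)

def prioritise(listings, profile, threshold=5):
    """Return (score, listing) pairs at or above threshold, highest score then price first."""
    hits = [(score_listing(l, profile), l) for l in listings]
    hits = [(s, l) for s, l in hits if s >= threshold]
    hits.sort(key=lambda sl: (sl[0], sl[1].price_usd), reverse=True)
    return hits

# Constructed sample listings (not real forum posts).
SAMPLE_LISTINGS = [
    Listing("p1", "US", "finance", "100M-1B", "VPN", "domain admin", 8000),
    Listing("p2", "UK", "retail", "<100M", "RDP", "domain user", 150),
    Listing("p3", "US", "finance", "100M-1B", "RDP", "local admin", 2500),
    Listing("p4", "AU", "healthcare", ">1B", "Citrix", "domain admin", 30000),
]
# Constructed profile of our own organisation.
ORG_PROFILE = {"country": "US", "sector": "finance", "revenue_band": "100M-1B", "access_type": "VPN"}

if __name__ == "__main__":
    for s, l in prioritise(SAMPLE_LISTINGS, ORG_PROFILE):
        print(f"{l.post_id}: score={s} {l.access_type}/{l.privilege} ${l.price_usd}")
```

Listings that clear the threshold are candidates for checking the named access path (VPN or RDP logs, recent credential exposure in stealer logs) rather than proof of compromise.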