Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

How Access to Your Network is Sold on the Dark Web – and the Price Tag!

August 11, 2021

ZDNet reported on August 10th that a new report from cybersecurity company IntSights has published a study on the market for network access on the dark web.

Paul Prudhomme, cyber threat intelligence advisor at IntSights, examined network access sales on underground Russian and English-language forums and then compiled a study on why criminals sell their network access and how criminals transfer their network access to buyers.

More than 37% of all victims in a sample of the data were based in North America where there was an average price of $9,640 and a median price of $3,000.

Network access is often sold to be used in ransomware attacks. Dark web forums form a decentralized system where less-skilled cybercriminals can rely on each other for different tasks, allowing most ransomware operators to simply buy access from others, according to Prudhomme.

The network access offered ranges from the credentials of system administrators to remote access into a network. With millions of people working from home (still), the sale of network access has increased significantly over the last 18 months. Remote access is generally through RDP and VPNs.

Cybercriminals share access to a wide range of malware, malicious tools, illicit infrastructure, and compromised data, accounts, and payment card details.

Cybercriminals rarely have a full team of attackers knowledgeable in every aspect of an attack, making dark web forums perfect as they either sell what they’ve already stolen or search for malware payloads, hosting infrastructure and access to compromised networks.

“This factor is particularly applicable to compromises of specialized environments, such as those with operational technology (OT), industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, or other less common or less conventional technology that may be unfamiliar to many attackers,” Prudhomme explained.

The posts offering compromised network access include the victim, the form and level of access for sale, as well as the pricing and other transaction details. Sometimes the victims are identified by location, industry or sector and revenue information is often included.

Some access is sold at auction. Others are negotiated over time.

The most common features of these sales are RDP credentials and VPN credentials, both of which are being used considerably more as people work from home. Web shells are also used as persistence mechanisms that can be transferred.

“Elevated privileges are a common feature of these sales, but not a universal one. Many types of malware, including ransomware, need elevated privileges in order to run,” Prudhomme said.

Included in the study is a quantitative and qualitative analysis of a sample of 46 sales of network access on underground forums covered in alerts provided to IntSights customers from September 2019 to May 2021. It is interesting that seven individuals accounted for more than half of the access points for sale.

While $9,640 was the average price, IntSights researchers said most prices were around $3,000. Just ten of the prices surpassed $10,000 and most were for access to telecommunications or technology companies.

The highest price in the study was $95,000 for access to a large telecommunications service provider in Asia with over $1 billion in revenue.

The researchers urge organizations to patch systems, enable MFA and take other measures to close off potential access points.

As we lecture, we find that very few people understand that remote access to their networks is a commodity sold on the dark web, and for (comparatively) bargain basement prices.

Notice: We will be transferring our blogs to a new platform shortly which will be hosted on our website. The new URL for accessing the blog will be https://senseient.com/ride-the-lightning/ Users currently subscribed via email delivery should not be impacted. Those users subscribed via RSS feed will need to resubscribe from the blog once it is relocated to the website.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology