Initial Access Brokers – Key To Rise In Ransomware Attacks

By   ISBuzz Team
Writer, Information Security Buzz | Aug 04, 2022 02:04 am PST

An analysis from Recorded Future’s research group, Insikt Group, details the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials.


Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, … are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more.

The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC).
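The RDP "brute force guessing" and credential stuffing the report lists leave a recognisable trace in authentication logs: bursts of failed logons from one source, either hammering a single account or walking through many accounts. The following Python is an added example, not code from Recorded Future's report or this article. It runs a sliding-window detector over constructed failed-logon lines loosely modelled on Windows Security events 4625 and 4624 with logon type 10 (RDP); the field names, addresses, thresholds and window size are assumptions. It flags a single-account burst (brute force), a many-account burst from one source (spraying or stuffing), and a successful logon that follows a flagged burst, which is the event a responder most wants to see first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). One event per line, loosely modelled on
# Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10
# (RemoteInteractive, i.e. RDP). Field names and addresses are assumptions for this example.
SAMPLE_LOG = """\
2022-08-04T09:00:01 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:00:02 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:00:03 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:00:04 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:00:05 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:00:06 4625 src=203.0.113.7 user=administrator logon_type=10
2022-08-04T09:01:00 4625 src=198.51.100.9 user=alice logon_type=10
2022-08-04T09:01:01 4625 src=198.51.100.9 user=bob logon_type=10
2022-08-04T09:01:02 4625 src=198.51.100.9 user=carol logon_type=10
2022-08-04T09:01:03 4625 src=198.51.100.9 user=dave logon_type=10
2022-08-04T09:02:00 4624 src=198.51.100.9 user=dave logon_type=10
2022-08-04T09:30:00 4625 src=192.0.2.44 user=frank logon_type=10
2022-08-04T10:30:00 4625 src=192.0.2.44 user=frank logon_type=10
"""

# NLA-protected RDP failures frequently surface as logon type 3 rather than 10; widen this set in production.
RDP_LOGON_TYPES = {"10"}


def parse_line(line):
    """Turn one 'timestamp event_id k=v k=v ...' line into a dict."""
    ts, event_id, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Return {source_ip: sorted list of findings} for suspicious RDP authentication patterns.

    brute_force:            >= fail_threshold failures against one account from one source inside `window`
    password_spray:         >= spray_threshold distinct accounts failing from one source inside `window`
    success_after_failures: a successful logon from a source already flagged above
    """
    records = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda r: r["ts"],
    )
    recent_failures = defaultdict(list)  # src -> [(ts, user), ...] still inside the sliding window
    findings = {}
    for rec in records:
        if rec.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        src = rec["src"]
        if rec["event_id"] == 4625:
            # Drop failures that have aged out of the window, then add this one.
            cutoff = rec["ts"] - window
            recent_failures[src] = [(t, u) for t, u in recent_failures[src] if t >= cutoff]
            recent_failures[src].append((rec["ts"], rec["user"]))
            users = {u for _, u in recent_failures[src]}
            if len(recent_failures[src]) >= fail_threshold and len(users) == 1:
                findings.setdefault(src, set()).add("brute_force")
            if len(users) >= spray_threshold:
                findings.setdefault(src, set()).add("password_spray")
        elif rec["event_id"] == 4624 and src in findings:
            # A success from a source that was already guessing is the highest-priority alert.
            findings[src].add("success_after_failures")
    return {src: sorted(tags) for src, tags in findings.items()}


if __name__ == "__main__":
    for src, tags in detect(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

The third source in the sample (two failures an hour apart) produces nothing, which is the point of the window: the thresholds are meant to catch automated guessing, not a user mistyping a password twice in a morning. In a real deployment the same logic would read from the event collector rather than an inline string, and the thresholds would be tuned against a baseline of normal failure rates.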

Baber Amin, COO
August 4, 2022 10:06 am

This underscores why passwords as a credential are bad. The best way to combat this threat is to eliminate the use of passwords from as many systems as possible. If that is not possible, multi-factor authentication should be implemented for all access. MFA has become easy to implement over the last few years and should be the default.

Lastly, to prevent lateral movement, principles of least privilege must be observed. This means that each person has the minimal level of trust granted for the task at hand. For any escalation of privilege, one should:

• Look at user behavior in the context of the application, the task, and the user agent/device being used for deviation from normal
• Depending on the threshold defined, invoke authentication or re-authentication using different mechanisms than those initially deployed
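The two bullet points above describe a risk-based step-up: score an access attempt against the user's normal device, user agent and location, weight it by the task being requested, and above a threshold demand re-authentication with a factor other than the one already used. The following Python is an added example and not the commenter's own code; the baseline data, score weights, thresholds and factor preference order are assumptions chosen to make the policy concrete.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """What the policy sees for one access attempt (constructed fields, not from the article)."""
    user: str
    device_id: str
    user_agent: str
    country: str
    application: str
    action: str          # "read", "export" or "admin": the task at hand
    initial_factor: str  # factor already satisfied at sign-in, e.g. "password"


@dataclass
class UserBaseline:
    """The user's normal devices, user agents and locations, learned from past successful logins."""
    known_devices: set
    known_user_agents: set
    usual_countries: set


# Constructed baseline for one user (an assumption for this example).
BASELINES = {
    "alice": UserBaseline(
        known_devices={"laptop-4711"},
        known_user_agents={"CorpBrowser/1.0"},
        usual_countries={"DE"},
    )
}

# Weights are assumptions; tune them to your own false-positive tolerance.
ACTION_WEIGHT = {"read": 0, "export": 2, "admin": 4}

# Step-up must use a mechanism different from the initial one; phishing-resistant options come first.
STEP_UP_PREFERENCE = ["webauthn", "totp", "push"]


def risk_score(ctx, baseline):
    """Score deviation from the user's normal context plus the sensitivity of the requested task."""
    score, reasons = 0, []
    if ctx.device_id not in baseline.known_devices:
        score += 3
        reasons.append("new_device")
    if ctx.user_agent not in baseline.known_user_agents:
        score += 1
        reasons.append("new_user_agent")
    if ctx.country not in baseline.usual_countries:
        score += 2
        reasons.append("unusual_country")
    weight = ACTION_WEIGHT.get(ctx.action, 2)  # unknown actions are treated as moderately sensitive
    if weight:
        score += weight
        reasons.append(f"sensitive_action:{ctx.action}")
    return score, reasons


def decide(ctx, baselines=BASELINES, step_up_at=2, deny_at=8):
    """Return {"decision": allow|step_up|deny, "factor": ..., "score": ..., "reasons": [...]}."""
    baseline = baselines.get(ctx.user)
    if baseline is None:
        # No behavioural history at all: treat everything as deviant rather than trusting by default.
        baseline = UserBaseline(set(), set(), set())
    score, reasons = risk_score(ctx, baseline)
    if score >= deny_at:
        return {"decision": "deny", "factor": None, "score": score, "reasons": reasons}
    if score >= step_up_at:
        # Pick the strongest factor that is not the one the session already presented.
        factor = next(f for f in STEP_UP_PREFERENCE if f != ctx.initial_factor)
        return {"decision": "step_up", "factor": factor, "score": score, "reasons": reasons}
    return {"decision": "allow", "factor": None, "score": score, "reasons": reasons}


if __name__ == "__main__":
    attempt = LoginContext("alice", "phone-9", "CorpBrowser/1.0", "DE", "hr-portal", "export", "password")
    print(decide(attempt))
```

Note that the task weight means a sensitive action from a fully familiar device still triggers step-up, which is how the comment's "minimal level of trust granted for the task at hand" translates into policy: trust is earned per task, not once per session. The deny tier exists because above some score no additional factor should rescue the request; the user's normal path is a fresh, fully attested sign-in.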
