Hackers auction 'access rights' for up to $120,000

A hacker claims to have breached a major auction house's internal network and offered access to anyone willing to pay $120,000, according to Bleeping Computer.


The ad was spotted on a hacking forum known for hosting an Initial Access Broker (IAB) marketplace, when security researchers analyzed a sample of 72 posts.

"Expensive" network access

Researchers at threat intelligence firm Flare analyzed IAB offers on the Russian-language hacking forum Exploit over a three-month period (May 1-July 27) to better understand the hacking groups' goals, asking prices, and activity. In that time, Initial Access Brokers (IABs, intermediaries for hackers) "advertised" access to more than 100 companies in 18 industries, including defense, telecommunications, healthcare, and financial services.

In a report shared with BleepingComputer, Eric Clay, Flare's vice president of marketing, noted that attacks against companies in the U.S., Australia, and the U.K. were the most common, which is not surprising given the high gross domestic product (GDP) of these countries. The report identified the most cases against financial and retail entities, followed by construction and manufacturing.

Prices for initial access start at $150, depending on country and company. Most of the listings are initial access via VPN or RDP, and about a third are priced under $1000. However, access to the internal network of a multibillion-dollar auction house is currently on sale on hacker forums for $12 million (4 BTC at the time). The seller didn't provide many details but said he had access to the backend (i.e., the admin panel) of several high-end auctions.

Flare points out that while most access is low-to-medium value, occasionally unique or extremely high-value access is auctioned off, which can result in pricing that differs significantly from the average.

Access rights and geographic location

Most of the posts mentioned the geographic location of the victims, which led the researchers to create a map showing 35 entities outside the United States that were allegedly targeted by the hacking group.


Victim distribution map based on initial access ads (Source: Flare.io)

IAB listings on the Exploit forum still avoid targeting Russia and the Commonwealth of Independent States (CIS) countries, but the number of IAB listings for China, the world's second-largest economy by GDP, is also surprisingly low. On that point, Clay revealed that while IABs generally avoid targeting China, there is an access listing for Chinese AI companies.

Notably, Clay pointed to a broker that offered privileged access to a U.S. radio station, which he said could be used to "play ads."

The most common type of access in Exploit forum posts is through RDP or VPN, which combined accounted for 60% of the listings in the dataset. The remaining 40% was access tied to accounts such as cloud administrators, local administrators, and domain users. Typically, access to corporate networks comes from information-stealing malware, but some attackers have made it clear that malware, phishing, or exploiting vulnerabilities can be used. Mathieu Lavoie.

Regardless of the method used by the initial access broker to gain network access, organizations should at least implement monitoring for information-stealing malware. In addition, organizations should monitor the forums where initial access brokers advertise. Even if the victim's name is withheld, a listing can give the enterprise clues about a possible intrusion. Combined with data such as geography, revenue, industry and access type, it is enough to investigate potential breaches, a process that may uncover areas that require stronger security or identify devices, services and accounts that may pose a risk.
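One way to run the correlation described above, as an added example that is not part of the original article or Flare's report: it scores anonymized listings against an organization's own profile and attaches the review step for the advertised access type. The field names, organization profile, review steps and sample listings are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical profile of the defending organization (constructed values).
ORG = {"country": "AU", "industry": "retail", "revenue_musd": 850,
       "exposed_access": {"rdp", "vpn"}}

# What to review first for each advertised access type (illustrative).
NEXT_STEP = {
    "rdp": "audit internet-facing RDP hosts and recent remote logons",
    "vpn": "review VPN logins per account and rotate stale credentials",
    "cloud_admin": "review cloud admin role assignments and sign-in logs",
}

@dataclass
class Listing:
    post_id: str
    country: str
    industry: str
    revenue_musd: tuple   # (low, high) revenue range quoted in the ad, in $M
    access_type: str

def score(listing, org=ORG):
    """Return the list of ad attributes consistent with the organization."""
    low, high = listing.revenue_musd
    checks = {
        "country": listing.country == org["country"],
        "industry": listing.industry == org["industry"],
        "revenue": low <= org["revenue_musd"] <= high,
        "access_type": listing.access_type in org["exposed_access"],
    }
    return [name for name, ok in checks.items() if ok]

def triage(listings, org=ORG, threshold=3):
    """Listings matching >= threshold attributes, strongest match first."""
    hits = []
    for ad in listings:
        matched = score(ad, org)
        if len(matched) >= threshold:
            step = NEXT_STEP.get(ad.access_type, "review manually")
            hits.append((ad.post_id, matched, step))
    return sorted(hits, key=lambda h: -len(h[1]))

# Constructed sample listings; victim names are withheld, as in real ads.
SAMPLE = [
    Listing("post-001", "AU", "retail", (500, 1000), "rdp"),
    Listing("post-002", "US", "finance", (1000, 5000), "vpn"),
    Listing("post-003", "AU", "retail", (10, 50), "cloud_admin"),
    Listing("post-004", "AU", "construction", (800, 900), "vpn"),
]

if __name__ == "__main__":
    for post_id, matched, step in triage(SAMPLE):
        print(post_id, matched, "->", step)
```

A match is only a lead for investigation: several companies can share the same country, industry and revenue band.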


Origin blog.csdn.net/FreeBuf_/article/details/132368332