Access-as-a-Service: How to Keep Access Brokers Away from Your Organization
Last updated on October 6, 2023
An attacker’s access to the network is often traced back to a succession of events, which network defenders must unravel. This is done by asking specific questions such as: How did the attackers enter the network? What gave them that initial access? What actions did they take once inside that allowed them to gain more access?
Access-as-a-Service (AaaS) is becoming more common as a means to gain access to networks. Read on to find out what AaaS is and who is behind it.
However, despite the “as-a-service” title, this is not an actual service wherein the criminals continue to provide the service after selling it, but rather a one-time deal. The seller, referred to as an access broker or initial access broker (IAB), sells breached credentials or direct access to organizations to other cybercriminals.
Access brokerage is a type of cybercrime in which an attacker gains unauthorized access to a victim’s computer or network and then sells that access to another party.
Access brokerage is a growing problem as attackers are able to exploit vulnerabilities in systems and applications in order to gain access, which can then be sold on the black market for a profit. As access brokers become more sophisticated, they are able to target larger organizations and even government agencies, making this type of cybercrime a serious threat.
Compromised systems can be very valuable to cybercriminals, as they provide a way to gain unauthorized access to sensitive data or carry out malicious activities without being detected. For this reason, access brokers can charge high prices for their services. The role of an access broker is often difficult to track, as they typically use anonymous payment methods and conduct their business through private messages or encrypted channels.
Access brokers often use stolen credentials to gain access to systems, which they then sell to buyers. However, some brokers may also have direct contact with system administrators who are willing to sell access to their systems.
Types of Access Brokers
There are three main types of IABs:
Opportunistic sellers offer one-off access, advertising their offerings in criminal web-based forums.
Dedicated brokers have access to an array of different companies that they advertise in wider underground networks. Often, this type of IAB also reaches out directly to affiliates.
Online shops usually consist of a group of sellers who offer a variety of data. However, these shops only guarantee access to a single machine, not an entire network.
How Is Data Obtained?
There are multiple ways in which IABs can obtain access to sensitive data:
Data breaches and password hash breaking: When companies or websites lose user lists along with password hashes in a data breach, hackers can crack them to obtain credentials.
Malware logs: Cloud platforms allow attackers to use botnets to spy on infected users’ internet connections and collect credentials. These are often collected into malware logs, which are then sold to access brokers to expand their credential stocks.
Vulnerability exploitation: It is possible for some AaaS brokers to use exploits to attack servers and gain access to user credentials. Common targets include VPN gateways or external web servers.
Opportunistic hacking: Typically, small-time hackers will sell one-off access to their target’s system. Phishing operators will also sell the credentials they exfiltrate in bulk.
IAB Operation Step-by-Step
To better understand how access brokers operate, let's imagine the following scenario:
When a bug or vulnerability is made public, IABs become active. They investigate how to deploy infostealers, a type of RAT that can acquire keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, clipboard material and so on from an infected device. Primarily they propagate to target systems by way of spam as well as phishing campaigns.
Once an infostealer is deployed, the trojan begins to log activities and collect data. These logs are then manually examined for credentials that might be monetized on the dark web. The credentials sought by IABs include access to virtual private networks (VPNs), remote desktop protocols (RDP), web applications, and corporate webmail servers that are instrumental in committing CEO fraud.
The IABs openly list and advertise their prized, high-value corporate targets on underground marketplaces where they broker for these stolen credentials. Pricing varies based on company size and level of privilege within the compromised network.
AaaS Defense Strategies for Organizations
A cybersecurity defense strategy that focuses on detecting and preventing the initial breach of access is crucial for CISOs and security teams. When you detect the initial access of an attack, you are more likely to prevent the subsequent components of the attack lifecycle, such as ransomware. Here are other components to consider when creating an effective security strategy:
Leverage trusted frameworks such as those published by the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA).
How Can Heimdal® Help?
As we pointed out previously, XDR is a crucial asset when it comes to building a security strategy. It acts as an overseer, gathering data from across your environment to anticipate cyberattacks and plan courses of action based on genuine, real-time data.
Heimdal’s Extended Detection and Response team monitors your devices, alerts you on infection or attack, validates policy compliance, and employs rapid and decisive responses to attacks.
The availability of Access-as-a-service has simplified attackers’ endeavors by providing direct access to target networks. Threat actors can now spend more time finding servers with the most sensitive, thus valuable, data inside the network. IABs are a stark indication that cybercrime is already an organized industry.
The ever-evolving threat landscape places enormous pressure on CISOs and security teams. Preparedness increases your chances of defense, response, and recovery. Protect your organization against organized cybercrime by investing in cybersecurity tools, training, and awareness.
Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.