For cybercriminals, there are so many ways to infiltrate a corporate network. Unfortunately, one of the easiest ways is also one that’s on the rise: using purchased compromised credentials. Initial access markets are often the source for these credentials.
In this blog series, we will be exploring initial access markets and brokers, how they work, their history, the techniques involved, and ultimately, how to defend against them. For part one, we will begin with what initial access markets are and their history.
Initial access markets are illicit online marketplaces where initial access brokers and cybercriminals buy and sell access to compromised computer systems. These markets are often hidden within the dark web or accessed through specialized forums and communities.
In practice, initial access markets serve as a crucial component of the cybercrime ecosystem, enabling obtained attackers to quickly gain entry into systems without needing to perform the initial compromise themselves. This facilitates faster, more impactful cybercrime, and signifies the increasing commoditization of cybercrime techniques.
In these markets, cybercriminals can purchase various credentials and other means of access, including:
The credentials found on initial access markets are generally obtained during a prior breach or phishing attack. When an adversary can gain full access to a corporate network, they can not only steal company data and financial information but also employee and potentially customer credentials.
These credentials come with a lot of weight. Due to password reuse and other bad security hygiene, one set of credentials could be used to access nearly all a person’s business and personal applications. The potential fallout is enormous, and for the attacker, the opportunities are endless.
The history of initial access markets is intertwined with the evolution of cybercrime and the underground economy. While exact dates for the emergence of such markets may vary, their development can be traced back to the early days of the internet and the rise of cybercriminal activities. Here's a brief overview:
In the early days of the internet, underground forums and IRC (Internet Relay Chat) channels served as hubs for hackers and cybercriminals to share information, tools, and illicit services. These forums facilitated discussions about hacking techniques, vulnerabilities, and eventually, the buying and selling of access to compromised systems.
With the emergence of exploit kits like Blackhole, Angler, and others, cybercriminals gained the ability to automate the exploitation of vulnerabilities in web browsers and plugins. These kits were often rented out or sold on underground forums, providing attackers with a means to compromise systems en masse.
As law enforcement agencies cracked down on visible underground forums, cybercriminals migrated to the dark web, where they could operate with greater anonymity. Dark web marketplaces like Genesis AlphaBay, Hansa, and others became notorious for hosting a wide range of illegal goods and services, including stolen data, malware, and access to compromised systems.
Over time, specialized markets dedicated to specific aspects of cybercrime emerged. This includes initial access markets, where cybercriminals buy and sell access to compromised systems. These markets often operate similarly to legitimate online marketplaces, with ratings, reviews, and escrow systems to facilitate transactions.
As cybersecurity measures improve and law enforcement agencies intensify their efforts to combat cybercrime, initial access markets and other underground activities continue to evolve. This includes the adoption of encrypted communication channels, cryptocurrency payments, and other tactics to evade detection.
Throughout their history, initial access markets have played a significant role in the cybercrime ecosystem, providing cybercriminals with a convenient means to monetize their activities and enabling sophisticated attacks against individuals, businesses, and organizations.
Read part two of this series to learn about what techniques are used in initial access markets, both before and after sale.
To learn more about initial access markets, watch our webinar deep dive on the topic.
