Researchers have found that the sale and purchase of unauthorized access to compromised enterprise networks are influenced by location and industry.
IntSights, a Rapid7 company, released new research today that highlights the dark world of network access, with findings showing that underground criminals sell access to organizations for up to $10,000.
“Some cyber-criminals specialize in network compromises and sell the access that they have obtained to third parties, rather than exploiting the networks themselves,” explained the researchers. “By the same token, many criminals that exploit compromised networks — particularly ransomware operators — do not compromise those networks themselves but instead buy their access from other attackers.”
The attackers who buy this access often lack the skills needed to obtain it themselves, according to the study. A lack of skills is often also the reason the access is sold.
“In September 2020, Russian-speaking username ‘hardknocklife’ auctioned off remote desktop protocol (RDP) access to a U.S. hospital,” added the researchers. “He mentioned as a selling point that this RDP access yielded patient records, in which he reportedly had no interest.
“US patient records from healthcare organizations are a valuable resource for identity thieves and other fraudsters because they contain dates of birth, social security numbers and other personal details that they can use for fraudulent credit applications and other malicious purposes,” they went on to say. “This seller could have mined or monetized that data himself but lacked interest in doing so, perhaps because he could be more productive as an intruder than a fraudster, or because he lacked the fraud or criminal business skills to do so.”
The auction started at the low price of $500, but the seller set a “buy now” price of $5000 (USD).
IntSights analyzed a sample of 46 sales of network access on underground forums between September 2019 and May 2021. The sample included 30 offerings from Russian-language forums (65%) and 16 offerings from English-language forums (35%).
The researchers found that the average price for the 40 sales was approximately $9640 (USD), and the median price was $3000 (USD). IntSights researchers view the average price of $9640 (USD) as a better indicator of the higher end of the typical price range.
“When ranked in ascending order, the list of these 40 prices only met or exceeded the average of $9,640 USD in the top quartile, or among the 10 highest prices of these 40,” stated the team. “This higher end of the price range began at $10,000 USD, with three offerings at exactly that price.”
On the lower end of the scale, nine of the ten lowest prices were just three figures. The more expensive offerings have five-figure prices.
“An examination of the higher and lower prices sheds light on the factors that influence pricing,” the research stated. “For example, the single lowest price of $240 was for access to a healthcare organization in Colombia.
“Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. Prices for access to healthcare organizations also trend lower due to the perception that they are easier to compromise.”
The research also shows that even though this tactic predates the COVID-19 pandemic, the “resulting increase in the use of remote access tools and services have given attackers more attack surface to exploit.” This has fueled a marked increase in sales of unauthorized access to networks, with some underground criminal forums dedicating specific sections to this offering.