Shadow Building // Offers of access to corporate networks flooded the black market

The number of ads on shadow forums for the sale of access to corporate networks doubled in the first quarter, and increased sevenfold by the end of 2020. At the same time, access is getting cheaper, although access to industrial companies and financial organizations remains the most expensive. Overall this is more a case of oversupply: the interest of end customers in access to Russian corporate networks has not grown, experts say. But the market has been flooded with low-skilled players, creating a special category of “access miners”.

The number of ads for the sale of access to corporate networks in the first quarter more than doubled compared to the fourth quarter of 2020 (590 new ads versus 255), according to a study by Positive Technologies. In 2020, the number of ads for the sale of access increased seven times compared to 2019, the company calculated. The researchers analyzed ten popular shadow forums, seven of them Russian-language.

According to the research, access to the corporate networks of organizations is sold for a total of about $600 thousand per quarter, and over the past four years the share of access offers priced from $5 thousand has halved.

The most expensive is access to industrial companies and financial organizations, but over the past year their share has decreased from 16% to 14% and from 11% to 6%, respectively. The three sectors most often offered for access were services, industry, and science and education.

The trend is due to the access market filling up with low-skilled players, the study says. Attackers have a new specialization: “access miners”, who may be newcomers. They gain initial access to a company’s network in order to sell it on the shadow market. The earlier situation, in which a hacker could get inside and then abandon the process halfway through, is almost impossible today, because the results of an attack can be sold at any stage, says Alexander Konovalov, CTO of Varonis.

The pandemic has fueled interest in selling access to corporate networks, as they have become more vulnerable, explains Daria Koshkina, an analyst at Rostelecom-Solar. The growth in offers correlates with the increased volume of fraud aimed at obtaining corporate accounts, said Alexander Chernykhov, a leading information security expert at Krok.

Although businesses consciously began investing in the protection of remote access during the pandemic, the percentage of those investing in information security is still very small, says Anton Ponomarev, director of ESET’s corporate business department.

The education and medical sectors are the slowest to respond to changes because of a lack of qualified IT personnel and a complex procurement system, he notes.

Moreover, such institutions are “a storehouse of data that can be profitably sold”: they store the personal information of students, scientific papers and exam assignments, says Mr. Ponomarev.

In 2020, more than 20% of Russian companies reduced their information security budget

An additional risk factor is the large number of “unverified” people who have access to the internal network, which increases the “attack area” for social engineering and the opportunity to recruit one of the employees or students who have access to the infrastructure, says Alexander Konovalov. Employees of certain companies are in great demand: the shadow market is full of messages about “hiring employees of banks / traffic police / delivery services,” according to Doctor Web.

At the same time, access to Russian corporate networks has never been in great demand on the black market, said Ashot Hovhannisyan, founder of the DLBI data leak intelligence service. Russian companies, he explains, almost never pay ransoms when infected with ransomware, while law enforcement agencies quickly find those who decide to make money this way.

Yulia Stepanova