Selling access: A primer on initial access brokers

Access holds the keys to power. Want to get something done in Washington? You have to know the right people who can manipulate the levers of government. Starting a business? It’s critical that you have access to capital and other financial resources. Trying to move up in your career? Networking gives you access to the right opportunities.

Cybercriminals are no different. Getting paid, causing a disruption, or stealing information requires access to top targets at businesses, government entities, and prominent individuals around the world. However, surveilling a target, crafting an attack plan, sending out feelers, and gaining initial access is time-consuming – sometimes taking months or even years. As a result, we’ve seen a dramatic rise in initial access brokers, cybercriminals who have managed to build an entire industry around the monetization of network access.

Who are these initial access brokers? What services do they provide? Why are they so successful? Why should you care? Here are the answers to these important questions.

What is an initial access broker?

Initial access brokers are the opportunistic locksmiths of the security world, gaining and selling access to target organizations. Many ransomware-as-a-service (RaaS) offerings allow anyone with a credit card or cryptocurrency account to purchase initial access to a target while skipping the time- and labor-intensive surveillance and scoping process. Threat actors can use this access to hold corporate information and systems for ransom, steal data, deliver a payload, or disrupt operations. Buying access shortens the time threat actors need to get into targeted networks, allowing them to act quickly when opportunities arise.

Why is this trend disturbing?

Initial access brokers open up a whole new market of malicious actors who are as lean and agile as their enterprise targets. A cybercriminal no longer needs to be an expert hacker to infiltrate a multinational corporation or government entity. They just need a credit card or cryptocurrency account. In addition, many hobbyist hackers who gained unauthorized access to networks for sport and preferred not to capitalize on the access they gained can now monetize their efforts without the moral objections. By selling access to the highest bidder, initial access brokers feel isolated from the harm their customers may be spreading and may be more likely to expand their attacks in scale and scope.

What is the market like for initial access?

Surprisingly cheap. According to Kela, initial access brokers sell access for an average of roughly $5,400, but domain admin privileges to networks owned by multinational corporations or high-profile government agencies can command significantly higher prices. Network access sales typically take one to three business days, and companies in the U.S. and the EU are the most common targets. The five most well-known Russian-speaking ransomware operators (LockBit, Avaddon, DarkSide, Conti, and BlackByte) are all known to use initial access brokers.

What high-profile attacks originated with an initial access broker?

A recent cybersecurity incident carried out against Bangkok Airways has been traced to initial access brokers. Access through the airline’s Cisco AnyConnect VPN was offered up for auction in July 2021, and just two months later the company announced it had been the victim of an attack that exposed passenger data to an unauthorized person.

How do initial access brokers enable ransomware attacks?

The anatomy of an initial access broker attack is pretty straightforward:

  1. An initial access broker uses a Highly Evasive Adaptive Threat (HEAT) technique to compromise a poorly defended website. Since the website is already classified as having a good reputation, URL categorization and other filtering defenses do not block or flag the site. This HEAT tactic is classified by the Menlo Labs research team as Legacy URL Reputation Evasion (LURE), which the infamous Lazarus Group recently used.
  2. The compromised website now hosting a malicious PDF appears in search results.
  3. A user clicks the SEO-poisoned link and, after multiple HTTP redirects, a malicious first-stage malware payload is downloaded to the endpoint.
  4. The attacker leverages this backdoor access to gather system info.
  5. The initial access broker then sells access to a ransomware threat actor via the dark web.
  6. The ransomware actor delivers a Cobalt Strike payload via the backdoor to spread laterally across the network.
  7. The attacker gains full domain compromise via Active Directory.
  8. The actor deploys ransomware to all connected workstations and devices.
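
Because the compromised site in step 1 keeps its good reputation, defenders have to look for the behaviour in step 3 instead: a search-engine click, several redirects, then a file download. The sketch below is an added example, not code from the original article or from Menlo Security; the proxy-record fields, the threshold, and the host and content-type lists are assumptions, and the log records are constructed.

```python
from urllib.parse import urlparse

# Assumptions of this example (not from the article): field names, thresholds, lists.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}
DOWNLOAD_TYPES = {"application/pdf", "application/zip", "application/octet-stream"}
MIN_REDIRECTS = 2  # step 3 speaks of "multiple HTTP redirects"

def rec(user, url, referrer, status, location, ctype):
    return dict(user=user, url=url, referrer=referrer, status=status,
                location=location, ctype=ctype)

G = "https://www.google.com/search?q=invoice+template"
# Constructed web-proxy records; all hosts are reserved example domains.
SAMPLE_LOG = [
    rec("alice", "https://blog.example.org/invoice", G, 302, "https://r.example.net/go?id=7", "text/html"),
    rec("alice", "https://r.example.net/go?id=7", "", 302, "https://files.example.com/invoice.pdf", "text/html"),
    rec("alice", "https://files.example.com/invoice.pdf", "", 200, None, "application/pdf"),
    rec("bob", "https://docs.example.org/paper.pdf", G, 200, None, "application/pdf"),
    rec("carol", "http://shop.example.com/", G, 301, "https://shop.example.com/", "text/html"),
    rec("carol", "https://shop.example.com/", "", 200, None, "text/html; charset=utf-8"),
]

def host(url):
    return urlparse(url or "").hostname or ""

def find_lure_chains(records):
    """Flag search click -> repeated redirects -> file download, ignoring site reputation."""
    by_key = {(r["user"], r["url"]): r for r in records}
    findings = []
    for start in records:
        if host(start["referrer"]) not in SEARCH_ENGINES:
            continue
        chain, cur = [start["url"]], start
        while 300 <= cur["status"] < 400 and cur["location"]:
            nxt = by_key.get((cur["user"], cur["location"]))
            if nxt is None or nxt["url"] in chain:  # target not logged, or a loop
                break
            chain.append(nxt["url"])
            cur = nxt
        hops = len(chain) - 1
        ctype = cur["ctype"].split(";")[0].strip().lower()
        if hops >= MIN_REDIRECTS and cur["status"] == 200 and ctype in DOWNLOAD_TYPES:
            findings.append({"user": cur["user"], "hops": hops, "final": cur["url"],
                             "hosts": [host(u) for u in chain]})
    return findings

if __name__ == "__main__":
    for f in find_lure_chains(SAMPLE_LOG):
        print(f)
```

A direct PDF download from a search result (bob) and a single HTTP-to-HTTPS redirect (carol) are not flagged; only the multi-hop chain ending in a download is.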

Why are initial access brokers so successful?

The acceleration of digital transformation, modern applications, multi-cloud environments, and remote work have spread threat surfaces, making it impossible for organizations to protect every distributed asset. Malicious actors are able to take advantage of HEAT techniques, vulnerabilities in VPNs, and user behavior to evade traditional detect-and-respond defenses.

HEAT-based attacks bypass traditional web security measures and leverage web browser features to deliver initial payloads or compromise credentials. Typically, the point of detection (if the attack is detected at all) is too late to stop the initial breach. By then, access has likely already been sold to the highest bidder, who is then under pressure to get their investment back.

What can be done to stop these attacks?

The only way to stop these attacks is to prevent the initial access brokers from gaining a foothold into organizations at the initial access points – making a potential breach useless, as if it never happened. This requires a robust protection strategy focused on advanced anti-phishing and Internet isolation capabilities. Isolation provides a virtual air gap in the cloud between the Internet and users’ devices. All content is routed through a Secure Web Gateway (SWG) with isolation capabilities, where it is executed in isolation within the cloud. This prevents all code – whether malicious or not – from executing on endpoints, effectively cutting off any access a malicious actor has to the network and rendering HEAT attacks ineffective.
