As businesses turn to remote access solutions to empower workers during the COVID-19 crisis, trouble seems to be brewing across numerous illegal marketplaces and the Dark Web. Cybercriminals are actively shopping for credentials hoping to access valuable information without raising any alarms.
Credential theft is becoming a big business for cybercriminals looking to drain bank accounts, steal intellectual property or even plant malicious software on target systems. Positive Technologies has observed a quarter-over-quarter increase of some 69% in “access for sale” advertisements on illegal marketplaces. That does not bode well for organizations expanding remote access operations.
Positive Technologies’ experts have noted a flood of interest in accessing corporate networks using credentials purchased on illegal marketplaces. The company noted that in Q4 2019 more than 50 access points to the networks of major companies from all over the world were publicly available for sale. In Q1 2020, that number rose to 80. Criminals mostly sell access to industrial companies, professional services companies, finance, science and education, and IT (together accounting for 58% of these offers).
“Large companies stand to become a source of easy money for low-skilled hackers. Now that so many employees are working from home, hackers will look for any and all security lapses on the network perimeter,” said Vadim Solovyov, a senior analyst at Positive Technologies. “The larger the hacked company is and the higher the obtained privileges, the more profitable the attack becomes.”
Positive Technologies is also reporting an increase in the price of illegally acquired credentials as some cybercriminals turn to a commission structure to promote their activities. Hackers are offering a commission of up to 30% of the potential profit from a hack of a company’s infrastructure (for companies with annual income exceeding $500 million). The average cost of privileged access to a single local network is now around $5,000, a significant increase from only a year ago.
With so much activity on the Dark Web focused on credentials and access to corporate systems, most cybersecurity professionals should be asking themselves a critical question: Are my organization’s access credentials for sale on some illegal marketplace?
A troubling question indeed, but even more troubling is the fact that there is really no way to find out with any certainty. That uncertainty should push cybersecurity professionals to rethink their remote access solutions and implement more stringent policies, along with better security controls. For example, multi-factor authentication can go a long way toward making stolen credentials useless to cybercriminals, since a password alone no longer grants a session. Zero-trust solutions go even further, limiting remote access to authorized users and approved applications only. Even so, credential theft remains a significant problem. Positive Technologies noted that some major companies that have recently become the victims of these crimes have annual incomes running into the hundreds of millions or even billions of dollars, making them very lucrative targets for cybercriminals.
For cybercriminals, the primary targets are U.S. companies, which comprise more than one-third of all attacks, followed by Italy and the UK (5.2% each), Brazil (4.4%) and Germany (3.1%). In most cases, access to these networks is sold to other Dark Web criminals. They either develop an attack on business systems themselves or hire a team of more skilled hackers to escalate network privileges and infect critical hosts in the victim’s infrastructure with malware. Ransomware operators were among the first to use this scheme.
“To stay safe, companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network,” Solovyov added. “Make sure that all services on the perimeter are protected and security events on the local network are properly monitored to detect intruders in time. Regular retrospective analysis of security events allows teams to discover previously undetected attacks and address threats before criminals can steal data or disrupt business processes.”
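The two controls the article returns to, enforcing a second factor on remote logins and retrospectively reviewing security events on the local network, can be turned into a concrete review. The script below is an added example, not code from Positive Technologies or the article; the VPN log format, the user names, the addresses and the per-account baseline of previously seen source addresses are all constructed for it. It flags two patterns a team would want to see after the fact: a successful login that bypassed MFA from an address the account had never used before, and a burst of failures followed by a success from the same source, the shape left behind when a bought or guessed password finally works.

```python
"""Retrospective review of authentication events for signs of purchased-credential use.

Added example; not Positive Technologies' code. The log format, accounts,
addresses and baseline are invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not real data).
SAMPLE_LOG = """\
2020-04-06T08:01:10Z vpn auth user=alice src=198.51.100.20 result=OK mfa=totp
2020-04-06T08:05:42Z vpn auth user=bob src=203.0.113.7 result=FAIL mfa=none
2020-04-06T08:05:49Z vpn auth user=bob src=203.0.113.7 result=FAIL mfa=none
2020-04-06T08:05:57Z vpn auth user=bob src=203.0.113.7 result=FAIL mfa=none
2020-04-06T08:06:03Z vpn auth user=bob src=203.0.113.7 result=OK mfa=none
2020-04-06T09:15:00Z vpn auth user=carol src=192.0.2.33 result=OK mfa=none
2020-04-06T21:40:11Z vpn auth user=dave src=198.51.100.44 result=OK mfa=totp
"""

# Constructed baseline: source addresses each account has used before.
BASELINE = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.21"},
    "carol": {"198.51.100.22"},
    "dave": {"198.51.100.44"},
}

# Assumed line layout for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)$"
)


def parse_events(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(log_text, baseline, fail_threshold=3, window=timedelta(minutes=10)):
    """Return findings as (rule, user, src) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_failures[key].append(ev["ts"])
            continue
        # Rule 1: success preceded by a burst of failures inside the window.
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            findings.append(("failures_then_success", ev["user"], ev["src"]))
        recent_failures[key] = []
        # Rule 2: success with no second factor from an address never seen for this account.
        if ev["mfa"] == "none" and ev["src"] not in baseline.get(ev["user"], set()):
            findings.append(("no_mfa_new_source", ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    for rule, user, src in analyze(SAMPLE_LOG, BASELINE):
        print(f"{rule}: user={user} src={src}")
```

Run against the sample, the review reports bob twice (a failure burst that ends in success, then a no-MFA login from a new address) and carol once (no MFA, new address), while alice and dave, who authenticated with a second factor from known addresses, produce nothing. The failure threshold and time window are the knobs a team would tune to its own environment; the baseline would normally be built from a longer history than a single day's log.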