Access-as-a-service (AaaS), a new business model in the underground world of cybercrime, refers to threat actors selling methods for accessing networks for a one-time fee. We have one group of criminals, referred to as an access broker or initial access broker (IAB), stealing enterprise user credentials to sell to other attack groups. The buyers then use ransomware-as-a-service (RaaS) or malware-as-a-service (MaaS) to exfiltrate confidential data from the targeted enterprise. The service is part of the overall cybercrime-as-a-service (CaaS) trend.
Let us look at a common scenario for AaaS: As soon as the details of a vulnerability are made public, IABs deploy infostealers to acquire keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard material from the compromised device. Once an infostealer is in place, the remote access Trojan (RAT) begins to log activities and collect data in raw logs. These logs are then manually examined for usernames and passwords that might be monetized and sold on the Dark Web. The credentials that IABs seek include access to virtual private networks (VPNs), remote desktop protocol (RDP), Web applications, and email servers that are instrumental in committing spear phishing and business email compromise (BEC).
Some brokers may have direct contact with system administrators or end users who are willing to sell access to their systems. In recent months, threat groups have actually advertised (on the Dark Web) for administrators and end users who are willing to share credentials for a few minutes in return for large cryptocurrency payments. In some cases, threat groups have asked for employees from specific organizations who are willing to share access for bigger payments.
Countermeasures to Beat IABs
Due to the ease of IABs using infostealers to harvest and sell stolen credentials, developing and using countermeasures is paramount to understanding your risk profile. Open source intelligence (OSINT) can provide a thorough report of what is available for sale on the Dark Web or World Wide Web. Cybersecurity companies can collect this information and provide reports detailing the results.
Here are some examples of potential security holes that OSINT analysis can find, along with an example of a countermeasure that could prevent damage from the information.
- Suspicious domains registered: Take down bogus or fraudulent domains.
- Email addresses leaked: Change email addresses or provide additional information to the owner of the email address.
- Credentials exposed in third-party breaches: Lock accounts or change passwords.
- Executive emails exposed in third-party breaches: Change passwords and warn executives.
- Network exposure on Shodan: Increase the security around infrastructure that’s Internet-facing.
- Information found on Pastebin posts: Secure the sources of the leaked information and analyze how the information was exfiltrated.
- Passwords stolen: Change passwords and warn users.
- Information found on public repositories: Ascertain the source of the information and close vulnerabilities associated with the leaked information.
- Email addresses for social engineering found: Require specialized training around phishing and social engineering for the owners of the email addresses.
- Typo-domain registrations with viruses: Take down the domains.
- Technical information about your network: Ascertain how the information was stolen, close any holes found, and then perform a penetration test from the Internet.
- Vulnerabilities on your network: Patch all vulnerabilities ASAP.
- Information about insecure protocols on your network: Remove all insecure protocols ASAP.
- Firewall and hostname information: Configure everything on the network in a way not to show this information.
- Vulnerable software used: Either patch the vulnerable software or discontinue its use if it cannot be secured.
- DNS information: Your network should be configured to never show Internet names and IP addresses, typically by using a proxy server.
- SSH and port information: Ensure the SSH is configured correctly and test the security.
- Outdated and vulnerable SSL information: Ensure all SSL information is removed and upgrade to TLS 1.2 or higher.
The Importance of OSINT
An attacker’s access to the network is often traced back to a succession of events, which cybersecurity professionals must unravel. This is done by asking specific questions, such as: How did attackers enter the network? How did they gain access to the network? What actions did they take once inside that allowed them to gain more access? Currently, misconfigurations in active directories have led to threat actors being able to rapidly elevate credentials, sometimes all the way to domain admin.
OSINT reports detailing this critical information can provide everything needed to build a defense around credential loss and IABs. With the information obtained from the Dark Web, cybersecurity teams can build countermeasures for the loss of credentials or other brand information.
The real risks stem from not knowing about what’s available on the Dark Web. To build a good defense, you must have good intelligence. Threat intelligence is often an overlooked aspect of building cybersecurity layers. While there is no magic layer of defense that removes all risks, OSINT can dramatically reduce the risks associated with this new and innovative type of threat group.