Threat Intelligence

    Easy Way In: Initial Access Brokers and Insider Threats

    Initial access brokers — criminals who gain and sell admittance to corporate networks — aid and abet ransomware attacks. Sometimes, they’ve got inside help.

    by Stephanie Overby

    Key Points

    • Initial access brokers (IABs) are criminal groups that sell illegitimate access to corporate networks. 
    • The use of IABs in cyberattacks has surged.
    • By turning to brokers for network access, cybercriminals can focus their efforts on deploying more sophisticated attacks on target companies.
    • IABs themselves gain access via phishing attacks, system vulnerabilities, weak or stolen network credentials, or malicious insiders.

    The first step in any successful cyberattack is gaining access to the target organization’s network. And thanks to a thriving breed of cybercriminals called initial access brokers (IABs), getting in is easier than ever.

    IABs concentrate their efforts on breaking into a target network and then selling that way in, often via underground forums, to other cybercriminals.[1] Call it access-as-a-service — and another example of the kind of specialized offerings available for sale in the ongoing commoditization of cybercrime.

    Because IABs do the hard work of breaking and entering, other bad actors can focus their efforts inside, on distributing malware, deploying ransomware, or otherwise wreaking havoc within a corporate network. With IAB prices for corporate network access ranging from $1,000 to $10,000, it’s a steal for cybercriminals with greater gains in their sights.

    Some cybersecurity experts point to IABs as a key factor in the rise of ransomware attacks, which nearly doubled in 2021.[2],[3] The barrier to entry for profitable cybercriminal exploits has never been lower, with IABs handling the network compromise in parallel with the growing availability of ransomware-as-a-service (pay-per-use malware that can be used to encrypt or steal data in pursuit of a payoff from victim organizations). 

    The Locksmiths of Cybercrime

    Digital Shadows, a threat intelligence company that began tracking IABs in 2016, cited an increase in their use by cybercriminals in its 2021 report. IABs were quick to take advantage of often poorly protected virtual private networks or remote access software deployed during the sudden surge of remote working during the COVID-19 pandemic, according to the report. As a result, “we’re now witnessing a ‘perfect storm’: a dramatic increase in remote working and an incredibly successful ransomware monetization model.”[4]

    There were more IABs, more listings, and higher prices in 2020 than ever before. But, even as remote work decreases, IABs will continue to expand. “Initial access brokers have become a mainstay of cybercriminal activity, and this has coincided with the trend of global cybercrime becoming more streamlined and efficient,” Digital Shadows threat intelligence analyst Chris Morgan said in a published interview.[5] 

    Analysts with Google’s Threat Analysis Group (TAG) called IABs “the opportunistic locksmiths of the security world.”[6] And they make vigorous use of email to find an organization’s weak spot.

    One IAB that Google TAG’s analysts tracked was working closely with a Russian cybercrime gang known for data exfiltration and complex, “human-operated” (vs. automated) ransomware attacks. At the height of the IAB’s observed activities, it was sending some 5,000 emails a day to as many as 650 targeted organizations around the world using tactics like spoofing company domains and employee identities. 

    Initially, this IAB focused on specific industries, including IT, cybersecurity, and healthcare, but it more recently broadened its scope to include “a wide variety of organizations and industries,” according to Google TAG’s analysis.

    When IABs and Malicious Insiders Meet

    The business model for an IAB is relatively straightforward: find vulnerabilities within an organization and sell that access to other ransomware threat actors. IABs may find their way into a network by exploiting a system vulnerability or through a phishing attack. The root cause of many ransomware attacks is also known to be initial access through a service that requires only a password, with no second factor. Thus, IABs may take advantage of weak, broken, or stolen network credentials. Or they may buy passwords from a malicious insider.

    Malicious insider activity itself is also widespread and growing. The vast majority (87%) of respondents to Mimecast’s State of Email Security Report survey for 2022 have confronted a threat or leak initiated by malicious insiders in the past year. Remote working and increased employee attrition fueled a 72% year-over-year increase in actionable insider threat incidents in 2021, according to another report.[7]

    Most malicious insider breach activity — 70%, according to one report — is financially motivated, with employees selling their credentials or access to systems and data on the Dark Web.[8] Which brings us back to IABs, who may pay insiders for those passwords.

    Email Protection: Keeping IABs Out and Insiders in Line

    Even as the cyberthreat environment evolves with the rise in IABs and malicious actors, one fact remains constant: Email continues to be a key conduit for cybercriminals seeking to break into a corporate network. So there is still significant room for improvement in fortifying email systems.

    Given the prevalence of the malicious insider threat, implementing systems to protect against them should be a high priority. However, just 44% of respondents to the State of Email Security survey said their companies have systems to monitor and protect against data leaks or exfiltration in outbound email.

    Because IABs can use email as their way in — and malicious insiders can use email to shuttle credentials or data out — the best practice is to deploy multilayered defenses. Email security products like Mimecast’s protect against spear phishing and other tactics that IABs use to steal credentials. They also automatically monitor all internal and outgoing email, with email scanning capabilities to flag, block, or delete emails with suspicious content.

    The Bottom Line

    IABs represent a growing threat that enables cybercriminals to get inside a network quickly and cost-effectively, fueling greater volumes of more sophisticated cyberattacks. While IABs can gain entry to corporate networks in a number of ways, one is for malicious insiders to provide these cybercriminals with their credentials. Email continues to be a key avenue for both IAB and insider activity, so investing in multilayered technologies to monitor and shut down suspicious emails is key. Explore Mimecast’s email security options and see how they can help.


    1 All Access Pass: Five Trends with Initial Access Brokers, KELA

    2 Initial access brokers: How are IABs related to the rise in ransomware attacks?, TechTarget

    3 Ransomware attacks nearly doubled in 2021, Security Magazine

    4 Initial Access Brokers Report: An Excess of Access, Digital Shadows

    5 The Troubling Rise of Initial Access Brokers, Dark Reading

    6 Exposing initial access broker with ties to Conti, Google Threat Analysis Group

    7 2022 Insider Threat Report, DTEX

    8 2021 Data Breach Investigations Report, Verizon
