This blog tells you everything you need to know about what Initial Access Brokers are, how they obtain their access, and how they sell it.
Understanding Initial Access Brokers
Initial Access Brokers are one of the most common threats to organizations that we observe on the dark web. They are cybercriminals who specialize in breaking into networks and establishing a foothold. They then sell this foothold, or “access”, on to other cybercriminals to exploit.
This role, right at the beginning of the “Cyber Kill Chain”, makes Initial Access Brokers a critical part of the cybercriminal ecosystem. Cybercriminal gangs, including many ransomware operators, routinely use Initial Access Brokers so they don’t have to go through the effort of breaking into the network themselves. In return, Initial Access Brokers can generate consistent returns while taking on a relatively low-risk portion of the attack.
In this blog, the first in a two-part series, we’ll look at how Initial Access Brokers operate – including real-life examples of Initial Access Brokers we have tracked in the past.
How do Initial Access Brokers gain access to secure networks?
Initial Access Brokers use a number of methods to secure their product – i.e. the access to the organization that they go on to sell. Below are just three of the most common forms of access we observe for sale on dark web forums:
Remote Access
One popular way that Initial Access Brokers gain access is by compromising the virtual private network (VPN) or remote desktop protocol (RDP) technology that organizations use. Threat actors will go “door to door” to try to exploit VPN vulnerabilities they’ve discovered (for example, if a VPN hasn’t been patched with the latest security update), or they scan networks for open RDP ports. This is why it is critical that organizations monitor traffic reaching their networks from the dark web for signs of cybercriminal reconnaissance.
Compromised User Accounts
Another method we routinely observe on dark web forums is the sale of compromised user accounts. Initial Access Brokers deploy a number of methods to obtain employee accounts, especially accounts with administrator or privileged access, including phishing, infostealer malware, or trawling through previous breach data where employee credentials may have been exposed. Sometimes it’s not even that complicated. Remember that, despite vast amounts of education, the password “123456” was still shown to be used more than 4.5 million times in 2023, meaning brute-force attacks are still possible.
Webshells
A webshell is a malicious script used by threat actors to manipulate a web server from a remote location. Once the webshell is installed, it can be used as a backdoor into the compromised system. This backdoor allows the threat actor to return to the system to launch further attacks, with the ability to execute commands, upload and download files, or create new user accounts – or, in the Initial Access Broker cases we have observed, to sell the access for other cybercriminals to exploit.
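The RDP scanning and credential brute-forcing described above leave a recognizable trail in Windows Security logs: a burst of failed remote-interactive logons (event 4625, logon type 10) from one source, sometimes followed by a success (event 4624). The detector below is an added example, not code from the original post; the key=value log rendering and the sample events are constructed for illustration.

```python
"""Flag RDP brute-force activity in (simplified) Windows Security events.
Added example: the key=value format below is a constructed rendering of events 4625/4624."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password spray over RDP (logon type 10) from 203.0.113.7
# that ends in a successful logon, plus a benign typo-and-retry from 10.0.0.5.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=admin
2024-03-01T09:00:03 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2024-03-01T09:00:04 EventID=4625 LogonType=10 SrcIP=10.0.0.5 User=jsmith
2024-03-01T09:00:06 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=backup
2024-03-01T09:00:09 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=svc_sql
2024-03-01T09:00:12 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=helpdesk
2024-03-01T09:00:20 EventID=4624 LogonType=10 SrcIP=203.0.113.7 User=helpdesk
2024-03-01T09:05:00 EventID=4624 LogonType=10 SrcIP=10.0.0.5 User=jsmith
"""

FAILED, SUCCESS, RDP = "4625", "4624", "10"

def parse(line):
    """Turn one log line into a dict of its fields plus a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": n, "users": [...], "success_after": bool}}
    for every source with >= threshold RDP failures inside a sliding window."""
    failures = defaultdict(list)   # src_ip -> [(timestamp, user), ...]
    alerts = {}
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["LogonType"] != RDP:
            continue
        ip = ev["SrcIP"]
        if ev["EventID"] == FAILED:
            failures[ip].append((ev["ts"], ev["User"]))
            # drop failures that have aged out of the window
            failures[ip] = [(t, u) for t, u in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold:
                alerts[ip] = {"failures": len(failures[ip]),
                              "users": sorted({u for _, u in failures[ip]}),
                              "success_after": False}
        elif ev["EventID"] == SUCCESS and ip in alerts:
            # a success from an already-flagged source is the signal to escalate first
            alerts[ip]["success_after"] = True
    return alerts
```

Many distinct usernames from one source is the spray pattern; a flagged source that then logs on successfully is the case to triage first, since that is the foothold a broker would sell.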
How do Initial Access Brokers sell access?
Once they have confirmed access to a network, Initial Access Brokers will advertise details of the target to potential buyers on dark web forums such as XSS, Exploit, and BreachForums. Usually (but not always) the Initial Access Brokers won’t directly name the company, for fear of being detected by cyber threat intelligence teams and authorities. Instead, they allude to the company – or at least the potential payoff from hacking the company – with details like its revenue and industry. The “eBay-style post” will often also include the level of access that is available into the organization and network information.
Example of an Initial Access Broker post
The Initial Access Broker will then begin an auction in which they provide three prices labelled “Start”, “Step”, and “Blitz”. This is common dark web lexicon for auctions. In this case, it indicates that bidding starts at 15 Bitcoin and bids will be placed in increments of 1 Bitcoin. However, if an individual wanted to purchase the access outright, they could do so at the “Blitz” price of 20 Bitcoin. The Broker also indicates that he is not interested in buyers with “no reputation”.
Much like eBay, the person who bids the highest amount, or wants to purchase the access outright, will receive the product, which is – in this case – all information they need to carry out an attack on the organization.
Examples of Initial Access Brokers
To demonstrate some of the features we have described above, let’s look at some real-life Initial Access Brokers that we have historically tracked on the dark web.
Bl4ckB1rD
Active since July 2021
Active forum accounts: XSS, RAMP
As well as being active on the XSS and RAMP forums, Bl4ckB1rD (who also goes by the alias Robinhood) was recently banned from Exploit after a dispute with another threat actor. Bl4ckB1rD specializes in initial access but has recently enhanced their capabilities and started selling exfiltrated databases. Furthermore, the threat actor has developed a ransomware strain using the Go programming language, which they have dubbed Kuiper and started offering under the Ransomware-as-a-Service model.
Examples of key TTPs observed include:
- Selling unauthorized web shell access.
- Selling compromised RDP and VPN credentials.
- Offering to work on percentage of profits.
- Dumping and selling compromised data.
- Operating ransomware.
Examples of targeted industries:
- Governmental entities.
- Finance.
- Public sector.
- Insurance.
- Utilities.
- Transport.
- Manufacturing.
BlueScreen
Active since January 2024
Active forum accounts: Exploit
BlueScreen, a member of the Exploit cybercrime forum, caught the attention of the underground community by offering unauthorized access to the networks of multiple high-revenue companies, some with an annual revenue of over US $10 billion. Since the actor joined the forum in January 2024, they have made 23 posts and obtained one positive reputation point. Besides selling access, the actor has also contributed to the “malware” section of the forum, sharing the source code of what appeared to be a loader developed in the Rust programming language.
Examples of key TTPs observed include:
- Selling initial access.
- Sharing source code of malware.
- Maintaining access via compromised RDP credentials.
- Targeting the Active Directory of victims.
- Exploiting Mikrotik devices to obtain access.
- Accepting direct payment or a percentage of profits.
Examples of targeted industries:
- Gambling/Casinos.
el84
Active since January 2023
Active forum accounts: XSS, Exploit, RAMP
Since the el84 moniker became active in January 2023, the threat actor has made more than a hundred posts on each forum and has obtained a significant reputation in the cybercriminal underground, along with positive feedback from buyers. It quickly became clear that el84 is a knowledgeable, financially motivated Initial Access Broker who also provides technical advice and guidance to other actors.
Examples of key TTPs observed include:
- Selling unauthorized web shell access.
- Selling information about vulnerabilities allowing remote code execution (RCE).
- Selling compromised VPN credentials.
- Offering to deploy customers’ (i.e. other cybercriminals’) malware on compromised networks.
Examples of targeted industries:
- Governmental entities.
- Law enforcement.
- Aviation.
- Telecommunications.
- Automotive.
- Education.
- Technology.
- Banks.
Identifying Initial Access Brokers
Because Initial Access Brokers are a key part of the dark web’s cybercriminal economy, it’s important that organizations understand what they are, how they operate, and where they can be found. The next step – and the subject of our upcoming blog – is how organizations can neutralize Initial Access Brokers that might be targeting them.