According to information security company KELA, the number of ads on hacker forums offering access to the hacked networks of various companies tripled in September 2020 compared to the previous month.
KELA experts write that they indexed 108 ads posted on popular hacker forums, and calculated that the total cost of the accesses offered by hackers is $505,000. Moreover, about a quarter of the lots were eventually sold to cybercriminals wishing to attack certain companies.
Previously, such ads usually offered RDP access for purchase, and similar services were offered by botnet operators selling access to their bots. Much changed in the summer of 2019, however, with the discovery of many vulnerabilities in networking products, including Pulse Secure and Fortinet VPN solutions, Citrix network gateways, Zoho products, and more. Attackers began to actively exploit these vulnerabilities, and many groups began to monetize these attacks by selling the gained access on popular hacker forums such as XSS, Exploit, or RAID.
KELA analysts write that compromised network devices are only part of the problem. Criminals also still trade in access to compromised RDP or VNC endpoints. Most often, the compromise is achieved through simple brute force, a technique used by IoT botnets. It is also not uncommon for the original RDP access to be bought from other criminals, expanded to the user or administrator level, and then resold at a higher price.
According to analysts, the average price of access to a compromised network is approximately $4,960, and in general, prices range from $25 to $102,000. Obviously, networks with a compromised administrator account are valued more than networks where the compromised account has only basic user rights. However, even the latter is suitable for some hackers, because sometimes attackers are looking only for an initial "entry point" and have their own capabilities to expand access.
The price of access also depends largely on the "value" of the company rather than the size of its network. In their ads, hackers often indicate the company's annual income rather than the number of endpoints. This is because the target audience of such advertising is often ransomware operators, for whom the victim's annual income and profit are important for determining the ransom amount. The size of the network is less important for such hackers, since ransomware can cause huge damage to a company even without blocking thousands of computers.
Among the most expensive ads published in September were ads for access to the network of a large maritime and shipbuilding company (sold for $102,000), a Russian bank ($20,000), a Turkish aviation company ($16,000), and a Canadian franchise firm ($10,600).
At the same time, KELA analysts emphasize that the hacker forums they track are just the tip of the iceberg, giving only a general idea of this segment of the black market, which is actually much larger.