Darknet Demand for Corporate Network Access Surges by 69%

Experts from Positive Technologies have conducted a study of cyber service marketplaces on the dark web and discovered a surge in interest in access to corporate networks. In the first quarter of 2020, the number of offers to sell such access was 69% higher than in the previous quarter. This trend significantly impacts the security of corporate infrastructure, especially during the mass transition to remote work.

In the fourth quarter of 2019, more than 50 accesses to networks of large companies worldwide were put up for sale on hacker forums (the same number as for all of 2018). By the first quarter of 2020, over 80 accesses were being offered. Most often, the access on offer is to the networks of industrial organizations, service companies, financial institutions, science and education organizations, and IT companies. Combined, these sectors account for 58% of all offers.

A year or two ago, cybercriminals were mainly interested in access to individual servers, which cost around $20. Since the second half of 2019, there has been growing interest in purchasing access to entire corporate local networks, and deal amounts have increased as well. For example, access to the infrastructure of a company with annual revenue of $500 million or more can now command up to 30% of the potential profit after a successful attack. The average price for privileged access to a local network is currently about $5,000.

Victims now include organizations with annual revenues ranging from hundreds of millions to several billion dollars. Access to U.S. companies is sold most frequently (over a third of all offers), followed by Italy and the United Kingdom (each with 5.2%), Brazil (4.4%), and Germany (3.1%). In the U.S., the access sold is most often to service organizations (20%), industrial companies (18%), and government agencies (14%). In Italy, industrial companies (25%) and service organizations (17%) are most targeted, while in the U.K., science and education (25%) and finance (17%) lead. In Germany, 29% of all sold accesses are to IT and service companies.

Buyers of such access are usually other cybercriminals. They purchase access to carry out attacks themselves or to hire experienced hacker teams to escalate privileges within the network and deploy malware on critical infrastructure nodes of the victim company. Ransomware operators were among the first to adopt this scheme.

“We expect that in the near future, large organizations may become targets for low-skilled attackers who have found an easy way to make money,” says Vadim Solovyov, Senior Analyst at Positive Technologies. “During the global quarantine, as companies rapidly shift employees to remote work, hackers will look for any unpatched vulnerabilities on the network perimeter. The larger the company and the higher the privileges obtained, the more profit a criminal can make.”

To avoid such problems, Positive Technologies experts recommend that companies focus on comprehensive infrastructure protection—both at the network perimeter and within the local network. First, ensure that all perimeter services are secured, and that there is sufficient security event monitoring within the local network to detect intruders. Regular retrospective analysis of security events can help identify previously missed cyberattacks and eliminate threats before criminals steal information or disrupt business processes.

Note: Access on the dark web is a collective term that includes any tools and data allowing unauthorized control over a specific remote device or multiple devices. Criminals can gain access to corporate infrastructure in various ways; for example, by exploiting forgotten, unsecured web applications, outdated software, or misconfigured servers with weak administrator passwords.
