This report includes information gathered using the Recorded Future® Platform, dark web sources, and open-source intelligence (OSINT) techniques. It is a high-level summary of the chain of events that enables a ransomware attack, intended as an overview for cybersecurity professionals with non-technical backgrounds or roles.
Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often far less public and visible than the sale of compromised credentials. Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of an attack, from initial access through ransomware deployment. We provide mitigations for credential breaches, infostealer malware infections, and ransomware attacks, as well as our assessment of the future of these tools and of the wider ransomware threat landscape.
Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, often sold on dark web and special-access forums, are the work of specialized threat actors colloquially referred to as “initial access brokers” (IABs). IABs use several tools and TTPs to obtain such access, including harvesting valid credential pairs and session cookies from successful infostealer malware deployments, purchasing infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, Remote Desktop Protocol (RDP) brute-force password guessing, and more. The credential pairs most commonly offered for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC). Less common, but more sought-after, are ESXi root and Active Directory (AD) access methods, zero-day and n-day vulnerabilities, code injection points (HTML, SQL), and others. This report outlines the typical process by which an initial access broker obtains compromised access methods and sells them on dark web and special-access sources, and how such methods are then used to conduct a successful ransomware attack.