The cyber criminals selling network access to the highest bidder

The cyber criminals selling network access to the highest bidder

Levi Gundert, SVP of Global Intelligence at Recorded Future , discusses the selling of pay-per-install services on the dark web, including the increase of selling unauthorised access services.

Despite the best efforts of international authorities, the underground economy of cyber criminals has continued to grow and develop over the years. Criminals can purchase everything they need to enact an attack through the dark web, and there are many who specialise in selling on their services.

One of the cornerstones of this illicit market has long been pay-per-install (PPI), where buyers will purchase unauthorised access to a victim’s computer. The service is typically delivered through an automated platform that can provide access to large amounts of compromised machines at once. From here, the buyer will be free to install their malware payloads of choice, such as banking trojans, ransomware, adware and spyware.

Because of the volumes involved, PPI has traditionally been sold as a bulk commodity, with typical prices ranging from $0.05 and $0.20 per infection. Even the most prolific PPI sellers will only be making around $200 a day for their work.

However, recent years have seen a shift away from network access as a low-value, high-volume commodity and towards a new focus on directly selling or auctioning access to one system or network at a time. This model allows sellers to maximise their profits, and we have seen an alarming increase in network access related activity on the dark web as a result.

Shifting values and increasing threats

Whereas the older PPI model tended not to differentiate between the victims it sold access to, the direct model will adjust the price to match the value of the target, with name brand enterprises or governmental agencies for example selling for much higher prices.

One prolific seller Recorded Future investigated, known as Fxmsp Group, commonly secured upwards of $20,000 for access to a single organisation.

We observed a threefold increase in the amount of advertisements for PPI services and direct sales in 2017 alone, and numbers have continued to grow. As well as the total number of sales, the number of unique monitors advertising unauthorised access likewise more than tripled in 2017 and has increased year-over-year ever since.

The trend demonstrates the way the underground economy has continued to develop and mature, with more criminals realising that they can maximise the profits from their illegal skills by selling access onto other threat actors. All signs point to this trend continuing to increase for the foreseeable future.

As a result, both public and private sector organisations should brace themselves for an increased volume of opportunistic and targeted attacks on their networks as more actors try to satiate the growing demand for access to specific networks.

In particular, large, well-known organisations and governmental agencies should be aware that access to their networks is seen as an increasingly lucrative prize to be sold to the highest bidder.

Using threat intelligence to defend against unauthorised access

There are a number of different tactics used to gain unauthorised access to a network, but the four major threats are phishing, credential reuse, web shell placement, and the exploitation of misconfigured or vulnerable software.

Security teams should focus their efforts on these four areas if they hope to prevent their network becoming a hot ticket item on the dark web. Accurate, real-time threat intelligence will give security teams an edge in hardening their defences.

Credential reuse

Reusing credentials across the network greatly increases the chances of attackers gaining access. Good security hygiene such as vigilance in asset management and the removal of internet-facing systems running applications without multi-factor authentication will help to prevent credential reuse.

Security intelligence can also reduce the risk by alerting the security team when breached credential sets appear on the dark web, and this can be integrated into the SOAR (security orchestration, automation and response) workflow to initiate a password reset for any breached credential sets.


Attackers have become increasingly adept at disguising their phishing emails to evade security measures and trick targets into sharing login credentials. For example, an email security appliance could be configured to block specific file attachments but will be unable to block malicious emails with third-party links now commonly used for phishing.

Security intelligence can help teams regain the initiative by flagging new domains likely to be used for phishing, helping to improve email security gateway content inspection and detection in DNS telemetry or web proxy appliance resolution.

Web shell placement

Adversaries typically place web shells on web servers via a software vulnerability or misconfiguration. Web shells often evade web application firewalls (WAF) and enable long-term persistence on one or more web servers, which can be used to exploit information resources or gain unauthorised system access.

Detecting the malicious use of web shells requires the continuous identification of new shells and associated feature assessments, a task greatly aided by accurate security intelligence.

Exploiting a known software vulnerability

Keeping up with software patching is essential to defending the network from intrusion, particularly when a new zero-day vulnerability has been discovered. However, organisations often struggle with prioritising and executing an effective patching process – especially enterprises with large environments.

Security intelligence can provide valuable insight to help prioritise certain patches, as well as giving an early warning of vulnerabilities before they appear on the National Vulnerability Database.

As the underground economy continues to shift towards a greater focus on offering on-demand access to specific, high profile networks, organisations must be prepared to defend against even greater numbers of attackers looking to profit from breaking into their network.

However, by focusing on the four most common attack methods used to infiltrate and gain permanence in the network environment, enterprises will be better placed to keep intruders out. Equipping security teams with real-time threat intelligence will enable them to track the latest movements in the criminal community and prevent network access being sold to the highest bidder.

Copyright Lyonsdown Limited 2021

Top Articles

Double trouble: the rising threat of double-extortion ransomware

Ransomware attackers continue to threaten businesses at an increasing scale, speed and sophistication.

The blurring line between nation-state and cyber-criminals

Russia is widely known to be involved in a plethora of cyber-criminal activity.

XDR: Delivering value where SIEMs fail

Implementing an XDR solution means faster detection, and remediation of cyber incidents

Related Articles

[s2Member-Login login_redirect=”” /]