Research released Tuesday by Lacework found that initial access brokers (IABs) — threat actors who provide network access to other threat groups for a fee — have expanded to cloud accounts.
The researchers report that Amazon Web Services, Google Cloud Platform, and Microsoft Azure administrative accounts have gained popularity in underground marketplaces.
Lacework’s research was based on anonymized data across the Lacework platform from May 2021 to July 2021.
The emergence of IABs took fire toward the end of the first quarter of 2020, when the ransomware landscape began getting exceedingly competitive, said Alec Alvarado, threat intelligence team lead at Digital Shadows. Ransomware affiliates faced pressure from developers to either show results or be cut from the affiliate program, Alvarado said, adding that this pressure created an almost perfect storm for the birth of the access broker landscape.
“IABs play an important role in the ransomware landscape and have likely moved to different channels of advertising their accesses due to XSS, Exploit, and RaidForums banning ransomware activity,” Alvarado said. “They are customer agnostic and will sell to the highest bidder, whether nation-state or cybercriminal. Having the ability to monitor these listings provides defenders an understanding of what to protect and how IABs gain access to their organizations.”
Vishal Jain, co-founder and CTO at Valtix, said that initial access is granted via compromised accounts, that’s why enterprises need to look at identity access management (IAM) roles and configuration gaps.
“Cloud security posture management tools such as Lacework can certainly help here,” Jain said. “Overall, the report is not surprising at all. The pandemic has accelerated the rush to the cloud and cyberattackers go where the money is. Enterprises need layered security to detect and protect against these attacks. Cloud is all about apps and the network is the common ground: every app touches it. Enterprises need cloud-native network security models that can be easily deployed and will adapt to new applications and changes.”
The Lacework researchers also found a new cluster of activity around the Chinese crimeware group the 8220 gang, which they said infected hosts primarily through common cloud services with a customer miner and an internet relay chat (IRC) bot for further attacks and remote control.
They also found that threat actor TeamTNT — which tweets in English and German but whose origin is still unknown — backdoored legitimate Docker images in a supply chain-like attack. Networks running the trusted image were unknowingly infected, according to Lacework.