35: What are Initial Access Brokers?
Takeaway Points:
IABs are focused on gaining unauthorised access to networks or, more specifically, to identities.
The access is then made available to other threat actors - either via a rental or full purchase model - via "darkweb" marketplaces.
They cover the full range of accounts - from standard users and privileged administrators to VPN and remote access accounts.
Methods of gaining access are varied and continually evolve, and include things like phishing, credential stuffing, mis-configuration exploitation (especially in cloud service provider ecosystems), infostealers, mis-configured API security and so on.
As IABs are market-driven, the features and capabilities they provide have fast become focused, granular and iterative.
Some common examples include:
Zebra210
RDP and VPN access in the US and EMEA. Used by the Conti ransomware group. Leveraged phishing, credential theft and remote service scanning.
Exotic Lily
Contractor-based IAB. Used by the Conti and Diavol ransomware groups. Used fake personas to create spear-phishing attacks.
MagBo Marketplace
Underground marketplace for hacked webshells. Exploited weak authentication methods.
Standard hygiene and behaviour-detection controls can help reduce both the likelihood and impact of such attacks.
Dormant and orphan account identification. MFA rollout. Movement to passwordless. Automation/robot checks during login.
Checks for impossible travel, for multiple devices logging in to a single account, and for admin interface usage.
Use of token and session binding.
End-to-end monitoring and response mechanisms.
Improved user awareness - especially with respect to phishing.
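Three of the behaviour checks listed above (impossible travel, several devices on one account in a short window, and dormant accounts) as an added, self-contained Python example; this is not code from the episode notes. The sign-in records, user names, device ids and coordinates are constructed, and the 900 km/h speed limit, 30-minute window, two-device limit and 45-day idle threshold are assumptions to tune for your own environment.

```python
"""Behaviour checks over constructed sign-in events: impossible travel,
many devices on one account, and dormant accounts (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    ts: datetime
    user: str
    device: str
    lat: float
    lon: float


# Constructed sample sign-in log: timestamp user device latitude longitude.
# Alice appears in London and then New York 40 minutes later; Bob signs in
# from three devices within seven minutes; Carol was last seen two months ago.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice dev-laptop-1 51.5074 -0.1278
2024-05-01T08:40:00Z alice dev-unknown-7 40.7128 -74.0060
2024-05-01T09:00:00Z bob dev-phone-2 48.8566 2.3522
2024-05-01T09:05:00Z bob dev-laptop-9 48.8566 2.3522
2024-05-01T09:07:00Z bob dev-tablet-4 48.8566 2.3522
2024-03-01T10:00:00Z carol dev-laptop-3 52.5200 13.4050
"""

# Constructed "current time" used for the dormancy check.
REFERENCE_NOW = datetime(2024, 5, 1, 12, 0, 0)


def parse_log(text):
    """Parse the whitespace-separated sample format into SignIn records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, lat, lon = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, device, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events):
    groups = defaultdict(list)
    for e in events:
        groups[e.user].append(e)
    return groups


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins of one user whose implied speed exceeds max_kmh.
    Returns (user, earlier_ts, later_ts, distance_km, speed_kmh) tuples."""
    alerts = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev.ts, cur.ts, round(km), round(speed)))
    return alerts


def multi_device(events, window=timedelta(minutes=30), max_devices=2):
    """Flag a user (once) when more than max_devices distinct devices sign in
    within a trailing window; the earliest offending event is reported."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, cur in enumerate(evs):
            recent = [e for e in evs[: i + 1] if cur.ts - e.ts <= window]
            devices = {e.device for e in recent}
            if len(devices) > max_devices:
                alerts.append((user, cur.ts, sorted(devices)))
                break
    return alerts


def dormant_accounts(events, now=REFERENCE_NOW, max_idle=timedelta(days=45)):
    """Return users whose most recent sign-in is older than max_idle at time now."""
    last_seen = {}
    for e in events:
        last_seen[e.user] = max(last_seen.get(e.user, e.ts), e.ts)
    return sorted(u for u, t in last_seen.items() if now - t > max_idle)


def run_checks(text=SAMPLE_LOG, now=REFERENCE_NOW):
    """Run all three checks over a log and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "impossible_travel": impossible_travel(events),
        "multi_device": multi_device(events),
        "dormant": dormant_accounts(events, now),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

The checks are deliberately independent so each can be wired to its own alert rule; in practice the coordinates come from an IP geolocation step and the device id from a device-registration or user-agent fingerprint, both of which are outside this example.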