[MART] - Daily Diary #515 - The market of Initial Access

CTAS-MAT ctas-mat at appgate.com
Fri May 20 19:33:15 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/20/2022 - Diary entry #515:

Initial Access refers to the first step of a compromise, the one that gives attackers remote access to a computer, system, or user account. It can also refer to a previously found or deployed backdoor, or even an insider. Threat actors gain "Initial Access" using techniques such as social engineering, exploiting vulnerabilities, testing leaked credentials, abusing trust relationships, and others. Another popular way to get in is to brute-force the credentials of exposed services, like VPNs and RDP. Once valid "initial access" is obtained, threat actors can use it to deploy multiple types of cyberattacks.

For that reason, "initial access" has become a whole market on underground cybercrime forums. Nowadays there are cyber-crime gangs that specialize in just obtaining valid credentials and selling them to other threat actors. An unskilled threat actor can purchase valid accounts and simply launch their attacks. The cyber-crime group Lapsus$, for instance, goes as far as publishing ads in their public channels to hire insiders or anyone who can sell a valid credential for a company or sector they want to target.

To be protected against threat actors that purchase "initial access", it's important for companies to have a way to detect credential brute-forcing and to adopt Multi-Factor Authentication so leaked credentials can't be used. On top of that, it is necessary to implement reasonable security measures, such as profiling every device and user trying to connect to the network and segmenting the network, by adopting a Zero Trust mindset.

Kind Regards,
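
Added example, not part of the original diary entry: a sketch of the two detections the last paragraph calls for, a failed-login burst per source (brute-forcing) and a successful login from a device outside the user's profile, which is how a purchased credential shows up since no failures precede it. The event format, field names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events for a VPN/RDP gateway (hypothetical format):
# (timestamp, user, source_ip, device_id, outcome, mfa_passed)
EVENTS = [
    ("2022-05-20T09:00:00", "alice", "192.0.2.10", "dev-alice-1", "success", True),
    ("2022-05-20T09:05:00", "bob", "203.0.113.5", "-", "failure", False),
    ("2022-05-20T09:05:20", "bob", "203.0.113.5", "-", "failure", False),
    ("2022-05-20T09:05:40", "carol", "203.0.113.5", "-", "failure", False),
    ("2022-05-20T09:06:00", "dave", "203.0.113.5", "-", "failure", False),
    ("2022-05-20T09:06:30", "bob", "203.0.113.5", "-", "failure", False),
    ("2022-05-20T11:00:00", "carol", "198.51.100.77", "dev-unknown-9", "success", False),
    ("2022-05-20T11:30:00", "bob", "192.0.2.11", "dev-bob-1", "success", True),
]
# Assumed baseline of devices already profiled per user.
KNOWN_DEVICES = {"alice": {"dev-alice-1"}, "bob": {"dev-bob-1"}, "carol": {"dev-carol-1"}}

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: targeted users} for IPs with >= threshold failures in a window."""
    recent = defaultdict(deque)  # source_ip -> (time, user) of recent failures
    flagged = {}
    for ts, user, ip, _dev, outcome, _mfa in sorted(events):
        if outcome != "failure":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, set()).update(u for _, u in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

def find_unprofiled_logins(events, known_devices):
    """Successful logins from a device not in the user's baseline; no MFA raises severity."""
    alerts = []
    for _ts, user, ip, dev, outcome, mfa in sorted(events):
        if outcome == "success" and dev not in known_devices.get(user, set()):
            alerts.append((user, ip, dev, "medium" if mfa else "high"))
    return alerts

if __name__ == "__main__":
    print(find_bruteforce(EVENTS))
    print(find_unprofiled_logins(EVENTS, KNOWN_DEVICES))
```

The failure counter alone never fires on the 11:00 login for carol; only the device baseline does, which is why both checks are needed.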