On April 27, 2020, it became known that Positive Technologies experts conducted a study of trading platforms in the shadow market of cyber services and found a surge of interest in access to the corporate network: in the first quarter of 2020, the number of offers for the sale of access is 69% higher than in the previous quarter. The revealed trend significantly affects the security of the corporate infrastructure during the period of mass transfer of employees to remote work.

As reported, in the fourth quarter of 2019, more than 50 accesses to the networks of large companies from around the world were put up for sale on hacker forums (the same number was counted for the whole of 2018), and already in the first quarter of 2020, more than 80 accesses were on sale. Most often, access to industrial organizations, companies from the service sector, finance, science and education, and information technology are sold (all these are 58% of the offers in aggregate).

The number of new branches on shadow forums dedicated to access to corporate networks

If a year or two ago, attackers were mainly interested in access to single servers that cost within $ 20, then since the second half of 2019 there has been an increase in interest in buying access to local networks of companies. Transaction amounts have also increased. For example, in April 2020, companies with an annual income of $ 500 million offer a share of up to 30% of the potential profit after the attack is completed for access to the infrastructure. The average cost of privileged access to a local network is now about $ 5,000.

Distribution of hacked organizations by industry

The number of victims as of April 2020 includes organizations with annual revenues ranging from hundreds of millions to several billion dollars. Accesses to companies from the USA are most often sold (more than a third of all offers), Italy and the UK are also in the top five (5.2% of offers each), Brazil (4.4%), Germany (3.1%). At the same time, in the case of the United States, access to service organizations (20%), industrial companies (18%) and government agencies (14%) are most often sold. In Italy, industry (25%) and the service sector (17%) are the leaders in demand, while in the UK ― the sphere of science and education (25%) and the financial industry (17%). 29% of all accesses sold to German companies are in the IT and service sectors.

Geography of hacked companies

Usually the buyers of such goods are other intruders. They acquire access to develop an attack on their own or hire an experienced team of hackers to increase privileges on the network and place malicious files on critical infrastructure nodes of the victim company. Cryptographic operators were among the first to adopt such a scheme

We expect that in the near future large organizations may be targeted by low-skilled violators who have found a way to earn easy money. During the global quarantine period, when companies massively transfer employees to remote work, hackers will look for any uncovered breach in the systems on the perimeter of the network. The larger the company that will be able to access the network, and the higher the privileges received, the more the criminal will be able to earn.

In order to avoid problems, Positive Technologies experts recommend companies to pay attention to comprehensive infrastructure protection — both on the network perimeter and in the local network. First of all, you should make sure that all services on the perimeter of the network are protected, and a sufficient level of security event monitoring is provided in the local network to identify the intruder. Regular retrospective analysis of security events will allow you to detect previously missed cyber attacks and eliminate the threat before attackers steal information or stop business processes.