The asking price is considerably more expensive than most IAB posts, but the potential payout for attackers is also huge

On August 9, an initial access broker (IAB)on a popular Russian-language forum posted that they are selling access to the entire network of a “central bank.” The actor claims to have access to the domain authority for around 10,000 machines, which they note use Symantec EDR. The actor adds that this includes access to and over 4 TB of internal data, including  shared network folders and database.

While the actor declines to name the bank in question, they note it possesses assets valued “in the billions,” and that the access is “perfect [to] rob Swift.”

The actor is selling access for $500,000 to reputable forum members.

Initial access brokers (IABs) are actors that sell access (generally in auctions) to companies on underground forums. They are generally advanced actors that specialize in this critical step, and anyone can purchase access and abuse it to deploy ransomware, siphon system resources, harvest confidential information, and assume control of logged-in accounts.

According to research by Kaspersky, it appears that the largest determining factor in the pricing is the company revenue. Indeed, considering that ransomware operators are known to set ransom demands with company revenue (an average of 2.82% of a victim’s annual revenue, according to Check Point), it makes sense that the cost of access correlates with the potential payout.

In a random sample of 175 IAB auctions in 2021, we discovered that the purchase price varied from $50-$30,000 with a median of $700. Thus, $500,000 constitutes an extremely high asking price. However, considering that an attacker can use this access not only to attack the bank but to rob SWIFT, this steep initial investment might pay off handsomely.

Indeed, the reference to SWIFT is resonant of an attack from 2016, in which hackers, allegedly North Korean state actors, breached Bangladesh Bank and issued fraudulent money transfer orders to the US central bank. The attackers stole $81 million in this massive heist. The initial access broker is undoubtedly aware of the earlier attack and therefore, the potential payout.

In general, the dark web is not a crystal ball. Actors very rarely give explicit details about their intent, such as specific attacks that they are about to commit, and capabilities, such as the tactics, techniques, and procedures that they intend to employ.

 

However, listings for sale from IABs are different; because the posts are written to attract buyers, they include details that allow us to understand which entity is compromised and how the story will play out.

This post just might signify the opening salvo in tomorrow’s headline. Any institution fitting the description of the organization in the post ought to investigate if they are compromised before it’s too late.