With advertisements for access to compromised victim networks becoming increasingly prevalent across cybercriminal platforms, Digital Shadows has compiled the following glossary of terms to help differentiate between the numerous types of access offerings we have identified across our sources. We will also look into why some access offering features may result in higher asking prices than others.
Full or Partial Network Access
Some of the more common listings on cybercriminal forums offer full or partial access to victim networks. Depending on the extent of the network access, threat actors who compromise systems in this manner will gain the ability to extract, modify, or delete data and configurations, either with full administrator rights or elevated privileges. Some key examples include:
Network Access
- This is one of the more popular terms threat actors adopt to advertise access offerings.
- Although very ambiguous, the term usually refers to one of the more specific access types in this list. It does not specify which part of the network the threat actor can reach or at what permission level.
- The terminology is often used as a tactic to avoid providing detailed information about the access that could inadvertently tip off potential victims. It could also demonstrate a threat actor’s lack of knowledge relating to the access itself and might therefore deter potentially interested parties from purchasing the listing.
- “Network access” can also relate to potential vulnerabilities in the software or security mechanisms used to protect a network that could inadvertently provide access to a victim’s system through remote code execution (RCE) activity. Such access may be used to extract confidential information from the victim system, install malicious software, or perform privilege escalation techniques to elevate permissions.
RDP (Remote Desktop Protocol)
- RDP is a proprietary protocol created by Microsoft to enable a graphical interface to remotely connect to another computer over a network, displayed on a separate client device.
- RDP offerings are one of the most popular types of access advertised across the cybercriminal community. Such listings provide threat actors direct remote access to a victim’s system (which is highly desirable), enabling the potential installation or removal of software, altering system settings, and viewing or extracting confidential information.
- The victim system’s permission levels determine the threat actor’s level of accessibility to the network. However, threat actors can offset lower permission levels with the use of privilege escalation techniques.
SSH (Secure Shell) or Reverse Shell
- SSH is a cryptographic network protocol for securely operating network services over an unsecured network. Typical use-cases include remote command-line, login, and remote command execution (RCE); however, any network service can be secured with SSH.
- Reverse SSH is a similar technique that allows threat actors to access systems that are behind a firewall.
- These listings represent another popular type of access. They are highly sought-after due to their wide range of uses. SSH accesses provide adversaries with the ability to perform both remote command line (commands entered in the terminal and executed as if being run on the physical system) and RCE actions on a server, enabling the addition, deletion, and transfer of files, addition and removal of users on the victim system, and escalation of privilege levels.
VPN (Virtual Private Network)
- A VPN lets an organization give its employees access to cloud resources over a secure, end-to-end encrypted connection into the organization’s network. This enables remote working, as employees can reach their company’s network from any location.
- These listings can be advantageous to a threat actor due to the access they can provide to a victim system in terms of network connectivity and possible access to cloud infrastructure.
- The value of these listings can be limited and depends on the victim system’s permission levels. Nevertheless, VPN access can still be utilized to read or extract an organization’s data, and access shared network resources.
- Vulnerabilities in VPN services can also provide a means for privilege escalation opportunities if additional vulnerabilities are identified in the victim system’s software.
Access to Software-as-a-Service (SaaS) Solutions
Organizations often use multiple software-as-a-service solutions to streamline workflows and provide additional security. Compromising these services can provide threat actors with access to valuable business, client, or user data. It may even allow them to pivot off the service to gain deeper access to the victim’s system. Some key examples include:
CRM (Customer Relationship Management)
- CRM refers to any tool, strategy, or process that helps an organization to analyze and manage past, present, and potential customers and their data.
- This is not a very common access offered in the cybercriminal community, but it can still be seen as valuable, depending on the victim system and their number of clients.
- Access to CRM software could be valuable to a threat actor if it provides access to intellectual property or information about the victim organization’s client list. This access may result in extortion attempts from threat actors or issues with the General Data Protection Regulation (GDPR) legislation, leading to significant reputational and financial damage for the victim organization.
Citrix Remote PC Access
- Like RDP, Citrix Remote PC Access software provides the ability to connect to a network remotely as if using a local device hardwired to it. It gives users seamless access to the network from any device they own without installing or loading a VPN.
- Citrix access can be just as valuable as RDP access: both solutions provide the same level of functionality and access to a victim system. Such access gives threat actors direct remote access to a victim’s system, enabling the installation or removal of software (depending on permission levels), alteration of system settings, and viewing or extraction of confidential data.
- Compromising an organization’s Citrix software would enable a threat actor to access a victim system remotely and assume user permissions or perform privilege escalation mechanisms to elevate their user status and provide greater control over the victim system.
RMM (Remote Monitoring and Management)
- RMM, also known as “network management” or “remote IT management,” is a platform that helps managed IT service providers (MSPs) remotely monitor client endpoints, networks, and computers.
- Threat actors consider this type of access valuable because it provides remote access to IT management software used by victim organizations and can enable the following actions: file transfer, deployment and running of files, uninstalling antivirus services from systems, deployment of firewall rules, and access to domain controllers, file servers and backup devices.
Access to Network Software or Hardware Components
Threat actors often advertise access to components of a network, including hardware and software. Although potentially not as valuable as the full or partial network access listed above, threat actors can often use these accesses for pivoting into internal network infrastructure through other attack vectors. They can help threat actors accomplish various purposes, including credential harvesting, data exfiltration, and malware downloads. The pricing of these accesses varies depending on the level of access to data on the victim system and the permission levels they are assigned. Some key examples include:
Router
- A router facilitates both internal and external connections on a network.
- While the value of this type of access varies depending on the threat actor’s needs, it is typically used in efforts to pivot into internal networking infrastructure through other attack vectors (e.g., malicious downloads, credential harvesting, or DNS hijacking).
- Compromising the router would give a threat actor access to the networking infrastructure and to the data sent and received across the network. This enables them to spy on network traffic (with the potential for credential harvesting), trick the router into downloading malicious content, perform DNS hijacking (making users think they are accessing a legitimate version of a website when they are visiting a malicious domain), and incorporate the router into a coordinated Distributed Denial-of-Service (DDoS) attack.
Firewall
- A firewall is a network security system that maintains an access control list (ACL) for the specified network. It monitors incoming and outgoing network traffic and decides whether traffic should be blocked or allowed according to predefined security rules.
- Access to the firewall can be considered valuable. It could allow threat actors to permit malicious traffic into and out of a victim’s network, enabling downloads of malicious software from within the network or connections to external resources controlled by the threat actor.
Server
- “Server” is a vague term, just like “network access.” Servers come in all forms, and unless specified by the threat actor, it is hard to gauge what type of server access is being advertised with this generic terminology.
- In the context of access offerings, this type of access most commonly refers to remotely connected databases or file servers accessible to an organization via a VPN.
- These accesses can be considered valuable to a threat actor due to their access to an organization’s data and its internal networks. The extraction of data, transfer of files, or malware deployment are just a few of the possibilities for the threat actor (depending on the permission levels of the victim system).
- Furthermore, threat actors can use the access to identify additional vulnerabilities in connected software/hardware that may enable privilege escalation to gain greater control of the victim system and perform more invasive actions (backup storage destruction or installing additional backdoors).
- If a threat actor refers to “root access” in their offering, this means the threat actor has full control of the server.
FTP (File Transfer Protocol)
- FTP is a well-known network protocol used to transfer files (sending and receiving) over the Internet. However, its use is not widely recommended due to its reliance on clear-text usernames and passwords for authentication purposes.
- As FTP is not widely recommended for use these days, such an access’s value is likely to be lower. If the access is known to provide connections to other components of a victim system, however, it might give a threat actor a gateway into other areas of the victim’s network that could facilitate malicious activity.
Access to web-facing infrastructure
Although network accesses are highly popular among cybercriminals, one other area that is garnering interest is gaining access to organizations’ Internet-facing infrastructure and exploiting the subsequent access to data. Some key examples include:
Webshell
- A webshell is a malicious script that enables remote access and the execution of commands to escalate and maintain access on an already-compromised web server.
- This access is valuable to a threat actor because the victim web server has already been compromised, and a shell has been installed. This access can be used to remotely perform malicious actions on the server (view or edit files, work with databases, run programs), or escalate privilege levels to gain complete control of the server. This privilege can enable actions such as installing software, extracting data, and altering configuration settings.
- Threat actors can potentially use access to a web server to pivot off into the internal network of a victim system.
AWS (Amazon Web Services) – Cloud Computing
- AWS is a secure cloud services platform that offers computing power, database storage, content delivery, and other functionalities to facilitate business growth and scalability without owning the physical assets.
- This type of access is considered valuable because a victim system might potentially use the infrastructure to store intellectual property or sensitive data (client and customer). AWS might even be used for backup storage services, which could inadvertently provide access to complete infrastructure set-ups for an organization and account details of IT management personnel.
- With this type of access, a threat actor can use AWS Identity and Access Management (IAM) to create and manage users and groups in the victim’s AWS account and to set permissions that allow or deny access to AWS resources. This may allow the installation or removal of software, the creation of additional accounts for malicious activities, and data extraction.
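As a defender’s counterpart to the IAM activity just described, here is an added example (not Digital Shadows code) that groups CloudTrail IAM calls by the user they target and flags a newly created user that is immediately given a long-lived access key and the AdministratorAccess policy. The CloudTrail records, principal names and timestamps are constructed.

```python
# Added example (not Digital Shadows code): flag IAM persistence patterns in
# CloudTrail. The records below are constructed; names and times are made up.
from collections import defaultdict

# Constructed CloudTrail records: a compromised admin principal creates a new
# IAM user, issues it a long-lived access key and attaches the AWS-managed
# AdministratorAccess policy. Real events carry many more fields than shown.
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-03T10:14:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2021-05-03T10:14:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2021-05-03T10:15:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

# IAM API calls that create a principal or broaden what it may do.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def iam_persistence_findings(events):
    """Group persistence calls by the IAM user they target. A target is reported
    only when hit by two or more distinct call types, so a lone key rotation
    stays quiet; each finding lists actors, calls and whether admin was attached."""
    by_target = defaultdict(lambda: {"by": set(), "calls": [], "admin_policy": False})
    for ev in events:
        if (ev.get("eventSource") != "iam.amazonaws.com"
                or ev.get("eventName") not in PERSISTENCE_CALLS):
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("userName")
        if not target:
            continue
        rec = by_target[target]
        rec["by"].add(ev.get("userIdentity", {}).get("userName", "<unknown>"))
        rec["calls"].append(ev["eventName"])
        if params.get("policyArn") == ADMIN_POLICY:
            rec["admin_policy"] = True
    return {t: r for t, r in by_target.items() if len(set(r["calls"])) >= 2}


if __name__ == "__main__":
    for target, rec in iam_persistence_findings(SAMPLE_EVENTS).items():
        flag = " (AdministratorAccess attached)" if rec["admin_policy"] else ""
        print(f"{target}: {sorted(set(rec['calls']))} by {sorted(rec['by'])}{flag}")
```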
WP (WordPress) Administration Panel
- WordPress is an open-source content management solution that enables effective management of a website without programming knowledge.
- This type of access is considered valuable as it provides a threat actor with access to the administration center of a victim’s WP-powered website, enabling the addition or removal of files, installation of programs, and the extraction of a victim’s website data.
- WP access can be used to replace website content with malicious downloads to facilitate credential harvesting, the installation of backdoor software on other systems, and the infiltration of a victim system’s internal networking infrastructure.
Hosting Account
- A hosting account is used to store the files and information required to create websites or applications. These accounts are usually assigned by a web hosting provider, who owns servers to enable this capability.
- The value of this access to threat actors is similar to that of the WordPress offerings: It provides access to the administration center of a victim’s website, enabling the addition/removal of files and the alteration/extraction of a victim’s website content.
- These accesses can be used to replace website content with malicious downloads to facilitate credential harvesting, the installation of backdoor software on other systems, and the infiltration of a victim system’s internal networking infrastructure.
Dedicated Server
- “Dedicated server” means the owner has exclusive access to an entire server, as opposed to shared hosting infrastructure, where a server might be accessible to multiple entities at any given time. These servers help to provide peak performance and reliability to their owner.
- Access to a dedicated server differs from access to a hosting account: server access covers all websites or applications owned by the victim, whereas a hosting account would only give access to a single website or application.
- Compromising a dedicated server would provide a threat actor with access to a physical server that is only available to the server’s owner and could facilitate the deployment of malware, extraction of data from multiple sources, and the ability to infiltrate resources connected to internal infrastructure for lateral movement.
cPanel
- cPanel is a web-based, Linux-based GUI control panel designed to simplify website and server management.
- Threat actors could exploit this access to publish websites, manage domains, organize and upload web files, and create or manipulate user accounts.
Privilege Levels
The privilege level of an access is also a significant factor in an access offering. It defines the level of control a threat actor will have over a victim system and the types of activities they can perform. Administrator status signifies far greater access to a victim system and permits actions such as installing or removing software, whereas standard user access might only allow limited access to system files and resources. Some key examples include:
Domain Administrator
- Domain administrator rights enable a user to edit information in Active Directory (AD), alter the configuration of AD servers, and modify any content stored in AD.
- Domain administrator users have full control of a system domain by default and are members of the administration groups on all domain controllers, all domain workstations, and all domain member servers when they join the domain.
- This access represents the highest form of access a threat actor would seek to gain.
- Threat actors can use initial network accesses to pivot into these types of accounts.
- Access to this user group gives threat actors full control of all domain controllers in the domain.
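Because membership of Domain Admins is the privilege level most sought after, a defender will want to know the moment it changes. The following added example (not Digital Shadows code) reviews Windows Security events 4728/4732/4756 for additions to Domain Admins and similar groups; the event records and account names are constructed, and `approved_admins` is a hypothetical allow-list of accounts permitted to make such changes.

```python
# Added example (not Digital Shadows code): flag additions to privileged AD
# groups in Windows Security events. Records are constructed; names are made up.

# Groups whose membership changes should always be reviewed. "Domain Admins" is
# the page's focus; the others are AD built-ins with comparable reach.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

SAMPLE_EVENTS = [  # constructed, mirroring the EventData fields of these events
    {"EventID": 4728, "TimeCreated": "2021-05-03T22:41:07Z", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2021-05-03T09:12:00Z", "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Sales",
     "MemberName": "CN=Alice,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4624, "TimeCreated": "2021-05-03T22:40:55Z", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]


def privileged_group_additions(events, approved_admins=frozenset()):
    """Return one finding per addition to a privileged group.
    approved_admins: accounts permitted to change these groups (for example a
    change-control break-glass account); any other actor is marked unexpected."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName", "<unknown>")
        # MemberName is a distinguished name; keep just the leading CN for readability.
        member = ev.get("MemberName", "").split(",")[0]
        if member.startswith("CN="):
            member = member[3:]
        findings.append({
            "time": ev.get("TimeCreated"),
            "dc": ev.get("Computer"),
            "group": group,
            "member": member,
            "actor": actor,
            "unexpected_actor": actor not in approved_admins,
        })
    return findings


if __name__ == "__main__":
    for f in privileged_group_additions(SAMPLE_EVENTS, approved_admins={"da-changectl"}):
        status = "UNEXPECTED" if f["unexpected_actor"] else "approved"
        print(f"{f['time']} {f['dc']}: {f['actor']} added {f['member']} to "
              f"{f['group']} [{status}]")
```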
Administrator
- This privilege level is highly sought after due to its ability to allow the user to perform software and hardware driver installations, alter system settings, and install system updates.
- Accesses with this privilege level are likely to garner higher pricing due to the unrestricted access they provide on the victim system.
Factors Determining the Value of an Access Offering
Our research across several high-profile cybercriminal forums has revealed that the following networking attributes usually determine the value of an access offering:
- Number of hosts (connected PCs to the network)
- Number of trusts (a secure communication channel between two domains on Windows OS that enables access to additional resources in connected domains)
- Whether the user has tried to escalate privileges or not
- The number of users on the network
Other influential factors include:
- The country of origin (Western targets attract a higher price-point and more interest than other geographical regions)
- Company turnover (higher revenue for a victim organization results in higher prices because of the monetary value assigned to the organization’s data and its larger number of clients)
- Type of access (RDP or SSH will likely garner a higher price-point than FTP or firewall access, because they allow the adversary to perform a more extensive range of malicious activities and give direct access to the internal network; the latter might require an additional attack vector to reach the same level of access)
- System permission rights (administrator or domain administrator rights will always be priced significantly higher than standard permission rights because of their greater system access and broader applicability; a standard user would require privilege escalation techniques to acquire the permissions needed to perform additional malicious actions)
The trend for access offerings shows no sign of abating any time soon – it seems that more and more threat actors are pouncing on their popularity.