Attackers Increasingly Use Initial Access Broker, Stolen Credentials in Cloud-based Cyberattacks

Attackers Increasingly Use Initial Access Broker, Stolen Credentials in Cloud-based Cyberattacks

There is increasing demand for the services of initial access brokers (IABs) and credentials in cloud-based cyberattacks.

In its Cloud Threat Report 2021, Lacework explained how cybercriminals are simplifying their job when infiltrating cloud service providers.

According to the cloud security firm, they’ve observed a few trends in cloud-based cyberattacks. One of them is an increase in the number of IABs being deployed in the cloud.

Initial Access Brokers are individuals or groups that have gained access to a target system through weak or stolen credentials and sell it to other cybercriminals. The average price of network access is around $5,400.

There are a number of ransomware groups that are interested in IABs’ services, and other threat actors are also recruiting IABs for their own goals.

According to Lacework, attackers increasing often buy administrator credentials from IABs to perform various attacks.

“What started as one-off marketplace postings continues to escalate as criminals begin to understand and operationalize the utility of access to cloud services above and beyond cryptocurrency mining,” the team says.

The report also investigates the latest TeamTNT criminal activities against cloud services and its botnet, first spotted back in 2020, that is known to install cryptocurrency-mining malware.

According to the report, TeamTNT often exploits exposed Docker APIs and then uses malicious Docker images to infect victims. Attackers also hijack public Docker repositories to host malware.

Lacework’s team also believes that service is being abused to notify ransomware operators of malware execution on a compromised system.

Other points of interest include the honeypot data that the firm collects, which suggests that various services such as SSH, SQL, Docker, and Redis are most likely to be targeted.

zgrab is commonly used to perform deep dive on Docker APIs scanning for vulnerabilities.

Tor is often employed when attackers target AWS environments.

And the command line interface INFO command is most commonly used to harvest data from targeted Redis systems.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.