There is increasing demand for the services of initial access brokers (IABs) and credentials in cloud-based cyberattacks.
In its Cloud Threat Report 2021, Lacework explained how cybercriminals are simplifying their job when infiltrating cloud environments.
According to the cloud security firm, it has observed several trends in cloud-based cyberattacks. One of them is a rise in the number of IABs offering access to cloud environments.
Initial access brokers are individuals or groups that gain a foothold in a target system, typically through weak or stolen credentials, and sell that access to other cybercriminals. The average price of network access is around $5,400.
There are a number of ransomware groups that are interested in IABs’ services, and other threat actors are also recruiting IABs for their own goals.
According to Lacework, attackers increasingly often buy administrator credentials from IABs to perform various attacks.
“What started as one-off marketplace postings continues to escalate as criminals begin to understand and operationalize the utility of access to cloud services above and beyond cryptocurrency mining,” the team says.
The report also investigates the latest TeamTNT criminal activities against cloud services and its botnet, first spotted back in 2020, that is known to install cryptocurrency-mining malware.
According to the report, TeamTNT often exploits exposed Docker APIs and then uses malicious Docker images to infect victims. Attackers also hijack public Docker repositories to host malware.
Lacework’s team also believes that canarytokens.org service is being abused to notify ransomware operators of malware execution on a compromised system.
Other points of interest include the honeypot data that the firm collects, which suggests that various services such as SSH, SQL, Docker, and Redis are most likely to be targeted.
zgrab is commonly used to probe Docker APIs in depth, scanning them for vulnerabilities.
Tor is often employed when attackers target AWS environments.
And the INFO command, issued through the Redis command-line interface (redis-cli), is most commonly used to harvest data from targeted Redis systems; INFO returns the server version, operating system, memory usage and replication details, which lets an attacker fingerprint the host before doing anything noisier.
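To make the two reconnaissance patterns above concrete (the exposed Docker API probing and malicious image pulls described earlier, and INFO harvesting against Redis), here is a small honeypot triage script. It is an added example written for this page, not code from Lacework or from the report. It decodes the RESP framing that redis-cli puts on the wire, classifies Docker Engine API request lines by whether they only read state or actually deploy something, and runs both over constructed sample captures embedded in the script; the image name and request paths in those samples are made up for illustration, and the list of "recon" commands and paths is this example's own choice rather than anything the report enumerates.

```python
"""Triage constructed honeypot captures for Redis INFO harvesting and
Docker Engine API probing. Added example for this page; not Lacework's code."""
import re
from typing import Dict, List, Optional

# Redis commands that disclose host/process details or let an attacker
# reconfigure the instance. Assumption: this list is our own, not the report's.
REDIS_RECON = {"INFO", "CONFIG", "CLIENT", "DEBUG", "KEYS", "SLAVEOF", "REPLICAOF", "MODULE"}

# Read-only Docker Engine API endpoints an attacker hits to fingerprint a host
# (assumed list), after the optional /v1.xx version prefix has been stripped.
DOCKER_RECON_PATHS = {"/version", "/info", "/containers/json", "/images/json"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def parse_resp(data: bytes) -> List[List[str]]:
    """Decode RESP arrays (*<n>\\r\\n$<len>\\r\\n<arg>\\r\\n ...), the framing
    redis-cli uses, plus the bare inline form someone pushes through netcat."""
    cmds: List[List[str]] = []
    i = 0
    while i < len(data):
        if data[i:i + 1] == b"*":
            end = data.index(b"\r\n", i)
            argc = int(data[i + 1:end])
            i = end + 2
            args = []
            for _ in range(argc):
                if data[i:i + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % i)
                end = data.index(b"\r\n", i)
                length = int(data[i + 1:end])
                i = end + 2
                args.append(data[i:i + length].decode())
                i += length + 2  # skip the argument and its trailing CRLF
            cmds.append(args)
        else:  # inline command: plain text terminated by CRLF
            end = data.find(b"\r\n", i)
            if end == -1:
                end = len(data)
            line = data[i:end].decode().strip()
            if line:
                cmds.append(line.split())
            i = end + 2
    return cmds


def redis_recon_commands(capture: bytes) -> List[str]:
    """Return the reconnaissance/config commands seen in a Redis capture, in order."""
    return [c[0].upper() for c in parse_resp(capture) if c and c[0].upper() in REDIS_RECON]


def classify_docker(request_line: str) -> Optional[str]:
    """Label an HTTP request line to the Docker daemon as 'recon', 'deploy' or 'other'."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    path = VERSION_PREFIX.sub("", m["path"]).split("?")[0]
    if m["method"] == "POST" and (
        path in ("/containers/create", "/images/create") or path.endswith(("/exec", "/start"))
    ):
        return "deploy"  # pulling an image, creating/starting a container, or exec'ing into one
    if m["method"] == "GET" and path in DOCKER_RECON_PATHS:
        return "recon"
    return "other"


def triage(redis_capture: bytes, docker_requests: List[str]) -> Dict[str, object]:
    """Summarise one honeypot session: which Redis recon commands were issued and
    which Docker API calls were fingerprinting versus actually deploying workloads."""
    docker: Dict[str, List[str]] = {"recon": [], "deploy": [], "other": []}
    for line in docker_requests:
        label = classify_docker(line)
        if label:
            docker[label].append(line)
    return {"redis": redis_recon_commands(redis_capture), "docker": docker}


# Constructed sample captures (not real honeypot data): a redis-cli session that
# runs INFO and CONFIG GET, then a raw PING, and a burst of Docker API requests
# ending in a pull of a made-up image and a container create.
SAMPLE_REDIS = (
    b"*1\r\n$4\r\nINFO\r\n"
    b"*3\r\n$6\r\nCONFIG\r\n$3\r\nGET\r\n$3\r\ndir\r\n"
    b"PING\r\n"
)
SAMPLE_DOCKER = [
    "GET /version HTTP/1.1",
    "GET /v1.41/containers/json HTTP/1.1",
    "POST /v1.41/images/create?fromImage=example/miner HTTP/1.1",
    "POST /v1.41/containers/create HTTP/1.1",
    "GET /_ping HTTP/1.1",
]

if __name__ == "__main__":
    for service, findings in triage(SAMPLE_REDIS, SAMPLE_DOCKER).items():
        print(service, findings)
```

A practical tell in this output is the ordering: read-only calls (`/version`, `/containers/json`, `INFO`) arrive first and a `POST /images/create` or `CONFIG` follows within the same session, which is the recon-then-act sequence the report describes; alerting on the transition rather than on any single call keeps benign monitoring scripts out of the queue.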