Types of Cyber Crime Groups: Access as a Service
Jon Clay, VP of Threat Intelligence at Trend Micro, explores the latest Trend Micro Research covering one of the types of cyber crime groups, Access as a Service (AaaS), an emerging business model selling all-access passes to other malicious actors.
The adage “teamwork makes dreamwork” extends to cybercriminals as well. To launch more successful cyberattacks, malicious actors with different specialized skills have conglomerated to form Cybercrime as a Service (CaaS).
Within CaaS there are various types of cyber crime groups, including Ransomware as a Service (RaaS) and most recently, Access as a Service (AaaS).
Identifying commonly used tactics, techniques, and procedures (TTPs) of well-known AaaS groups can help CISOs and security leaders strengthen their cybersecurity strategy and minimize risk.
What is access as a service?
Trend Micro Research analyzed a new service offering, called Access as a Service (AaaS), in the undergrounds whereby malicious actors are selling access into business networks. The service is part of the overall cybercrime as a service (CaaS) that comprises many different offerings such as ransomware as a service (RaaS).
AaaS is composed of individuals and groups that use numerous methods to obtain remote access into an organization’s network. There are three types of AaaS sellers:
- Opportunistic actors who noticed a demand and decided to turn a profit.
- Dedicated sellers—their full-time job is gaining and selling access. They even market their services and leverage their extensive network to make sales.
- Online shops, which typically only guarantee access to a single machine, not a network or corporation.
Groups who specialize in gaining access to networks and then purposely selling it to others are more worrisome as their access is usually solid and ensures their buyers that they can deliver their service. Both types of AaaS actors can be troublesome, but the latter is certainly the group that will trouble more organizations due to the complexity of attributing the initial attacker.
How are credentials obtained?
Most often than not, AaaS brokers sell a set of credentials and a VPN server to connect to. There are four types of cyber crime that obtain credentials:
- Data breaches and password hash breaking: When companies or websites lose user lists along with password hashes in a data breach, hackers can crack them to obtain credentials. Even if the credentials come from a retail site, users often reuse their favorite passwords at work. Once the password has been validated, the attacker can access the corporate network.
- Malware logs: Cloud services also made cybercriminals more agile and scalable. By using cloud platforms, attackers can use botnets to spy on an infected user’s internet connections and collect user credentials. These often end up in a malware log, which is then sold to access brokers to increase their credentials stock.
- Vulnerability exploitation: Some AaaS brokers may be skilled enough to leverage exploits to attack servers and obtain user credentials. Common targets include VPN gateways or external web servers.
- Opportunistic hacking: Small-time hackers looking to immediately monetize the obtained network access will tend to sell one-off access to their target’s system. Phishing operators will also sell the credentials they exfiltrate in bulk.
AaaS is part of a developing trend in cybercrime, which is the increased specialization of services within CaaS and collaboration among these types of cyber crime groups.
We’re now seeing people and groups specialize in various parts of the attack lifecycle. This means that we’re likely going to see less mistakes made leading to detections, and we should expect multiple groups colonizing an infected network.
Thinking from an incident response mentality, this means they will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks.
AaaS defense strategies
As mentioned earlier, attacks where access was gained and handed off to another type of cyber crime group can be trickier to stop due to the change in attacker behavior. Therefore, it’s crucial for CISOs and security teams to implement a cybersecurity defense strategy that focuses on detecting and preventing the initial access breach.
The earlier you can detect the initial access of an attack, the more likely you can prevent the following components of the attack lifecycle from occurring, like ransomware. Here are other components to consider when creating an effective security strategy:
- Partner with a security vendor that leverages global threat research to constantly monitoring public breaches and the criminal underground. This ensures your solutions are optimized to defend against the latest threats.
- Set up two-factor authentication (2FA) to prevent malicious actors gaining access via leaked credentials.
- Make sure incident response (IR) teams understand the multi-attacker scenario and know where to focus their efforts.
- Apply a SASE architecture as part of a Zero Trust approach by using a with o continually verify and monitor users to ensure only those who should be accessing your network are doing so.
- Use a unified cybersecurity platform with XDR capabilities to help consolidate all correlated user activity and data for more visibility.
- Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilizing virtual patching.
- Leverage trusted frameworks such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). You can view their collection of updated password guidelines here.
For more insights into types of cyber crime groups and how to strengthen your defense strategy, check out the following resources: