What is access as a service?
Trend Micro Research analysed a new service offering, called Access as a Service (AaaS), in the undergrounds whereby malicious actors are selling access into business networks. The service is part of the overall cybercrime as a service (CaaS) that comprises many different offerings such as ransomware as a service (RaaS).
AaaS is composed of individuals and groups that use numerous methods to obtain remote access into an organisation’s network. There are three types of AaaS sellers:
- Opportunistic actors who noticed a demand and decided to turn a profit.
- Dedicated sellers—their full-time job is gaining and selling access. They even market their services and leverage their extensive network to make sales.
- Online shops, which typically only guarantee access to a single machine, not a network or corporation.
Groups who specialise in gaining access to networks and then purposely selling it to others are more worrisome as their access is usually solid and ensures their buyers that they can deliver their service. Both types of AaaS actors can be troublesome, but the latter is certainly the group that will trouble more organisations due to the complexity of attributing the initial attacker.
How are credentials obtained?
Most often than not, AaaS brokers sell a set of credentials and a VPN server to connect to. Here are four examples of cyber crime that obtain credentials:
- Data breaches and password hash breaking: When companies or websites lose user lists along with password hashes in a data breach, hackers can crack them to obtain credentials. Even if the credentials come from a retail site, users often reuse their favourite passwords at work. Once the password has been validated, the attacker can access the corporate network.
- Malware logs: Cloud services also made cybercriminals more agile and scalable. By using cloud platforms, attackers can use botnets to spy on an infected user’s internet connections and collect user credentials. These often end up in a malware log, which is then sold to access brokers to increase their credentials stock.
- Vulnerability exploitation: Some AaaS brokers may be skilled enough to leverage exploits to attack servers and obtain user credentials. Common targets include VPN gateways or external web servers.
- Opportunistic hacking: Small-time hackers looking to immediately monetise the obtained network access will tend to sell one-off access to their target’s system. Phishing operators will also sell the credentials they exfiltrate in bulk.
AaaS is part of a developing trend in cybercrime, which is the increased specialisation of services within CaaS and collaboration amongst these groups.
We’re now seeing people and groups specialise in various parts of the attack lifecycle. This means that we’re likely going to see less mistakes made leading to detections, and we should expect multiple groups colonising an infected network.
Thinking from an incident response mentality, this means they will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks.
AaaS defence strategies
As mentioned earlier, attacks where access was gained and handed off to another group can be trickier to stop due to the change in attacker behaviour. Therefore, it’s crucial for CISOs and security teams to implement a cybersecurity defence strategy that focuses on detecting and preventing the initial access breach.
The earlier you can detect the initial access of an attack, the more likely you can prevent the following components of the attack lifecycle from occurring, like ransomware. Here are other components to consider when creating an effective security strategy:
- Partner with a security vendor that leverages global threat research to constantly monitoring public breaches and the criminal underground. This ensures your solutions are optimised to defend against the latest threats.
- Set up two-factor authentication (2FA) to prevent malicious actors gaining access via leaked credentials.
- Make sure incident response (IR) teams understand the multi-attacker scenario and know where to focus their efforts.
- Apply a SASE architecture as part of a Zero Trust approach to continually verify and monitor users and ensure only those who should be accessing your network are doing so.
- Use a unified cybersecurity platform with XDR capabilities to help consolidate all correlated user activity and data for more visibility.
- Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilising virtual patching.
- Leverage trusted frameworks such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). You can view their collection of updated password guidelines here.
For more insights on examples of cyber crime and how to strengthen your defence strategy, check out the following resources: