Initial Access Brokers: The Hidden Architects of Modern Cyberattacks

June 9, 2025

Understanding Initial Access and the rise of Initial Access Brokers

The first step in a cyberattack is often its most pivotal and, ironically, its most underestimated. Known as "Initial Access", this phase marks the adversary's first entry into a victim's network, system, or environment. It serves as the launchpad for the entire attack chain, enabling threat actors to exploit vulnerabilities, steal data, or disrupt operations. Think of it as the attacker's "foot in the door": once inside, they can escalate privileges, move laterally across systems, and execute their objectives with devastating precision. In today's interconnected digital ecosystem, initial access techniques are critical whether the target is an IT system, an ICS/OT environment, a cloud platform, a SaaS application, an IoT device, or an endpoint. The success of a cyberattack often depends on breaching that single point of entry within the broader ecosystem.

Enter the Initial Access Brokers (IABs), the shadowy enablers behind many of today’s most devastating cyberattacks. These are specialized threat actors who don’t deploy malware themselves but instead focus on breaching systems and selling access. Using phishing campaigns, credential theft, or exploiting unpatched vulnerabilities, IABs infiltrate networks and then auction off their access on underground forums and dark web marketplaces. Their buyers? Often ransomware operators, nation-state groups, or cyber extortion gangs. By commoditizing the first stage of an attack, IABs have transformed the cybercrime ecosystem, making attacks faster, more scalable, and alarmingly efficient, all while staying one step removed from the mayhem that follows.

Role of Initial Access Brokers

Initial Access Brokers serve as the gatekeepers of cybercrime, breaching networks through methods like phishing, brute-force attacks, and exploitation of unpatched vulnerabilities. They offer various types of access, including RDP, VPN, Active Directory, and even server root credentials, which are then sold on underground markets or passed directly to ransomware affiliates. Their pricing is influenced by several factors: the size and industry of the target, the level of access provided, the company's annual revenue, and the complexity of the breach. In many cases, IABs have ongoing relationships with Ransomware-as-a-Service (RaaS) operators, eliminating the need to advertise on public forums and allowing them to operate under the radar. This partnership accelerates ransomware deployments by allowing affiliates to skip the initial intrusion phase and immediately launch attacks, making IABs essential players in modern cybercriminal supply chains.

Image representing the type of access offered by Initial Access Brokers

Why are Cybercriminals shifting toward the Initial Access Broker model?

Skillset specialization  
Cybercriminals shifting to the Initial Access Broker (IAB) model are often highly skilled in breaching systems but may lack expertise or interest in conducting full-scale attacks. The IAB approach allows them to focus on what they do best: gaining access to networks using tactics like phishing, brute-force attacks, token hijacking, and MFA bypasses. Instead of wasting time or increasing detection risk by handling post-compromise stages such as lateral movement or ransomware deployment, these actors concentrate solely on initial access. This specialization not only boosts efficiency but also fosters innovation in early-stage intrusion techniques, contributing to more sophisticated and evasive attacks over time.  

Lower risk exposure  
Beyond leveraging their strengths, many cybercriminals prefer the IAB model because it minimizes exposure and legal risk. Selling access to ransomware groups or other malicious actors shifts the burden of high-risk operations to the buyer. While they may not earn the massive payoffs associated with full-scale ransomware campaigns, IABs benefit from a consistent and sustainable revenue stream. Their activities form the foundation of the cybercrime-as-a-service ecosystem.

How Initial Access Brokers advertise access for sale

Access Type: Specifies the nature of the compromised entry point, most commonly Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) credentials.
Target Sector: Indicates the business vertical of the compromised entity, with Finance, Retail, and Manufacturing being the most frequently affected industries.
Privilege Level: Defines the extent of system access acquired, ranging from standard user credentials to administrator rights.
Company Revenue: Estimates the financial scale of the victim organization, often sourced from publicly available U.S.-based corporate databases.
Host Exposure: Highlights the number of compromised machines, occasionally detailing installed security solutions or endpoint protection tools.
Opening Bid (STAR): Refers to the initial asking price for access, typically set to attract competitive offers.
Bid Increment (STEP): Denotes the minimum increase required for each new bid during the auction process.
Instant Purchase (Blitz): Lists the fixed "buy now" price, allowing buyers to immediately acquire access without participating in the bidding war.  
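The fields above are what a threat-intelligence team has to normalize when it monitors broker listings for posts that could describe its own organization. The following is an added example, not code from the original post: it parses a constructed listing in the layout described (the key names Access, Sector, Rights, Revenue, Hosts, Start, Step and Blitz are assumptions; brokers vary them) into a comparable record and flags whether a listing plausibly matches a given sector and revenue band.

```python
import re
from dataclasses import dataclass
# Constructed sample in the style of the listings described above; the key names are assumptions.
SAMPLE_LISTING = """\
Access: VPN + RDP
Sector: Manufacturing
Rights: Domain Admin
Revenue: $450M
Hosts: 1200 (EDR present)
Start: $1500 Step: $500 Blitz: $5000
"""

_SCALE = {"": 1, "k": 1_000, "m": 1_000_000, "b": 1_000_000_000}
_AMOUNT = r"(\$?[\d.,]+[kKmMbB]?)"  # matches "$450M", "1,500", "5000"

def parse_money(text: str) -> int:
    """'$450M' -> 450000000, '$1,500' -> 1500 (a k/M/B suffix is scaled)."""
    m = re.fullmatch(r"\$?([\d,]+(?:\.\d+)?)([kKmMbB]?)", text.strip())
    if not m:
        raise ValueError(f"unparseable amount: {text!r}")
    return int(float(m.group(1).replace(",", "")) * _SCALE[m.group(2).lower()])

@dataclass
class AccessListing:
    access_type: str
    sector: str
    privilege: str
    revenue_usd: int
    hosts: int
    opening_bid: int  # STAR
    bid_step: int     # STEP
    buy_now: int      # Blitz

def parse_listing(text: str) -> AccessListing:
    """Normalize one listing into a record a CTI team can store and compare."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
        if not m:
            raise ValueError(f"missing field: {pattern}")
        return m.group(1).strip()
    return AccessListing(
        access_type=grab(r"^Access:\s*(.+)$"),
        sector=grab(r"^Sector:\s*(.+)$"),
        privilege=grab(r"^Rights:\s*(.+)$"),
        revenue_usd=parse_money(grab(r"Revenue:\s*" + _AMOUNT)),
        hosts=int(grab(r"Hosts:\s*([\d,]+)").replace(",", "")),
        opening_bid=parse_money(grab(r"Start:\s*" + _AMOUNT)),
        bid_step=parse_money(grab(r"Step:\s*" + _AMOUNT)),
        buy_now=parse_money(grab(r"Blitz:\s*" + _AMOUNT)),
    )

def could_be_us(listing, sector, revenue_usd, tolerance=0.5):
    """Defender-side triage: same sector and revenue within +/- tolerance of ours."""
    low, high = revenue_usd * (1 - tolerance), revenue_usd * (1 + tolerance)
    return listing.sector.lower() == sector.lower() and low <= listing.revenue_usd <= high
```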

Image representing an IAB post from a dark web forum

Top Vulnerabilities exploited by Initial Access Brokers (2024-2025)

CVE-2025-31324
Unrestricted File Upload Vulnerability in SAP NetWeaver enables an unauthenticated agent to upload potentially malicious executable binaries.
Comments: Attackers have been observed uploading JSP webshells to execute arbitrary commands. Tools like Brute Ratel and techniques such as Heaven's Gate have been used to establish command and control, suggesting involvement of IABs.  

CVE-2024-1708 and CVE-2024-1709
Path Traversal and Authentication Bypass vulnerabilities in ConnectWise ScreenConnect allow attackers to reset administrative credentials and gain unauthorized access.  
Comments: Exploited by ransomware groups like Play and Black Basta, with IABs using them to sell access to compromised systems.

CVE-2024-12356 and CVE-2024-12686
Command Injection Vulnerabilities in BeyondTrust's Remote Support solutions allow unauthenticated attackers to execute arbitrary commands.
Comments: These flaws were exploited in attacks on the U.S. Treasury Department, with IABs likely playing a role in providing access to compromised systems.  

CVE-2024-21762
An Out-Of-Bounds Write Vulnerability in the Fortinet FortiOS SSL VPN allows unauthenticated attackers to execute arbitrary code.
Comments: Advanced threat actors, including Volt Typhoon, have exploited this flaw to deploy custom malware, with IABs potentially facilitating initial access.

CVE-2024-21887 and CVE-2024-21893
Multiple vulnerabilities in Ivanti's VPN products allow attackers to bypass authentication and execute arbitrary code.
Comments: State-sponsored groups like UNC5325 have exploited these flaws to deploy malware and maintain persistent access, with IABs potentially facilitating the initial breaches.

CVE-2024-50623 and CVE-2024-55956
Unrestricted File Upload Vulnerabilities in Cleo Managed File Transfer software enable remote code execution.  
Comments: Threat actors, including Cl0P ransomware, have exploited these flaws to implant backdoors and exfiltrate data, facilitated by IABs providing initial access.

Notable Initial Access Brokers operating in present threat landscape
Several initial access brokers have made a name for themselves in the cybercriminal underground by consistently offering access to high-value networks. A few of them are described below:

Sheriff
Sheriff is a well-known IAB active in the Russian-speaking cybercriminal underground. Known for leveraging brute-force techniques and credential-stealing malware, Sheriff infiltrates corporate networks and monetizes that initial access by selling it to ransomware operators. One of Sheriff's most notable partnerships has been with the infamous REvil (Sodinokibi) ransomware group. This collaboration streamlines ransomware deployment, as REvil affiliates can skip the reconnaissance and intrusion phases and jump straight into data encryption and exfiltration. The relationship is symbiotic: REvil gets ready-made access, and Sheriff benefits financially while remaining largely under the radar.

drumrlu
Also known as 3lv4n, this IAB has been active on underground forums since at least May 2020. They are particularly known for selling domain access and sensitive databases belonging to a wide array of industries and countries. Targets have included organizations in the United States, Australia, France, Italy, Pakistan, Saudi Arabia, and more, covering sectors such as education, insurance, healthcare, government, and cryptocurrency. drumrlu has also been linked to the Thanos Ransomware-as-a-Service (RaaS) operation, where access sold by the broker has reportedly been used in full-scale ransomware attacks.

Wazawaka
Wazawaka is a high-profile IAB and cybercriminal personality known for his flamboyant presence on Russian-language forums like Exploit and XSS. Often making bold claims and taunting law enforcement, Wazawaka has been associated with the sale of network access to large enterprises, primarily in the U.S. and Europe. Security researchers have linked him to ransomware groups such as Conti and REvil, either directly or through affiliates. Wazawaka reportedly used phishing campaigns and exposed RDP services to gain access, which he then monetized by selling to ransomware operators eager for a quick foothold.

Babam
This IAB is known for offering corporate access primarily to RDP and VPN credentials on underground marketplaces. Babam has targeted companies across various sectors, including finance, healthcare, and manufacturing. Their listings often include detailed information such as company revenue, employee count, and geographic location, which suggests a highly professional and targeted approach. Researchers have observed Babam's access being purchased by ransomware groups including NetWalker and DarkSide, making them a vital link to the ransomware supply chain.  

Exotic Lily
Identified by Google's Threat Analysis Group (TAG), Exotic Lily is a sophisticated IAB that operated between late 2021 and early 2022. Unlike traditional IABs who rely on brute force, Exotic Lily used spear-phishing with fake business personas and spoofed domains to infiltrate corporate networks. Their operations were so advanced and methodical that they blurred the line between traditional cybercrime and the kind of high-level tactics typically seen in state-sponsored espionage campaigns.

Top strategies to thwart Initial Access Brokers

Initial Access Brokers (IABs) specialize in infiltrating enterprise networks and selling footholds to other threat actors. To disrupt this attack chain, organizations must adopt a proactive, layered defense strategy. Below are four technical measures that can significantly reduce your exposure to IAB activities:  

Enforce Least Privilege Access (LPA)
Minimize the blast radius of credential compromise by enforcing strict least privilege policies across user and system accounts. Ensure users operate with only the permissions required for their specific roles. Avoid granting local admin rights or broad domain access to standard users. Implement Role-Based Access Control (RBAC) and regularly audit privilege creep using tools like Microsoft LAPS, Group Policy analytics, or Privileged Access Management (PAM) solutions. Reducing privilege levels hinders lateral movement, credential harvesting, and privilege escalation post-intrusion.  

Adopt Strong, Phishing-resistant MFA
While traditional Multi-Factor Authentication (MFA) can mitigate credential-based attacks, its effectiveness is weakened by techniques such as push fatigue, SIM swapping, and OTP phishing. Transitioning to FIDO2-based authentication, which leverages public key cryptography and hardware-backed authenticators, eliminates shared secrets and central authentication databases, effectively neutralizing common MFA bypass methods.

Eliminate Unnecessary Remote Access (VPN/RDP)
Avoid exposing internal networks through broadly accessible Remote Desktop Protocol (RDP) or VPNs—particularly for non-essential personnel or unmanaged devices. Segment your network and provide granular, auditable access using zero-trust principles or application-layer gateways. Technologies like Software-Defined Perimeter (SDP) or Privileged Session Management (PSM) allow fine-grained access to internal systems without exposing the full network, reducing the attack surface exploited by IABs in many breaches.

Audit and Eliminate Dormant, Orphaned, and Default Accounts
Unmonitored and inactive accounts offer IABs stealthy entry points that often go undetected. These include:

Use identity governance tools to continuously discover and manage these accounts. Disable unused accounts and enforce MFA enrollment policies across the board. Attackers often target dormant accounts not enrolled in MFA, leveraging credential stuffing and tricking systems into letting them self-enroll a second factor, thereby gaining fully valid, MFA-protected access without raising alarms.
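The audit this paragraph describes, as an added example that is not part of the original post: it runs the dormant, orphaned, default-name and not-MFA-enrolled checks over a constructed directory export (the Account fields, the 90-day threshold and the DEFAULT_NAMES list are assumptions) and maps each finding to the action the text prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=90)
# Constructed list of names that ship with products or get created "temporarily"; extend for your estate.
DEFAULT_NAMES = {"admin", "administrator", "guest", "test", "sa", "root"}

@dataclass
class Account:
    name: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]  # None: the account never signed in
    owner_active: bool              # False once the sponsoring employee left
    mfa_enrolled: bool

def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """{name: [reasons]} for each enabled account matching a risky pattern."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:          # already neutralized
            continue
        reasons = []
        idle_since = acct.last_logon or acct.created  # never-used: count from creation
        if now - idle_since > DORMANT_AFTER:
            reasons.append("dormant")
        if not acct.owner_active:
            reasons.append("orphaned")
        if acct.name.lower() in DEFAULT_NAMES:
            reasons.append("default")
        if not acct.mfa_enrolled:     # the account an attacker could self-enroll into
            reasons.append("not-mfa-enrolled")
        if reasons:
            findings[acct.name] = reasons
    return findings

def recommend(reasons: List[str]) -> str:
    """Disable unused or unowned accounts; otherwise force MFA enrollment."""
    if {"dormant", "orphaned", "default"} & set(reasons):
        return "disable"
    return "require-mfa-enrollment"

NOW = datetime(2025, 6, 9, tzinfo=timezone.utc)
def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)

# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, _ago(700), _ago(3), True, True),
    Account("contractor7", True, _ago(500), _ago(200), False, False),
    Account("guest", True, _ago(400), None, True, False),
    Account("svc_scan", True, _ago(30), _ago(2), True, False),
    Account("ex_intern", False, _ago(800), _ago(600), False, False),
]
```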

Monetizing Access, Globalizing Risk
In essence, the rise of Initial Access Brokers underscores a fundamental shift in the cybercrime economy - where access to corporate networks has become a tradable commodity, fueling the expansion of ransomware operations. As the IAB marketplace matures, it not only lowers the barrier to entry for threat actors but also fuels a global, opportunistic model of targeting, where industry and geography are secondary to profitability. This commoditization of access means that any organization, regardless of sector, can find itself in the crosshairs. To defend effectively, organizations must go beyond reactive security and invest in understanding adversary behavior, monitoring the signs of compromise, and hardening initial access vectors before their networks are sold to the highest bidder. The real danger lies not just in being breached, but in remaining unaware that your network is already for sale on underground markets.


About Loginsoft

For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. Startups, product companies, and enterprises alike rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services, which include Software development & Support, QA automation, Data Science & AI, etc.

Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250 integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry-leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.

In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
