$250 Buys Access to Iranian Infrastructure
How one post on a dark net forum can open a path into your organization.
I want to start by saying that there is no way to know whether this listing is legitimate. I am sharing it as a cautionary tale and as a concrete picture of the criminals who sell access to everyday businesses. The alarmingly low price underscores a critical point: even if you think your systems are resilient and your cybersecurity program is mature, you are only as secure as your weakest link. In this case, that link is a potentially compromised supplier.
Screenshot taken from the WWH-CLUB-FORUM post on July 23, 2024
The Offer Details
The listing, dated July 23, 2024, advertises:
Target: An Iranian company with 1,001-5,000 employees
Sectors affected: Retail & Distribution, Water Treatment, Wastewater Treatment, Oil, Gas, Petrochemicals, Building and Road Construction
Access type: RDP (Remote Desktop Protocol)
Privileges: Local Admin
Number of compromised hosts: 30+
Antivirus: Kaspersky (deactivated)
Price: $250
Why This Matters
The low cost of entry is a significant threat multiplier. Enough reconnaissance was done on the target to market the details to buyers: country, headcount, sectors, access type, privilege level and antivirus status. The low price may also reflect a quick turn-and-burn sale, or desperation on the seller's part.
Low Barrier to Entry: At $250, this access is within reach of a wide range of malicious actors, from amateur hackers to state-sponsored groups.
High-Value Target: The compromised company's involvement in water treatment, oil and gas, and construction makes it a prime target for sabotage or espionage.
Potential for Cascading Failures: Given the interconnected nature of critical infrastructure, a breach could have far-reaching consequences beyond the initial target.
Deactivated Security: The listing claims Kaspersky antivirus is deactivated. Disabling endpoint protection on 30+ hosts takes the local admin rights being sold, so the claim, if true, means the seller already has enough control to switch off defenses and suggests other security measures may be compromised as well.
Immediate Action Items for Professionals
This listing is a reminder that remote access paths (RDP, VPN, jump hosts, vendor portals) need to be tested and reviewed continuously, not just during the annual pen test. Regularly review the level of access granted to third-party vendors: which systems they need, with what privileges, and for how long, and ensure it is limited to that. A vendor account that is a local administrator on dozens of hosts, reachable over RDP, is exactly the profile being sold here.
Proper Identity and Access Management (IAM) is also critical. IAM lets you bind vendor access to a specific time window, a specific set of hosts and, where possible, a known source, which shrinks the attack surface and makes a session from an unexpected host or at an unexpected hour stand out as an anomaly rather than blend in as a normal logon. That both reduces the risk of unauthorized access and limits the damage if a vendor is breached.
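The two points above, regular testing of vendor access and time- and scope-bound IAM, can be checked against real logon data. The following is an added example, not code from the original post: it models a vendor access policy (allowed hosts, time window, weekdays, expected source range) and evaluates Windows Security event 4624 records against it. LogonType 10 in event 4624 is a RemoteInteractive (RDP) logon. The vendor account, host names, IP ranges and event records are constructed for illustration.

```python
"""Check Windows RDP logon events for third-party vendor accounts against a
time- and scope-bound access policy.

Added example for this post, not code from the original article. The vendor
account, hosts, address ranges and event records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Windows Security event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class VendorPolicy:
    account: str                 # vendor account name (lower-case, without domain)
    allowed_hosts: frozenset     # hosts the vendor is contracted to touch
    window_start: time           # earliest permitted logon time (local)
    window_end: time             # latest permitted logon time (local)
    allowed_weekdays: frozenset = frozenset(range(0, 5))  # Mon-Fri by default
    source_prefixes: tuple = ()  # expected source IP prefixes, e.g. ("203.0.113.",)


@dataclass
class Finding:
    account: str
    host: str
    when: datetime
    reasons: list = field(default_factory=list)


def _in_window(ts: datetime, pol: VendorPolicy) -> bool:
    t = ts.time()
    if pol.window_start <= pol.window_end:
        return pol.window_start <= t <= pol.window_end
    # Window crosses midnight, e.g. 22:00 to 04:00.
    return t >= pol.window_start or t <= pol.window_end


def evaluate_logons(events, policies):
    """Return a Finding for every RDP logon that violates its vendor's policy.

    `events` are dicts modelled on 4624 fields: TargetUserName, LogonType,
    Computer, IpAddress and TimeCreated (ISO-8601). Non-RDP logons and
    accounts without a vendor policy are ignored here; they belong to other
    detections.
    """
    by_account = {p.account.lower(): p for p in policies}
    findings = []
    for ev in events:
        if int(ev["LogonType"]) != RDP_LOGON_TYPE:
            continue
        acct = ev["TargetUserName"].lower()
        pol = by_account.get(acct)
        if pol is None:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        host = ev["Computer"].lower()
        reasons = []
        if host not in pol.allowed_hosts:
            reasons.append(f"host {host} not in contracted scope")
        if ts.weekday() not in pol.allowed_weekdays:
            reasons.append("logon outside permitted weekdays")
        if not _in_window(ts, pol):
            reasons.append("logon outside permitted time window")
        if pol.source_prefixes and not ev["IpAddress"].startswith(pol.source_prefixes):
            reasons.append(f"unexpected source address {ev['IpAddress']}")
        if reasons:
            findings.append(Finding(acct, host, ts, reasons))
    return findings


# Constructed policy: one maintenance vendor, two plant hosts, weekday daytime window.
POLICIES = [
    VendorPolicy(
        account="svc-pumpvendor",
        allowed_hosts=frozenset({"scada-hmi-01", "scada-hmi-02"}),
        window_start=time(8, 0),
        window_end=time(18, 0),
        source_prefixes=("203.0.113.",),
    )
]

# Constructed sample events with 4624-style fields. 2024-07-23 is a Tuesday.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-23T10:15:00", "TargetUserName": "svc-pumpvendor",
     "LogonType": "10", "Computer": "SCADA-HMI-01", "IpAddress": "203.0.113.40"},
    {"TimeCreated": "2024-07-23T23:40:00", "TargetUserName": "svc-pumpvendor",
     "LogonType": "10", "Computer": "FILESRV-03", "IpAddress": "198.51.100.7"},
    {"TimeCreated": "2024-07-23T11:00:00", "TargetUserName": "jdoe",
     "LogonType": "10", "Computer": "WKS-100", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-07-23T11:05:00", "TargetUserName": "svc-pumpvendor",
     "LogonType": "3", "Computer": "SCADA-HMI-02", "IpAddress": "203.0.113.40"},
]

if __name__ == "__main__":
    for f in evaluate_logons(SAMPLE_EVENTS, POLICIES):
        print(f"{f.when} {f.account}@{f.host}: " + "; ".join(f.reasons))
```

Run against the constructed events, only the second logon is flagged, for three reasons at once: wrong host, outside the window, and an unexpected source. The policy is the contract in code; feeding it exported 4624 events from your SIEM on a schedule is the "regular testing" the paragraph above asks for.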
Open conversations with the business teams you support are vital to staying informed about potential security concerns. Regular discussions with Finance, Contracts, HR and Operations surface new projects or contractors that may need additional access before that access is quietly provisioned. These conversations also help you stay ahead of emerging risks and identify areas that need improvement.
It is also essential to maintain an inventory of the third-party suppliers your business deals with, reviewed at least yearly, recording each supplier's country, sector, size and what access (VPN, RDP, portal accounts) they hold into your environment. When a broker listing or breach report surfaces, you can cross-reference it against that inventory to see which partners might be affected and what they can reach. This mitigates supply chain disruption, such as a critical part or service going dark because a partner has been ransomed, and it recognizes that a third-party vendor can be used as a pivot into your organization even if the vendor is not a profitable target in its own right.
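Cross-referencing a listing against a supplier inventory is straightforward to automate once the inventory has the fields above. The following is an added example, not code from the original post: it scores each supplier against the victim profile the listing quotes (country, employee band, sectors) and ranks the hits, putting suppliers that hold remote access into your environment first. The supplier names and attributes are constructed; the listing fields mirror those in the post.

```python
"""Cross-reference an access-broker listing's victim profile against a
supplier inventory.

Added example for this post, not code from the original article. Supplier
records below are constructed; the listing mirrors the fields the post quotes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    country: str
    employees: int
    sectors: frozenset
    has_remote_access: bool  # holds VPN/RDP/portal access into our environment


@dataclass(frozen=True)
class Listing:
    country: str
    employees_min: int
    employees_max: int
    sectors: frozenset
    access_type: str


def match_score(supplier: Supplier, listing: Listing) -> float:
    """Score 0..1 for how well a supplier fits the listing's victim profile.

    Country and employee band are hard filters (a mismatch scores 0);
    sector overlap is Jaccard similarity, so a supplier spanning the same
    unusual mix of sectors scores higher than one sharing a single sector.
    """
    if supplier.country.lower() != listing.country.lower():
        return 0.0
    if not (listing.employees_min <= supplier.employees <= listing.employees_max):
        return 0.0
    union = supplier.sectors | listing.sectors
    if not union:
        return 0.0
    return len(supplier.sectors & listing.sectors) / len(union)


def suppliers_to_contact(suppliers, listing, threshold=0.2):
    """Return (supplier, score) pairs at or above threshold, remote-access
    holders first, then by descending score."""
    hits = [(s, match_score(s, listing)) for s in suppliers]
    hits = [(s, sc) for s, sc in hits if sc >= threshold]
    hits.sort(key=lambda p: (p[0].has_remote_access, p[1]), reverse=True)
    return hits


# Victim profile as quoted in the post's listing.
LISTING = Listing(
    country="Iran",
    employees_min=1001,
    employees_max=5000,
    sectors=frozenset({
        "retail & distribution", "water treatment", "wastewater treatment",
        "oil", "gas", "petrochemicals", "building and road construction",
    }),
    access_type="RDP",
)

# Constructed supplier inventory.
SUPPLIERS = [
    Supplier("Pars Pump Services", "Iran", 2500,
             frozenset({"water treatment", "wastewater treatment"}), True),
    Supplier("Tehran Valve Co", "Iran", 300, frozenset({"oil", "gas"}), True),
    Supplier("Anatolia Motors", "Turkey", 3000, frozenset({"oil", "gas"}), False),
    Supplier("Caspian Software", "Iran", 4000, frozenset({"software"}), True),
    Supplier("Gulf Petro Logistics", "Iran", 1500,
             frozenset({"oil", "gas", "petrochemicals"}), False),
]

if __name__ == "__main__":
    for s, sc in suppliers_to_contact(SUPPLIERS, LISTING):
        flag = "REMOTE ACCESS" if s.has_remote_access else "no remote access"
        print(f"{sc:.2f}  {s.name}  ({flag})")
```

Against the constructed inventory, two suppliers clear the threshold: the pump-services vendor (a lower sector score, but it holds remote access into the environment, so it is contacted first) and the petrochemical logistics partner. The headcount band is the weakest signal in a listing and a size-only match should never be treated as confirmation; the output is a call list, not an incident.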
The Bigger Picture
This listing is not isolated. The same broker is also offering access to a Turkish motor vehicle manufacturer for $300, which points to a pattern of targeting industrial and infrastructure entities across the region.
Conclusion
The ease with which access to a critical infrastructure company can be sold on the dark web is a stark reminder of the ever-present threat. The low barrier to entry, the high-value target and the potential for cascading failures make this a cautionary tale that cannot be ignored.
No organization is immune. Even with a mature cybersecurity program, a single weak link, here a supplier with RDP access and local admin rights, can undo the rest. We have to remain vigilant and proactive, recognizing that the threat landscape is constantly evolving.
By reviewing access now, implementing proper Identity and Access Management, and fostering open conversations with business teams, we reduce the risk of unauthorized access and limit the damage if a breach does occur. It is time to rethink our approach and prioritize the protection of our critical infrastructure.
There is one class of people that we talk about that target civilian critical infrastructure, and we just call them assholes.
Rob Lee (CEO, Dragos), S4x24 Main Stage Interview With Rob Lee