Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials

Russian hackers have offered to sell access to the internal network and customer database of Pakistan International Airlines (PIA), according to Israeli firm KELA Targeted Cyber Intelligence,

Researchers at the firm said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. The airline has not acknowledged the breach incident yet.

The purported hacker posted the advert for initial network access to PIA’s systems on Russian and English dark web marketplace forums that KELA monitors. A week later, the airline’s customer database went up for sale. The hacker’s post in the forums stated that the database included customers’ full names, phone numbers and passport information.

Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.

While cyber threat researchers generally cannot know specifically how attackers entered a network unless the attacker shares the method, KELA threat intelligence analyst Victoria Kivilevich said that there have been instances where there was a direct connection mentioned.

For example, said Kivilevich, in August a US company appeared as a Sodinokibi ransomware victim in the Twitter account of a remote access broker known for his collaboration with the ransomware gang. “A few days later, the broker contacted KELA offering proof of a successful ransomware attack, and confirmed that it was breached through the Pulse Secure VPN access first.”

Illicit network access sales target Indian businesses 

Researchers at KELA have observed that initial network accesses are being sold in underground forums every day, and are becoming an initial entry point for ransomware operators. The company’s blog shows that 100 initial network accesses were put on sale by threat actors in September alone – that’s three times more than they observed in August.

What’s noteworthy is that the cumulative price requested for all these accesses exceeds $500,000. Of the accesses KELA found for sale, 23% were reported as sold for a total amount of nearly $90,000. The average price of the 108 network access listings tracked by Kela stood at $4,960.

The researchers have also found out that 50% of network access sales target just three countries: the US, Canada, and India. The recent onslaught of cyberattacks targeting Indian businesses such as BigBasket, Dr Reddy’s, Dr Lal PathLabs, Dunzo, Haldiram’s, Paytm Mall, and PM Modi’s website could be a consequence of such sales.