
An identity defender's worst nightmare? Initial Access Brokers, and here is why

Tom Spring / SC Media

SAN FRANCISCO — They don’t steal your data. They sell access to it.

Initial Access Brokers — known as IABs — have become one of cybersecurity’s most dangerous and underestimated players. These dark web middlemen specialize in breaking into networks, then monetizing that access by selling it to the highest bidder: ransomware crews, state-aligned attackers or fraud cartels.

Their product? Your identity infrastructure.

At RSAC 2025, Amit Weigman, head of solution engineering at Cyberint (a Check Point company), took attendees down a rabbit hole into the IAB ecosystem. His talk peeled back the layers on the underground IAB industry, which he warned is growing smarter, faster and more structured by the month. Identity and Access Management (IAM) professionals, he said, need to put IABs squarely in their sights.

(For Complete Live RSAC 2025 Coverage by SC Media Visit SCWorld.com/RSAC)

Weigman stressed that IABs thrive because too many companies still treat identity security as optional. It is frustrating, he said, that after all these years companies still skip, delay or only partially implement a basic protection like multi-factor authentication.

“Then you see a breach, and then you find out [the target] didn’t deploy multi-factor authentication on their firewall or SSL VPN (Secure Sockets Layer Virtual Private Network),” he said.  “Yeah. You’re asking for it.”

Subcontractors of cybercrime

IABs are specialists. Their job isn't to launch ransomware or steal data. Their job is to quietly break in — gain stealthy access to a corporate network, grab credentials, map out weaknesses and move laterally within the network. Then they hand that access off to someone else.

Chart: Top targeted industries by IABs

Weigman compares them to the subcontractors of cybercrime. A decade ago, ransomware crews did everything themselves: infiltration, encryption, extortion, he noted. Today’s cyber syndicate operations are modular. The heavy lifting at the front end has been outsourced to IABs.

According to Weigman's data, RDP was the most common access type sold in 2024, followed by VPN and shell access. A web shell is a script planted on a compromised server that gives the attacker remote command execution through ordinary web requests, which is why it is a convenient product to hand off.

But Weigman said his biggest concern is misconfigured identity tooling, especially SAML (Security Assertion Markup Language). These misconfigurations are becoming a critical weak point, he said.

SAML is a widely used protocol that lets users log into multiple applications with a single identity: the identity provider authenticates the user and hands the application a signed assertion, and the application trusts that assertion rather than re-checking the password or MFA itself. When SAML settings are misaligned or left unmonitored, attackers can exploit that trust to impersonate users and slip past MFA controls undetected. Several recent listings, Weigman noted, offered access based entirely on stolen or manipulated SAML tokens.

Even more troubling, some listings mention post-compromise persistence methods that abuse SAML misconfigurations to maintain long-term access — without triggering alerts.
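Weigman's warning about misaligned SAML settings comes down to what the application checks before it trusts an assertion. The following Python is an added example, not code from the talk or from Cyberint: it runs the checks a service provider should enforce (expected issuer, a signature present, a short validity window, an audience restriction naming this SP, and a one-time assertion ID) over constructed sample assertions. The entity IDs https://idp.example.test/ and https://sp.example.test/saml, the 300-second lifetime cap and the sample assertions are this example's own assumptions. Signature checking here is reduced to presence of the Signature element so the example runs offline; a real SP must cryptographically verify it against the IdP's pinned certificate (for example with xmlsec).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed identifiers for this example's hypothetical IdP and SP.
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_AUDIENCE = "https://sp.example.test/saml"
MAX_LIFETIME_SEC = 300  # assumed cap; long windows widen the replay window


def _parse_time(s):
    """SAML timestamps are UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_iso, seen_ids=None):
    """Return a list of findings; an empty list means the assertion passed.

    seen_ids, if given, is a set of assertion IDs already consumed, so a
    replayed assertion is rejected even if everything else checks out.
    Only signature *presence* is checked; cryptographic verification against
    the IdP's pinned certificate (e.g. xmlsec) is out of scope here.
    """
    now = _parse_time(now_iso)
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["not a saml:Assertion"]

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append("unexpected issuer %r" % issuer)

    # Accepting an unsigned assertion is the classic "skip if absent" misconfiguration.
    if root.find("ds:Signature", NS) is None:
        findings.append("assertion is unsigned")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or na is None:
            findings.append("validity window missing")
        else:
            t0, t1 = _parse_time(nb), _parse_time(na)
            if now < t0 or now >= t1:
                findings.append("assertion outside validity window")
            if (t1 - t0).total_seconds() > MAX_LIFETIME_SEC:
                findings.append("validity window longer than %ds" % MAX_LIFETIME_SEC)
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if not audiences:
            findings.append("no AudienceRestriction: replayable against any SP")
        elif EXPECTED_AUDIENCE not in audiences:
            findings.append("audience mismatch %r" % audiences)

    if root.find("saml:Subject/saml:NameID", NS) is None:
        findings.append("no subject NameID")

    assertion_id = root.get("ID")
    if seen_ids is not None:
        if assertion_id in seen_ids:
            findings.append("assertion ID %r replayed" % assertion_id)
        else:
            seen_ids.add(assertion_id)
    return findings


def make_assertion(issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, signed=True,
                   not_before="2025-04-29T10:00:00Z",
                   not_on_or_after="2025-04-29T10:05:00Z", assertion_id="_a1"):
    """Constructed sample assertion (the Signature is a placeholder, not real XMLDSig)."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>placeholder'
           '</ds:SignatureValue></ds:Signature>' % NS["ds"]) if signed else ""
    aud = ('<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
           '</saml:AudienceRestriction>' % audience) if audience else ""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s">'
        '<saml:Issuer>%s</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">%s</saml:Conditions>'
        '</saml:Assertion>'
        % (NS["saml"], assertion_id, not_before, issuer, sig, not_before, not_on_or_after, aud)
    )


if __name__ == "__main__":
    now = "2025-04-29T10:01:00Z"
    for label, xml in [("well-formed", make_assertion()),
                       ("unsigned", make_assertion(signed=False)),
                       ("no audience", make_assertion(audience=None)),
                       ("wrong issuer", make_assertion(issuer="https://evil.example.test/"))]:
        print(label, "->", check_assertion(xml, now) or "OK")
```

Each finding maps to a misconfiguration a broker can monetize: an SP that accepts unsigned assertions, skips the audience check or never records assertion IDs lets a stolen assertion for one application be replayed against another, and a long validity window stretches how long that stolen assertion stays sellable.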

Marketplace of misery

Last year the average price for a compromised network listing was $6,630, with the median price at $900.

Prices reflect access type and privilege level. Remote Desktop Protocol (RDP) and VPN remain the most popular — and most frequently abused — vectors. Access that includes domain admin rights, mapped hosts or endpoint protection workarounds fetches a premium. At the high end, some listings connected to billion-dollar firms reached well into five-figure territory.

Chart: Top security products on compromised machines

Lower-cost access is often tied to small and medium-sized businesses. That includes firms in construction, education, healthcare and manufacturing. One U.S. construction firm was listed for $1,200. The access bundle included VPN credentials, a mapped internal network, and hints for bypassing endpoint defenses.

Top countries targeted? You guessed it: U.S. businesses, followed by Brazil and France. Top security products found on compromised machines: Windows Defender, SentinelOne, Sophos, then ESET.

Who's behind the keyboard

Several brokers mentioned in the session stood out. One in particular, Miyako, operates with possible ties to East Asian cybercriminal forums and state-linked interests.

Chart: Financially motivated and nation-state-level brokers

Miyako is known for targeting critical infrastructure, including telecom, energy and government systems. In one case, the group exploited a critical vulnerability (CVE-2022-1388) in an F5 BIG-IP device weeks before launching a ransomware attack. That calculated lead time, he said, reflects a larger trend. “Today’s most successful brokers aren’t rushing. They’re planning.”

Weigman pointed to a recent case where RADAR, a known IAB, listed RDP access to a Swiss company for sale in mid-October. Just over a month later, that same company appeared on RansomHub’s leak site. It was a clear handoff — from broker to attacker to public breach.

Some IABs operate as part of affiliate programs or underground syndicates. These groups sell access to ransomware operators like RansomHub, Medusa, or 8Base, often on a revenue-sharing basis. Others work solo, hawking access on forums like XSS[.]IS or closed invite-only Telegram channels.

While some brokers are clearly financially motivated, others show signs of geopolitical intent, aligning with national interests or working in parallel with state-backed groups — especially in Russia, China and Iran.

Flip the script

Advice for defenders? Assess your own environment. “Map your access and think like a broker would,” he said.  

That means creating an Access Asset Register — a complete inventory of entry points. Include everything: RDP, VPN, Citrix, cloud consoles, SSH, and SSO gateways. Rank them by exposure and privilege level.

Next, layer on identity hygiene: disable stale accounts, restrict domain admin rights and regularly audit group policies. Check for overly permissive access rules and for dormant accounts that are still hooked into third-party apps.

Also watch for vulnerable authentication pathways. Misconfigurations in SAML or OAuth can be a backdoor that doesn’t set off alarms.
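As an added example of the Access Asset Register Weigman describes (this is not code from the talk; the fields, the scoring weights and the constructed inventory are this example's own assumptions), the following Python ranks entry points the way a broker would price them: privilege times exposure, doubled when MFA is missing, with bumps for dormant accounts and for RDP and VPN, the access types that sold most in 2024.

```python
from dataclasses import dataclass

# Assumed weights for this example; tune them to your own environment.
PRIV_WEIGHT = {"user": 1, "admin": 3, "domain_admin": 5}
DORMANT_DAYS = 90


@dataclass
class EntryPoint:
    """One row of the register. Field names are this example's own."""
    name: str
    kind: str              # rdp | vpn | citrix | ssh | cloud_console | sso
    internet_facing: bool
    mfa: bool
    privilege: str         # user | admin | domain_admin
    last_login_days: int   # days since the gateway/account was last used
    owner: str = ""


def score(ep):
    """Higher means more attractive to a broker: privilege times exposure,
    doubled when there is no MFA, plus bumps for dormancy and for the access
    types that sold most in 2024 (RDP and VPN)."""
    s = PRIV_WEIGHT[ep.privilege] * (3 if ep.internet_facing else 1)
    if not ep.mfa:
        s *= 2
    if ep.last_login_days > DORMANT_DAYS:
        s += 2
    if ep.kind in ("rdp", "vpn"):
        s += 1
    return s


def findings(ep):
    """Plain-language reasons a row should worry you."""
    out = []
    if ep.internet_facing and not ep.mfa:
        out.append("internet-facing without MFA")
    if ep.privilege == "domain_admin":
        out.append("domain admin reachable through this entry point")
    if ep.last_login_days > DORMANT_DAYS:
        out.append("dormant for %d days" % ep.last_login_days)
    if not ep.owner:
        out.append("no owner recorded")
    return out


def build_register(entries):
    """Return [(name, score, findings)] sorted most attractive first."""
    rows = [(ep.name, score(ep), findings(ep)) for ep in entries]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory; none of these hosts exist.
SAMPLE = [
    EntryPoint("vpn-gw1.example.test", "vpn", True, False, "user", 2, "netops"),
    EntryPoint("rdp-jump.example.test", "rdp", True, True, "domain_admin", 1, "winops"),
    EntryPoint("old-citrix.example.test", "citrix", True, False, "admin", 180),
    EntryPoint("bastion-ssh.example.test", "ssh", False, True, "admin", 3, "platform"),
    EntryPoint("aws-console", "cloud_console", True, True, "admin", 1, "cloud"),
]

if __name__ == "__main__":
    for name, s, why in build_register(SAMPLE):
        print("%3d  %-26s %s" % (s, name, "; ".join(why) or "-"))
```

The top of the output is the starting point for the hygiene steps above: rows with no owner and a long dormancy are the forgotten remote access points that bundles like the $1,200 construction-firm listing are built on, and the same rows should be first in line for MFA and a privilege review.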

Watching the marketplace: Before you’re in it

Weigman emphasized the importance of monitoring access markets in real time. Forums like XSS[.]IS, Ramp[.]io, Exploit[.]in, and BreachForums are where much of the early activity happens. That includes access listings, credential dumps, proof-of-access screenshots, and negotiations with buyers. But tracking those channels isn’t easy.

These platforms are semi-private, often Russian-language, and designed to keep out casual observers. Registration typically requires an invite, reputation score, or payment in cryptocurrency. Some brokers operate exclusively through encrypted messaging apps like Telegram, TOX, or Jabber, where invites come only via referral or trust circles.

To monitor effectively, companies need:

  • Threat intelligence partnerships with vendors who specialize in underground monitoring.
  • Access to tools that scrape, translate, and analyze dark web content.
  • A cross-functional team that includes identity experts, fraud analysts, and incident responders.
  • Contextual understanding: Is the listing credible? Is it your company or a lookalike? Is it recycled from an old breach?

All an IAB needs is one credential, one misconfigured VPN, one forgotten remote access point. It is their job to find it, and they do.


Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.
