The recently leaked trove of 1.3 million RDP credentials is yet more proof that, in the underground economy, initial access brokerage is a flourishing market. Cybercriminals are outsourcing the initial access stage of the attack so they can better focus on the execution and act more quickly.
Compromised credentials (such as RDP and VPN logins) are widely available on the black market: the overnight shift to remote work has led many organizations to publish their internal services without an adequate level of protection (such as multi-factor authentication or a password change policy), exposing them to brute-force or password-spraying attacks. To make matters worse, a perfect storm has hit multiple remote access technologies and on-prem services, including Exchange email servers, which have suffered an unprecedented wave of critical vulnerabilities that attackers exploited immediately. Ironically, the systems that were meant to support organizations the most during the pandemic have become the entry points.
This is a concrete risk for organizations exposed to ransomware attacks.