Most cyber attack brokers sell admin access from USD $500
New research into underground cybercrime markets shows that access brokers frequently sell deep, privileged entry points into corporate networks, with 71% of listings including administrator-level credentials and, in some cases, a bundle of multiple routes in.
According to the latest report analysing six months of intelligence from dark web forums, so-called initial access can be sold to cyber attackers for prices starting at just USD $500. Such sales offer attackers a low-cost way to gain entry to victim organisations and can accelerate the route to ransomware and other related incidents.
Access broker market
Researchers from Rapid7 monitored and evaluated hundreds of listings from Initial Access Brokers (IABs) on dark web platforms, including Exploit, XSS, and BreachForums. These IABs advertise access to compromised business networks across various industries and geographic regions.
The research, published in the Rapid7 Access Brokers Report, concluded that the nature of access on offer can signify severe intrusion rather than just a "foot in the door." Privileged credentials, which often include administrator rights, provide threat actors with more control over the targeted network from the outset.
"This report shows that initial access brokers aren't intent upon finding a single way into an organisation's network and then quickly exiting, they're making attempts to explore the networks they've infiltrated. And they're often succeeding," said Raj Samani, SVP and chief scientist at Rapid7. "In doing so, the IAB can offer buyers admin privileges, multiple access types, or both. By the time a threat actor logs in using the access and privileged credentials bought from a broker, a lot of the heavy lifting has already been done for them. Therefore, it's not about if you're exposed, but whether you can respond before the intrusion escalates."
The report found that more than 71% of access broker deals included some form of privileged access, while almost 10% bundled multiple access vectors or further administrative capabilities. Most listings were offered for less than USD $1,000, although the average asking price was a little over USD $2,700.
Access commonly took the form of Virtual Private Network (VPN), domain user, or Remote Desktop Protocol (RDP) credentials. These vectors were also among the most prevalent weaknesses identified in Rapid7's own incident response cases. The findings underscore the utility of such access for adversaries looking to quickly spread through networks or launch further attacks.
Impact on defenders
The prevalence of deeply compromised access increases the pressure on security teams, who already face high alert volumes, limited headcount, and rapidly changing attack methodologies. The report argues for unified approaches to exposure management and threat response, urging that they be integrated rather than siloed off from one another.
This approach is reflected in the company's own solutions, with its Incident Command product unifying areas such as prevention, threat intelligence, and automated response capabilities into a single workflow. Intelligence generated from the research is being actively integrated into detection and investigation processes for security teams to use directly.
Recommendations for organisations
The report also shares several mitigation measures intended to harden businesses against access broker activity. Key recommendations include enforcing multi-factor authentication (MFA) on critical remote access points such as VPN, RDP, and accounts used to manage essential infrastructure.
Other best practices outlined include ongoing investment in threat-informed detection and response systems, with an emphasis on platforms that can correlate different security signals for stronger defence. Regular red team testing to identify risks such as unused accounts, default passwords, or publicly exposed RDP services was also stressed as an important step for organisations seeking to reduce their exposure.
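The three exposure types named in the recommendations (unused accounts, passwords that were never rotated after provisioning, and RDP reachable from the internet) are straightforward to check against routine exports. The script below is an added example for this article and is not Rapid7's code or part of the report; the account and firewall-rule records are constructed, and their field layout (`last_logon`, `pwd_last_set`, `source` CIDR) is an assumption about how a directory or firewall export would be flattened. It treats a password that has not changed in over a year as a proxy for the "default password" risk, since an export rarely says whether the original value was ever replaced.

```python
"""Audit constructed account and firewall-rule exports for the exposures the
report's recommendations name: dormant accounts, never-rotated passwords, and
RDP (TCP/3389) open to any source. Added example, not Rapid7's code; record
layout is an assumption."""
from datetime import datetime, timedelta

# Constructed sample: one record per account, as a directory export might look.
ACCOUNTS = [
    {"user": "jdoe",        "last_logon": "2024-05-02", "pwd_last_set": "2024-04-20", "enabled": True,  "admin": False},
    {"user": "svc_backup",  "last_logon": "2023-09-15", "pwd_last_set": "2021-01-10", "enabled": True,  "admin": True},
    {"user": "contractor7", "last_logon": None,         "pwd_last_set": "2022-11-03", "enabled": True,  "admin": False},
    {"user": "old_admin",   "last_logon": "2022-02-01", "pwd_last_set": "2022-02-01", "enabled": False, "admin": True},
]

# Constructed sample: inbound firewall rules in a flattened form.
FIREWALL_RULES = [
    {"name": "allow-https",    "proto": "tcp", "port": 443,  "source": "0.0.0.0/0"},
    {"name": "allow-rdp-any",  "proto": "tcp", "port": 3389, "source": "0.0.0.0/0"},
    {"name": "allow-rdp-jump", "proto": "tcp", "port": 3389, "source": "10.20.0.0/16"},
]

# Fixed reference date so the audit is reproducible offline.
REFERENCE_DATE = datetime(2024, 6, 1)


def _parse(date_str):
    """Parse an ISO date, returning None for a missing value (never logged on)."""
    return datetime.strptime(date_str, "%Y-%m-%d") if date_str else None


def dormant_accounts(accounts, days=90, now=REFERENCE_DATE):
    """Enabled accounts with no logon within `days`, or no recorded logon at all."""
    cutoff = now - timedelta(days=days)
    hits = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used as a foothold
        last = _parse(acct["last_logon"])
        if last is None or last < cutoff:
            hits.append(acct["user"])
    return hits


def stale_passwords(accounts, days=365, now=REFERENCE_DATE):
    """Enabled accounts whose password is older than `days`; admin accounts listed first."""
    cutoff = now - timedelta(days=days)
    hits = [a for a in accounts if a["enabled"] and _parse(a["pwd_last_set"]) < cutoff]
    hits.sort(key=lambda a: (not a["admin"], a["user"]))
    return [a["user"] for a in hits]


def exposed_rdp(rules):
    """Inbound rules that allow TCP/3389 from any IPv4 or IPv6 source."""
    return [
        r["name"] for r in rules
        if r["proto"] == "tcp" and r["port"] == 3389 and r["source"] in ("0.0.0.0/0", "::/0")
    ]


def audit(accounts=ACCOUNTS, rules=FIREWALL_RULES):
    """Run all three checks and return the findings keyed by exposure type."""
    return {
        "dormant": dormant_accounts(accounts),
        "stale_passwords": stale_passwords(accounts),
        "exposed_rdp": exposed_rdp(rules),
    }


if __name__ == "__main__":
    for kind, users in audit().items():
        print(f"{kind}: {users}")
```

Run against the constructed data, the audit flags `svc_backup` (a privileged service account that has not logged on in months and whose password dates from 2021), `contractor7` (never logged on), and the `allow-rdp-any` rule; the jump-host rule restricted to an internal range is left alone. Swapping the constructed lists for a real directory and firewall export is the only change needed to reuse the checks.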
The findings reiterate Rapid7's view on the need for threat detection and exposure management to be fast, unified, and context-aware, with the report stating that operationalising intelligence, asset knowledge, and automation should be core components of security strategy.
Law enforcement activity targeting underground forums and access brokers continues, but the report notes that access brokers maintain a persistent presence as a threat to organisations internationally. The role of access brokers in facilitating attacks remains steady amid ongoing takedowns and disruptions.