TELUS Digital Pwned By Shiny Hunters

Posted in Commentary with tags on March 13, 2026 by itnerd

Bleeping Computer is reporting that the notorious hacking group ShinyHunters has pwned TELUS Digital, which provides outsourced business services. Given that TELUS Digital likely has a lot of sensitive information in its possession, it would be a big target for threat actors.

Here’s what TELUS Digital said:

“TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely,” Telus told BleepingComputer.

“All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement. “

“We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”

The thing is, today is March 13th. Bleeping Computer found out about this in January, and TELUS Digital didn’t respond to Bleeping Computer at that time. Read into that what you will. What’s worse is that ShinyHunters apparently demanded $65 million in ransom. TELUS clearly didn’t pay up (and, by the way, nobody should ever pay threat actors). So here we are talking about it.

Sucks to be TELUS Digital.

Forward Edge-AI Releases The Global PQC Implementation Playbook

Posted in Commentary with tags on March 12, 2026 by itnerd

Forward Edge-AI today announced the release of The Global PQC Implementation Playbook, a structured twelve-month roadmap designed to guide governments and enterprises through full-scale post-quantum cryptography (PQC) adoption.

The Playbook provides a phased implementation framework spanning governance formation, cryptographic asset inventory, proof-of-concept validation, AI-driven orchestration, workforce certification, production deployment, and continuous readiness auditing. It translates policy mandates into executable operational steps.

The release comes as international regulatory alignment accelerates. The European Union has established formal migration expectations beginning in 2026 under NIS2 and DORA, with enforcement mechanisms and financial penalties for non-compliance. The EU post-quantum roadmap and associated regulatory frameworks are publicly documented and continue to shape global migration timelines. The NIS2, DORA, and EU roadmap can be accessed here.

The Playbook outlines seven sequential phases:

  1. Governance & Strategic Planning: Establishes national or enterprise-level PQC oversight structures aligned with digital trust policies.
  2. Cryptographic Asset Inventory: Uses structured assessment to map RSA, ECC, and legacy dependencies across critical systems.
  3. Proof of Concept (PoC) Demonstration: Deploys Isidore Quantum or comparable devices in controlled environments to validate integration, performance, and uptime.
  4. Cassian (or comparable program) Orchestration Enablement: Implements AI-driven fleet management for automated key generation, rekeying, and zeroization.
  5. Workforce Training & Capability Building: Certifies personnel on PQC operations, AI-assisted management, and compliance tracking.
  6. Full Production Deployment: Transitions prioritized infrastructure to quantum-safe cryptographic states.
  7. Continuous Monitoring & Readiness Auditing: Maintains long-term readiness through AI-driven monitoring, quarterly assessments, and compliance reporting.

The Playbook aligns with established governance and risk frameworks, including Quantum Readiness Index (QRI) domains and CSA 2025 standards, enabling organizations to demonstrate measurable quantum resilience at each stage of adoption.

Designed for government agencies, defense ministries, critical infrastructure operators, financial institutions, and multinational enterprises, The Global PQC Implementation Playbook provides a repeatable model for operationalizing quantum-safe migration without disrupting active systems.

A link to the full Playbook is available here: The Global PQC Implementation Playbook

The CISA orders agencies to patch actively exploited n8n vulnerability which enables server takeover

Posted in Commentary with tags on March 12, 2026 by itnerd

The CISA has ordered federal agencies to patch a remote code execution vulnerability in the n8n workflow automation platform that could allow attackers to steal stored credentials such as API keys, OAuth tokens, and passwords, or pivot into connected systems that rely on the automation platform.

Security researchers found that multiple vulnerabilities in n8n could allow attackers to execute commands on vulnerable systems, escape sandbox protections, and potentially take full control of affected servers. One flaw involves an expression injection vulnerability that allows attackers to submit malicious input that is evaluated by the platform, while a second issue can be chained to bypass sandbox protections and execute commands directly on the host system.

Because n8n often stores credentials used to connect to external services and infrastructure, researchers warned that a compromised instance could expose multiple integrated systems and sensitive data across an organization’s environment.
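The expression-injection class described above, as an added illustration that is not n8n’s code and makes no claim about how n8n evaluates expressions internally: a toy template engine written in the vulnerable shape (untrusted values are spliced into the template text before it is evaluated, so anything that looks like an expression inside them gets evaluated too) beside the hardened shape (untrusted values are bound as data and never re-parsed, and only an allow-listed subset of syntax is evaluated). The function names, the `{{ … }}` syntax and the sample template and field value are constructed for this example.

```python
import ast
import operator
import re

# Added illustration of expression injection in a template engine.
# Constructed example: this is NOT n8n's code and does not model its internals.

TOKEN = re.compile(r"\{\{(.*?)\}\}")   # {{ expression }} placeholders


def render_vulnerable(template: str, untrusted: dict) -> str:
    """Vulnerable pattern: untrusted values are substituted into the template
    TEXT first, then whatever {{ ... }} remains is evaluated as code.
    A field value that contains '{{ ... }}' is therefore evaluated too."""
    merged = template
    for key, value in untrusted.items():
        merged = re.sub(r"\{\{\s*" + re.escape(key) + r"\s*\}\}",
                        lambda _m, v=value: str(v), merged)
    # Deliberately unsafe: eval() on text the attacker may have influenced.
    return TOKEN.sub(lambda m: str(eval(m.group(1))), merged)  # noqa: S307


# Allow-listed binary operators for the hardened evaluator.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_eval(expr: str, ctx: dict):
    """Evaluate only literals, names bound in ctx, and + - *.
    Calls, attribute access, subscripts etc. are rejected outright."""
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in ctx:
                raise ValueError(f"unknown name: {node.id}")
            return ctx[node.id]          # returned as data, never re-parsed
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def expression_allowed(expr: str, ctx: dict) -> bool:
    """True if the restricted evaluator accepts the expression."""
    try:
        safe_eval(expr, ctx)
        return True
    except (ValueError, SyntaxError):
        return False


def render_hardened(template: str, untrusted: dict) -> str:
    """Hardened pattern: only the workflow author's template is parsed;
    untrusted values are variables in ctx, so '{{' inside them stays text."""
    return TOKEN.sub(lambda m: str(safe_eval(m.group(1), untrusted)), template)


if __name__ == "__main__":
    tpl = "Hello {{ name }}, you have {{ 2 + 1 }} open tasks"
    # Constructed: a submitted form field that happens to contain template syntax.
    data = {"name": "{{7*6}}"}
    print(render_vulnerable(tpl, data))   # the field value was evaluated
    print(render_hardened(tpl, data))     # the field value stayed literal text
```

The point of the hardened version is structural, not a filter: the evaluator never sees attacker-controlled text as syntax, so there is no block-list to bypass. A regex that strips `{{` from input (the “Post-it note” in the quote below) leaves the vulnerable shape in place.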

n8n has more than 50,000 weekly npm downloads and over 100 million Docker pulls.

John Carberry, Solution Sleuth, Xcape, Inc.:

   “Federal agencies are racing to patch n8n workflow automation servers following a CISA directive targeting an actively exploited expression injection vulnerability. Despite previous security updates, researchers discovered multiple bypasses (CVE-2026-25049 and CVE-2026-27577) that allow attackers to escape the platform’s sandbox and execute arbitrary code on the host system. This cycle of incomplete patching is particularly dangerous for automation tools that serve as a central repository for sensitive API keys and OAuth tokens across the Enterprise.

   “For security professionals, this highlights the fragility of relying on software-defined sandboxes when the underlying application logic remains inherently permissive. Defenders must prioritize immediate updates to version 1.76.3 or later and audit all connected service credentials for signs of lateral movement. We need to stop treating sandbox escapes as isolated bugs and recognize them as fundamental design failures that require more than a quick syntax fix.

   “Patching a sandbox escape with a regex filter is like trying to fix a leaky dam with a Post-it note.”

Denis Calderone, CTO, Suzu Labs:

   “n8n is under sustained assault from multiple angles right now, and CISA just confirmed this latest one is being actively exploited. We’ve seen four critical RCE vulnerabilities in just the last three months, and an active supply chain attack to boot.

   “At its core, n8n is a credential vault. It stores API keys, OAuth tokens, database passwords, cloud storage credentials for every service it connects to, and it connects to a lot of services. Compromise one n8n instance and you don’t just own the automation platform, you get the keys to every system it touches. Numerous vulnerabilities from VMware to Cisco to n8n have been bringing to light the inherited trust problem once again. The underlying issue here is that your management and orchestration tools carry the deepest trust in your environment, and attackers know it.

   “What makes this one particularly concerning is the attack surface. Shadowserver is tracking over 40,000 unpatched instances still sitting on the open internet, and researchers identified more than 100,000 potentially vulnerable deployments globally. The patch has been available since December. That’s three months of exposure while these things are being actively exploited, and exploitation apparently spiked over the Christmas holiday when teams were thin.

   “If you’re running n8n, patch immediately, audit what credentials are stored in it, and restrict who can create or edit workflows. Yes, n8n needs internet-facing endpoints for webhooks and forms, but that doesn’t mean the management interface and credential store should be exposed along with them. Separate your webhook endpoints from your admin panel, and put the editor behind a VPN or proper access controls.”

Vishal Agarwal, CTO, Averlon:

   “Automation platforms like n8n often sit in the middle of many internal systems and services, storing the API keys, tokens, and credentials needed to connect them. When vulnerabilities appear in these platforms, the real risk isn’t just the initial compromise. It’s the blast radius: what those stored credentials allow an attacker to reach next, and how far that reach extends across connected systems.

   “Even if the initial access comes from a regular user account, these vulnerabilities can expose much more powerful credentials stored within the platform. Organizations should not only patch quickly but also map the pathways those credentials create across their environment.”

I am glad that the CISA is around because it forces organizations to take cybersecurity seriously. Of course organizations have to take cybersecurity seriously. But that’s another story.

There Is A Deepfake Attack Every 5 Minutes Says Unidata

Posted in Commentary with tags on March 12, 2026 by itnerd

Deepfake fraud incidents jumped 257% in 2024 alone. In Q1 2025, more deepfake incidents were recorded than in all of 2024 combined. A deepfake attempt now hits an identity verification system every five minutes.

This is why iBeta Level 3 was launched in mid-2025 — the most demanding face anti-spoofing certification ever created.

Here’s what makes it unlike anything before:

  • Attackers get up to 7 days and unlimited budget to defeat your system
  • Hyper-realistic silicone masks built by professional special-effects artists
  • Deepfakes engineered to blink, smile, and respond to liveness prompts on command
  • Only systems blocking 95%+ of attacks pass — no exceptions

For context: Level 1 testers spend $30 and 8 hours. Level 3 has no cost ceiling.

The financial stakes are real: generative AI fraud losses are projected to hit $40 billion in the US by 2027. Deepfakes already account for 40% of all biometric fraud attempts. The tools to create them are cheap, accessible, and getting better every month.

They have published a detailed breakdown of what Level 3 actually tests, how it compares to previous standards, what vendors keep getting wrong before certification, and — perhaps most overlooked — why children’s biometrics remain a dangerous blind spot with no official testing track.

Full article: https://unidata.pro/blog/ibeta-level-3-new-standards/ 

University of Mississippi Medical Center Hack Claimed by Medusa

Posted in Commentary with tags on March 12, 2026 by itnerd

A ransomware group called Medusa today took credit for last month’s cyber attack on the University of Mississippi Medical Center.

UMMC shut down its clinics and cancelled appointments from February 19 to March 2, 2026 to contain the attack. The medical center lost access to phone lines, email, and patient records. 

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech: 

“The fact that Medusa has now added UMMC to its data leak site suggests a ransom hasn’t been paid — for the data at least. And its demand of $800,000, which is double the average across its other confirmed healthcare attacks from this group, could be for a number of reasons. It may be because Medusa believes the data it’s stolen from UMMC is of a higher value than others, or it could be because of how much publicity the attack has received. 

Whatever the reasoning for the high ransom and whatever the data is that has potentially been stolen, UMMC needs to provide patients and employees with an update as soon as possible. According to our data, the average breach on a healthcare provider following an attack via Medusa involves 195,000 records, which is a significant figure. Understandably, it takes organizations a long time to analyze the breached data and identify everyone who’s been affected (Bell Ambulance is a prime example with its recent increase in those affected from 114,000 to nearly 238,000), but if all employees and patients are aware of a potential data breach from the offset, it helps them mitigate the risks involved with a data leak. 

Anyone whose data is associated with UMMC should start monitoring their accounts for any unauthorized activity and should be on high alert for any potential phishing campaigns, especially those purporting to be from UMMC.”

Once again, healthcare is the target for threat actors. At this point this is not new information. The problem is that this keeps happening. And this needs to stop ASAP as attacks on the healthcare sector are out of control.

BlackSanta malware campaign targets HR departments with EDR-killing payload 

Posted in Commentary with tags on March 12, 2026 by itnerd

Researchers at Aryaka have identified a year-long cyber campaign in which attackers send corporate HR departments messages containing links to files disguised as job applications or resumes; the files install malware, dubbed BlackSanta, designed to disable security tools before stealing data.

The attack typically starts with victims downloading an ISO file hosted on cloud storage services, which contains seemingly legitimate documents and scripts. When opened, the file executes commands that download additional payloads and deploy the BlackSanta malware. The module functions as an “EDR killer,” disabling antivirus and endpoint detection and response tools at the kernel level, allowing attackers to operate on compromised systems with minimal resistance.

Once security controls are disabled, the malware can perform system reconnaissance, harvest credentials, and exfiltrate sensitive data from the compromised network. Researchers say the campaign specifically targets HR workflows because recruitment staff routinely open files from external applicants and may not scrutinize attachments as closely as security or IT teams, making them a practical entry point into enterprise environments.
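The ISO-based delivery chain described above is the part a mail gateway or SOC can act on before the EDR-killer ever runs. The following is an added example, not Aryaka’s detection logic or anything from the BlackSanta report: an attachment-triage routine that flags disk-image attachments, document-style double extensions (`Resume.pdf.iso`), images hidden inside a zip, and images renamed to a document extension by checking for the ISO 9660 `CD001` signature rather than trusting the file name. The extension lists beyond `.iso` and the sample attachments are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Added illustration (not Aryaka's code): triage of inbound attachments for the
# disk-image delivery pattern. Extensions other than .iso are an assumption.
DISK_IMAGE_EXT = {"iso", "img", "vhd", "vhdx"}
ARCHIVE_EXT = {"zip"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "rtf", "txt"}
ISO_SIGNATURE_OFFSET = 0x8001   # "CD001" follows the volume-descriptor type byte at 0x8000


@dataclass
class Finding:
    attachment: str
    reason: str


def looks_like_iso(data: bytes) -> bool:
    """Content check, so an image renamed to 'resume.pdf' is still caught."""
    return data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] == b"CD001"


def has_document_double_extension(name: str) -> bool:
    """e.g. Resume.pdf.iso: reads like a document, opens as a container."""
    parts = name.lower().split(".")
    return (len(parts) >= 3 and parts[-2] in DOCUMENT_EXT
            and parts[-1] in DISK_IMAGE_EXT | ARCHIVE_EXT)


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> List[Finding]:
    """Return every reason this attachment should be held for review."""
    findings: List[Finding] = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in DISK_IMAGE_EXT:
        findings.append(Finding(name, f"disk-image attachment (.{ext})"))
    if has_document_double_extension(name):
        findings.append(Finding(name, "document-style name with container extension"))
    if looks_like_iso(data) and ext not in DISK_IMAGE_EXT:
        findings.append(Finding(name, "ISO 9660 signature under a non-image extension"))
    if ext in ARCHIVE_EXT and depth < 2:          # look inside archives, two levels deep
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if not member.is_dir():
                        findings += inspect_attachment(f"{name}/{member.filename}",
                                                       zf.read(member), depth + 1)
        except zipfile.BadZipFile:
            findings.append(Finding(name, "archive could not be parsed"))
    return findings


def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each top-level attachment name to its list of findings (empty = clean)."""
    return {name: [f.reason for f in inspect_attachment(name, data)]
            for name, data in attachments.items()}


def build_samples() -> Dict[str, bytes]:
    """Constructed sample attachments. The 'ISO' is a minimal blob carrying only
    the volume-descriptor signature; no real image is embedded."""
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.iso", fake_iso)
    return {
        "John_Doe_Resume.pdf.iso": fake_iso,
        "application_pack.zip": buf.getvalue(),
        "resume.pdf": fake_iso,                 # image renamed to look like a document
        "cover_letter.txt": b"Dear hiring manager, ...",
    }


if __name__ == "__main__":
    for name, reasons in triage(build_samples()).items():
        print(f"{name}: {reasons or 'no findings'}")
```

Holding rather than silently dropping the flagged files matters for an HR mailbox, since a legitimate applicant occasionally does send an odd container; the goal is that recruitment staff never double-click an image file that Windows will happily mount.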

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

   “HR is a very practical point of entry. This has been a common attack path for a long time, so much so that fake resumes and job applications are taught as phishing lures because they work. HR staff are constantly interacting with unknown external people, opening files, and following up on inbound submissions as part of normal business, which makes them much easier to target than users in IT or finance, who are usually more security conscious and more conditioned to be suspicious.

   “A foothold is a foothold. Attackers do not need to land on the most privileged user first if they can compromise a softer target, establish access, and move laterally from there. HR is attractive because it combines lower resistance with real value. Even if it does not always have the same technical access as IT or the same direct financial access as finance, it often holds a broad set of personal information on both employees and applicants. That data can be stolen, resold, reused in future phishing and social engineering, or leveraged for broader fraud and identity theft.

   “This is not some new or surprising attack path. Most of the tradecraft involved is well known and has become fairly standard across the criminal ecosystem. Using an ISO to get past boundary level detections is a common technique, and the layered execution and EDR tampering here are a good example of how capabilities that once felt more specialized have become easier to obtain and reuse.

   “That broader commercialization matters. Advanced tooling, stolen information, and even direct access are now routinely bought, sold, shared, and reused, which keeps lowering the barrier to entry.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “The bigger risk isn’t the initial HR compromise. It’s what those compromised credentials or systems can reach. In many environments, HR processes intersect with identity and access workflows, which means an initial foothold can potentially lead to broader access across the organization if permissions and controls are not tightly managed.

   “Many environments still have overly broad permissions that allow attackers to move laterally once they gain a foothold. Organizations need to understand how identities and privileges become part of attack chains, not just focus on the endpoint where the malware first lands.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The BlackSanta campaign utilizes malicious ISO files disguised as job applications to deliver a specialized “EDR killer” payload to corporate targets. This malware operates at the kernel level to systematically disable antivirus and endpoint detection tools, effectively blinding security operations centers before data exfiltration begins.

   “For security professionals, this represents a critical escalation in the arms race between attackers and defensive telemetry. When an adversary can reliably neuter the primary visibility tool of the modern enterprise, the entire incident response playbook is rendered obsolete. While HR departments remain a vulnerable entry point due to their operational need to open external files, the true threat lies in the sophisticated ability of this malware to achieve total silence on the host.

   “Defenders must pivot toward a defense-in-depth strategy that includes robust application control and the enforcement of “least privilege” for kernel-level drivers. Implementing hardware-backed security features and isolated environments for processing untrusted external documents can help mitigate the risk when endpoint agents are compromised.

   “If the EDR can’t see the fire, the whole building burns down before the first alarm sounds.”

This is a scary one as this attack kills the canary in the coal mine so there are no warnings. Thus it’s a good time to look at what you can do to make this less of a threat.

Guest Post: Pro-Iranian Hackers Are Ramping Up Attacks – and Cyberwar Is Spilling into Everyday Life

Posted in Commentary with tags on March 12, 2026 by itnerd

By Stefanie Schappert

From hospital supply chains to payment networks, the latest Iran-linked cyber threats show how geopolitical retaliation can disrupt the companies and services people depend on every day.

Verifone and Stryker Bring Cyberwar Closer to Home

Verifone and Stryker are the clearest signs yet that cyberwar is no longer confined to government agencies or military systems.

In less than a day on Wednesday, the Iran-linked hacktivist group Handala claimed attacks on both companies – Verifone, a major payments provider with strong ties to Israel, and Stryker, one of the biggest medical technology firms in the US.

In Stryker’s case, the fallout appeared far bigger than ordinary corporate IT downtime.

The group claimed it wiped more than 200,000 systems, servers, and mobile devices and stole 50TB of data. It also said the attack forced shutdowns across Stryker offices in 79 countries, though Stryker says it operates in 61 countries and impacts more than 150 million patients annually.

What’s more, more than 5,000 workers at Stryker’s Ireland hub were reportedly sent home, while healthcare providers in the US struggled to order surgical supplies through the company, according to KrebsOnSecurity. 

AOL reported that the disruption also affected Lifenet, a platform used by emergency responders to send patient data to hospitals.

That is what makes this story more than another burst of geopolitical cyber noise – it shows how retaliation abroad can hit the companies and systems ordinary people rely on every day.

Iran-Linked Threats Are Already Multiplying Online

The threat is not limited to one or two headline-grabbing incidents. In an early March advisory, Sophos warned that likely tactics could include website defacements, DDoS attacks, ransomware, destructive wipers, hack-and-leak operations, phishing, and password spraying.

Researchers also say the infrastructure for the next wave may already be in place. ThreatLabz identified more than 8,000 newly registered domains tied to the Middle East conflict, warning that many may still be “weaponized or used in threat campaigns in the near future.”

The lures include fake news blogs, conflict-themed malware files, and other content designed to exploit panic and curiosity while tensions remain high.

At the same time, more sophisticated Iranian-linked operators do not appear to be starting from scratch.

In my recent Cybernews reporting on Seedworm, the Iran-backed espionage group was found maintaining access to multiple organizations since early February – before the current escalation became front-page news – with targets spanning banking, aviation, technology, and nonprofit organizations.

The Easiest Way in Is Still Human Error

Cyberwar is no longer a niche story about espionage and classified systems, but has moved into the mainstream.

US cyber agencies warned last June (after the US bombed Iran’s nuclear facilities), that Iranian cyber actors often exploit familiar weaknesses – including unpatched software, known vulnerabilities, and default or commonly used passwords on internet-connected accounts and devices.

Those risks are also getting easier to scale. 

CrowdStrike’s latest threat reporting says AI is “scaling attacks and lowering barriers to entry,” turning it into both a force multiplier for cyberattacks and a new attack surface.

AI is allowing threat groups to move faster, generate more convincing phishing lures, and automate more of the attack chain than many defenders are prepared for.

We have seen this playbook before. Russia’s GRU-linked Sandworm hackers were blamed for disruptive attacks on Ukraine’s power grid, including a 2022 incident that researchers said coincided with missile strikes and triggered power cuts.

And after the October 7 attacks, US agencies warned that Iran-linked actors had targeted US water and wastewater facilities by exploiting Unitronics PLCs used in industrial control systems.

All because the PLCs were Israeli-made – once again, proving how quickly geopolitical cyber retaliation can move from symbolism to systems that touch everyday life.

For organizations, that means patching faster, locking down internet-facing devices, turning on MFA, and training employees on the latest phishing lures.

For everyone else, it is a reminder that human error is still one of the easiest ways in – and that the next disruption may hit not a government target, but the companies people depend on without thinking twice.

ABOUT THE AUTHOR

Stefanie Schappert, a senior journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019.  She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News.  With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. Earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google.  Member of Women’s Society of Cyberjutsu (WSC), Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines.

Cybernews is a globally recognized independent media outlet where journalists and security experts debunk cyber by research, testing, and data. Founded in 2019 in response to rising concerns about online security, the site covers breaking news, conducts original investigations, and offers unique perspectives on the evolving digital security landscape. Through white-hat investigative techniques, Cybernews research team identifies and safely discloses cybersecurity threats and vulnerabilities, while the editorial team provides cybersecurity-related news, analysis, and opinions by industry insiders with complete independence. For more, visit www.cybernews.com.

Samsung’s New Offerings Are Now Available For Purchase

Posted in Commentary with tags on March 12, 2026 by itnerd

Following the recent unveiling at Unpacked, Samsung’s newest Galaxy devices are now officially available in stores and online across Canada.

The new Samsung Galaxy S26 Series, including the Galaxy S26, S26+, and S26 Ultra, brings next-generation performance, AI-powered experiences, and enhanced camera capabilities to Samsung’s flagship lineup. Joining the launch is the Samsung Galaxy Buds4 Series and the new Samsung Galaxy Book6 Series, expanding the Galaxy ecosystem with upgraded audio and AI-powered productivity. 

For more information about the Galaxy S26 series and the other products that are now available, please visit Samsung Canada.

Stryker Pwned By Iran Backed Hackers

Posted in Commentary with tags on March 12, 2026 by itnerd

US medical company Stryker has been pwned in a cyber attack by Iran-backed cybercriminals. Here are some details on this attack:

Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.

The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.

The hackers claim to have wiped more than 200,000 servers, mobile devices, and other systems, forcing Stryker to shut down offices in 79 countries. They also allegedly stole 50TB of data from the company’s systems. 

Handala has been highly active since the start of the US-Israel-Iran conflict.

Lee Sult, Chief Investigator, Binalyze had this to say:

“The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organizations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.

“An attack like this is about damage and spreading chaos. Handala is using a scorched earth approach, they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk. 

“Speed is everything when attacks like this happen. Investigation can’t be an afterthought; organizations need to know if the attackers are still inside systems, which systems are impacted, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.

“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organizations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35. But it’s also about reinforcing the basics: software needs to be patched, phishing-resistant MFA enabled, and having a clear plan to isolate devices and systems when suspicious activity arises. In firefighting terms, it’s time to cancel vacations and pre-stage your fire companies near critical assets.”

The age of hybrid warfare has clearly begun. That means that every single one of us needs to re-evaluate how secure we are and take the steps required to make sure that it is as hard as possible for a threat actor to pwn you. Given the state of the world at the moment, this isn’t optional anymore.

UPDATE: Ensar Seker, CISO at SOCRadar, has provided the following commentary: 

“Claims like wiping 200,000 devices and extracting tens of terabytes of data should be treated cautiously until independently verified. Hacktivist groups often exaggerate operational impact for psychological effect. However, even if the scale is smaller than claimed, a wiper-style attack against a global medical technology company is serious because it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains, and patient care environments.

What makes this incident notable is the alleged use of enterprise management infrastructure to execute a destructive campaign. If attackers gained access to tools such as mobile device or endpoint management platforms, they could push destructive commands at scale across thousands of systems almost instantly. That shifts the attack from traditional ransomware or espionage into a coordinated operational disruption, which is consistent with the tactics we increasingly see in geopolitically motivated hacktivism tied to regional conflicts.

Groups like Handala represent the blurred line between hacktivism, state alignment, and information operations. Many of these actors position themselves as ideological collectives, but their campaigns often align with broader geopolitical narratives. Targeting a global medical technology provider may be intended less as a financially motivated attack and more as a symbolic demonstration that Western critical industries can be disrupted during geopolitical tensions.

Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets. Companies in healthcare, manufacturing, and critical supply chains should prioritize stronger identity security around administrative tools, strict segmentation of device-management platforms, and continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes. In many modern attacks, the damage is done not through sophisticated malware but through the abuse of legitimate enterprise management capabilities.”
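The “continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes” recommendation in the commentary above is concrete enough to show in code. The following is an added example, not SOCRadar’s tooling or anything from the Stryker investigation: a sliding-window detector that reads MDM/endpoint-management audit events and raises an alert when one actor issues a destructive or bulk action against more than a threshold of targets inside a short window. Real products have their own audit formats, so the `timestamp actor action target` line shape, the action names, the threshold and window, and the sample log lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Added illustration (not SOCRadar's or any vendor's code): detect one actor
# issuing many destructive/bulk management actions in a short window.
# Constructed audit-log shape: "<ISO-8601 UTC> <actor> <action> <target>".
SAMPLE_LOG = """\
2026-03-11T02:00:01Z admin.jsmith DEVICE_WIPE device-0001
2026-03-11T02:00:02Z admin.jsmith DEVICE_WIPE device-0002
2026-03-11T02:00:02Z admin.jsmith DEVICE_WIPE device-0003
2026-03-11T02:00:03Z admin.jsmith DEVICE_WIPE device-0004
2026-03-11T02:00:03Z admin.jsmith DEVICE_WIPE device-0005
2026-03-11T02:00:04Z admin.jsmith DEVICE_WIPE device-0006
2026-03-11T09:15:00Z helpdesk.amy DEVICE_WIPE device-0417
2026-03-11T09:16:10Z helpdesk.amy PROFILE_UPDATE device-0417
2026-03-11T16:40:00Z helpdesk.amy DEVICE_WIPE device-0522
2026-03-11T10:00:00Z svc.mdm BULK_CONFIG_PUSH group-sales
2026-03-11T10:12:00Z svc.mdm BULK_CONFIG_PUSH group-eng
"""

# Actions worth counting; constructed names, map them to your product's audit vocabulary.
MASS_ACTIONS = {"DEVICE_WIPE", "BULK_CONFIG_PUSH", "REMOTE_LOCK"}
THRESHOLD = 5                     # distinct actions by one actor ...
WINDOW = timedelta(minutes=10)    # ... within this window raise an alert

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Event:
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target


def detect_mass_actions(log_text: str, threshold: int = THRESHOLD,
                        window: timedelta = WINDOW) -> List[dict]:
    """One alert per (actor, action) burst; the alert keeps growing while the
    burst continues so responders see the full set of affected targets."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    active: Dict[Tuple[str, str], dict] = {}
    alerts: List[dict] = []
    for ts, actor, action, target in events:
        if action not in MASS_ACTIONS:
            continue
        key = (actor, action)
        q = recent[key]
        q.append((ts, target))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            if key not in active:
                active[key] = {"actor": actor, "action": action, "first": q[0][0].isoformat()}
                alerts.append(active[key])
            active[key].update(count=len(q), last=ts.isoformat(),
                               targets=[t for _, t in q])
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_actions(SAMPLE_LOG):
        print(f"ALERT {alert['actor']} issued {alert['count']} x {alert['action']} "
              f"between {alert['first']} and {alert['last']}: {alert['targets']}")
```

In the constructed log, `admin.jsmith` wiping six devices in four seconds trips the rule, while the help-desk user’s two wipes hours apart and the service account’s two pushes twelve minutes apart do not. In practice the threshold should sit just above the largest legitimate batch an administrator performs, and the alert should be routed somewhere independent of the management platform itself, since that platform is exactly what the commentary describes being abused.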

Cybercriminals now sell corporate network access for as little as $500

Posted in Commentary with tags on March 12, 2026 by itnerd

A new threat intelligence report from Abstract’s Threat Research Organization (ASTRO) will reveal that the cybercrime economy has industrialized network breaches, with specialized criminals now selling pre-compromised access to corporate networks for as little as $500.

Abstract’s report, “Priced to Move: The Underground Markets of Modern Cyberattacks,” examines the rapidly growing ecosystem of Initial Access Brokers (IABs): attackers who break into organizations and then sell that access to ransomware gangs and other threat actors.

Key findings from the research include:

  1. Credential abuse is now the dominant entry point. 56% of incidents involved valid accounts without MFA.
  2. Ransomware attacks surged 47% year over year, fueled by the growth of this underground access market.
  3. Network access often sells for $500–$1,000, allowing attackers to target dozens of organizations simultaneously.
  4. Median time from initial compromise to ransomware deployment has dropped to just five days.
  5. Healthcare, government, and education are among the sectors seeing the fastest growth in IAB-driven attacks.

The economics are striking. The report details a healthcare breach where $2,200 worth of purchased access ultimately resulted in nearly $4 million in damage, a roughly 1,700x return on investment for attackers.

ASTRO says the rise of access brokers has fundamentally changed how cybercrime operates, turning network intrusions into a specialized supply chain where one group gains access, another sells it, and ransomware gangs monetize it.

You can read the research here: https://abstract.security/reports/priced-to-move