Researchers at ReliaQuest have found a new Tor-based data leak site called "ALP-001." The platform recently appeared on the dark web and claims to be a complete collection of data leaks as well as an access market. New extortion sites appear constantly in today's threat landscape, but this one is different.

Threat intelligence analysts have linked the operators of ALP-001 to a well-known and highly active Initial Access Broker who operates on underground criminal forums. This change in the group's operations signals a shift in strategy: rather than only selling initial network access, the threat actors are now directly extorting the organizations they have compromised.

Attack Vectors and Threat Evaluation

The operators of the ALP-001 platform have demonstrated a clear and highly effective approach to breaking into networks around the world. Their primary method is to monetize compromised perimeter technology and remote access gateways. Rather than relying on elaborate phishing schemes or social engineering, the group targets weak internet-facing infrastructure.

The network access they sell frequently consists of compromised File Transfer Protocol (FTP) and Secure Shell (SSH) servers. They also routinely exploit unpatched vulnerabilities or weak administrative passwords on enterprise-grade remote access solutions; the products and services involved include Fortinet, Cisco, and Citrix appliances, Remote Desktop Web Access, and GlobalProtect. By exploiting weaknesses in these critical boundary defenses, the broker quietly gains a foothold in high-value corporate environments.

Figure: Broker for Leak Site (Source: ReliaQuest)

Defense Strategies That Work

Because this threat group actively sells valid remote access and administrative credentials, organizations need to invest heavily in protecting their network perimeters and watching for unauthorized internal access. The first critical step is hardening the perimeter. Security teams should promptly audit and patch all edge devices, paying special attention to Fortinet, Cisco, and Citrix virtual private networks, firewalls, and remote desktop gateways.

To deny this group its preferred initial access methods, it is essential that these internet-facing assets run the most recent firmware and security updates.

Figure: Leak Site Tied Broker (Source: ReliaQuest)

ReliaQuest's research shows that defenders should not only patch their systems regularly but also hunt for signs of persistence in their environments.

This means continuously looking for unusual administrative activity, unauthorized remote sessions, or unexpected changes to user privileges. Because data extortion is central to the ALP-001 operation, security staff also need to watch for anomalous outbound data transfers, especially over protocols such as FTP or Secure Copy Protocol (SCP). Finally, strict identity controls are essential.

To deny this growing extortion group the use of stolen credentials, organizations should require multi-factor authentication on all remote access points and conduct regular, thorough audits of privileged accounts.
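As an added illustration of the hunting guidance above (not code from ReliaQuest or from the article), the following Python sketch runs two simple detections over constructed log lines: large outbound flows to non-RFC 1918 addresses on the FTP and SSH ports, and a persistence chain on a gateway host consisting of an administrative login from an external address followed shortly by account creation and a privileged-group addition. The log layouts, field names, hostnames, addresses and the 500 MB threshold are all assumptions chosen for the example.

```python
"""Detection sketch for two behaviours named in the article: anomalous outbound
FTP/SCP transfers and unexpected privilege changes after remote access.
All log lines below are constructed; layouts and thresholds are assumptions."""
import ipaddress
import re
from datetime import datetime

# Constructed flow records: timestamp, src_ip, dst_ip, dst_port, bytes_out.
# Port 21 is the FTP control channel; SCP and SFTP ride on SSH (port 22).
FLOW_LOG = """\
2024-03-12T03:14:07Z,10.20.1.15,10.20.5.9,22,48210
2024-03-12T03:15:02Z,10.20.1.15,203.0.113.45,22,912000000
2024-03-12T03:20:41Z,10.20.1.22,198.51.100.7,21,1350000000
2024-03-12T09:02:13Z,10.20.1.30,203.0.113.45,443,58000
2024-03-12T09:05:55Z,10.20.1.22,10.20.5.9,21,7200000
"""

# Constructed auth-log lines in the style of Linux sshd/useradd/usermod syslog output.
AUTH_LOG = """\
Mar 12 03:10:44 vpn-gw sshd[1188]: Accepted password for admin from 203.0.113.45 port 51122 ssh2
Mar 12 03:12:01 vpn-gw useradd[2190]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 12 03:12:30 vpn-gw usermod[2201]: add 'svc_backup' to group 'sudo'
Mar 12 08:00:00 vpn-gw sshd[3301]: Accepted publickey for ops from 10.20.1.30 port 40112 ssh2
"""

FILE_TRANSFER_PORTS = {21: "FTP", 22: "SSH/SCP"}
# Assumed tuning value: a single outbound flow above 500 MB on a transfer port.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
# Internal space is defined explicitly as RFC 1918 rather than via
# ipaddress.is_private, which also treats the TEST-NET ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIV_GROUPS = {"sudo", "wheel", "admin", "root"}

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),")
GROUPADD_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def is_external(ip):
    """True when the address falls outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_outbound_transfers(flow_log, threshold=LARGE_TRANSFER_BYTES):
    """Alert on large outbound flows to external hosts on FTP/SSH ports."""
    alerts = []
    for line in flow_log.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        port, nbytes = int(port), int(nbytes)
        if port in FILE_TRANSFER_PORTS and is_external(dst) and nbytes >= threshold:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "proto": FILE_TRANSFER_PORTS[port], "bytes": nbytes})
    return alerts


def detect_privilege_changes(auth_log):
    """Alert on new accounts, additions to privileged groups, and interactive
    logins to the gateway from external addresses."""
    alerts = []
    for line in auth_log.strip().splitlines():
        if m := USERADD_RE.search(line):
            alerts.append({"type": "new_account", "user": m.group(1), "line": line})
        elif (m := GROUPADD_RE.search(line)) and m.group(2) in PRIV_GROUPS:
            alerts.append({"type": "priv_group_add", "user": m.group(1),
                           "group": m.group(2), "line": line})
        elif (m := LOGIN_RE.search(line)) and is_external(m.group(2)):
            alerts.append({"type": "external_admin_login", "user": m.group(1),
                           "src": m.group(2), "line": line})
    return alerts


def _syslog_time(line):
    # Syslog timestamps carry no year; the default year is fine for differences.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def persistence_sequences(alerts, window_seconds=600):
    """Pair each external admin login with account or privilege changes that
    follow it within the window: the persistence chain worth hunting for."""
    chains = []
    changes = [a for a in alerts if a["type"] in ("new_account", "priv_group_add")]
    for login in (a for a in alerts if a["type"] == "external_admin_login"):
        t0 = _syslog_time(login["line"])
        followed = [c["user"] for c in changes
                    if 0 <= (_syslog_time(c["line"]) - t0).total_seconds() <= window_seconds]
        if followed:
            chains.append((login["src"], followed))
    return chains


if __name__ == "__main__":
    for a in detect_outbound_transfers(FLOW_LOG):
        print(f"[exfil?] {a['time']} {a['src']} -> {a['dst']} {a['proto']} {a['bytes']} bytes")
    auth_alerts = detect_privilege_changes(AUTH_LOG)
    for src, users in persistence_sequences(auth_alerts):
        print(f"[persistence] external login from {src} followed by changes to {users}")
```

Run against the constructed data, the flow detector flags the two transfers to 203.0.113.45 and 198.51.100.7 and ignores the internal copies and the HTTPS session, while the auth detector chains the external login from 203.0.113.45 to the creation of svc_backup and its addition to the sudo group two minutes later. In production the same logic would read from flow and authentication telemetry rather than embedded strings, and the byte threshold and privileged-group list would be tuned per environment.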