Executive Summary
In May 2023, law enforcement identified Feras Khalil Ahmad Albashiti—a Jordanian national—operating as an initial access broker, selling unauthorized access to over 50 corporate networks via an underground cybercrime forum. Acting under the handle "r1z," Albashiti exchanged credentials for cryptocurrency on at least one occasion with an undercover officer, exposing illicit sales tied to fraud and abuse of privileged network access. Arrested in Georgia and extradited to the US in July 2024, he pleaded guilty to charges of fraud involving access credentials. Sentencing is scheduled for May 2026, with potential penalties of up to 10 years imprisonment and substantial fines.
This case highlights the increasingly organized role of initial access brokers in cybercrime, where privileged access is sold to facilitate ransomware, espionage, and data theft. The incident underscores ongoing risks posed by the thriving market for stolen credentials used to compromise enterprise environments.
Why This Matters Now
Initial access brokers remain critical to the cybercrime ecosystem, enabling rapid penetration of organizational networks by ransomware groups and other threat actors. The exposure and prosecution of such brokers signal law enforcement’s increased scrutiny, but the market for stolen credentials and network access continues to fuel high-impact attacks, making robust identity and access management an urgent priority.
Attack Path Analysis
The attacker gained initial access by obtaining and selling corporate credentials, which allowed authenticated entry into victim networks. Upon access, the attacker (or their buyers) potentially escalated privileges to access sensitive areas. Lateral movement enabled further infiltration of internal systems, often traversing regions or workloads. Persistent command and control channels were established to maintain remote access and coordinate with buyers. Data was likely exfiltrated to external destinations or staging areas for sale. Ultimately, the impact varied by buyer, but typically involved data theft or enabling follow-on attacks such as ransomware or extortion.
Kill Chain Progression
Initial Compromise
Description
Adversary gained entry via stolen or purchased credentials that allowed network authentication.
Related CVEs
CVE-2025-31324
CVSS 10An unrestricted file upload vulnerability in SAP NetWeaver allows unauthenticated attackers to upload malicious binaries, leading to remote code execution.
Affected Products:
SAP NetWeaver – All versions prior to April 2025 patch
Exploit Status:
exploited in the wildCVE-2024-1708
CVSS 9.8A path traversal vulnerability in ConnectWise ScreenConnect allows attackers to reset administrative credentials and gain unauthorized access.
Affected Products:
ConnectWise ScreenConnect – All versions prior to January 2024 patch
Exploit Status:
exploited in the wildCVE-2024-1709
CVSS 9.8An authentication bypass vulnerability in ConnectWise ScreenConnect allows attackers to reset administrative credentials and gain unauthorized access.
Affected Products:
ConnectWise ScreenConnect – All versions prior to January 2024 patch
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
These techniques reflect common initial access broker tradecraft and are aligned for security program SEO and mapping. Full STIX/TAXII enrichment may be appended for deeper analysis.
Valid Accounts
Gather Victim Identity Information
Compromise Accounts
Obtain Capabilities: Tool
Windows Management Instrumentation
Command and Scripting Interpreter
Indicator Removal on Host: File Deletion
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Identity Management and Access Control
Control ID: Identity Pillar, Maturity Level: Initial
NIS2 Directive – Access Control Policies
Control ID: Article 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Initial access brokers targeting 50+ corporate networks pose severe threats requiring enhanced egress security, zero trust segmentation, and anomaly detection capabilities.
Information Technology/IT
IT infrastructure companies face heightened risks from credential-based attacks, necessitating multicloud visibility, encrypted traffic protection, and kubernetes security enforcement measures.
Health Care / Life Sciences
Healthcare networks vulnerable to initial access broker attacks require HIPAA-compliant east-west traffic security, threat detection systems, and secure hybrid connectivity solutions.
Computer Software/Engineering
Software companies targeted by access brokers need comprehensive cloud firewall protection, inline IPS capabilities, and cloud native security fabric implementations.
Sources
- Jordanian pleads guilty to selling access to 50 corporate networkshttps://www.bleepingcomputer.com/news/security/jordanian-pleads-guilty-to-selling-access-to-50-corporate-networks/Verified
- Jordanian Man Admits Selling Unauthorized Access to Computer Networks of 50 Companieshttps://www.justice.gov/usao-nj/pr/jordanian-man-admits-selling-unauthorized-access-computer-networks-50-companiesVerified
- Jordanian initial access broker pleads guilty to helping target 50 companieshttps://therecord.media/guilty-plea-initial-access-broker-r1zVerified
- SAP Zero-Day Possibly Exploited by Initial Access Brokerhttps://www.securityweek.com/sap-zero-day-possibly-exploited-by-initial-access-broker/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust and CNSF controls such as network segmentation, east-west traffic security, egress policy enforcement, and multi-cloud visibility would have limited unauthorized credential use, lateral movement, data exfiltration, and persistent attacker presence. Implementing layered security with encryption, microsegmentation, and threat detection could have greatly constrained the kill chain progression.
Control: Zero Trust Segmentation
Mitigation: Limits initial access scope and blocks unauthorized resource interaction.
Control: Cloud Native Security Fabric (CNSF) & Threat Detection & Anomaly Response
Mitigation: Detects unusual privilege changes and enforces policy boundaries.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized lateral network movement.
Control: Cloud Firewall (ACF) & Threat Detection & Anomaly Response
Mitigation: Detects and blocks suspicious outbound channels to C2 infrastructure.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized data egress to unapproved destinations.
Accelerates detection and response to minimize operational impact.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Integrity
- Operational Continuity
Estimated downtime: 5 days
Estimated loss: $500,000
Unauthorized access to sensitive corporate data, including intellectual property and customer information, leading to potential data breaches and regulatory penalties.
Recommended Actions
Key Takeaways & Next Steps
- • Implement identity-based Zero Trust Segmentation to tightly constrain user and workload access paths.
- • Deploy east-west traffic security controls to prevent lateral movement across workload clusters and cloud regions.
- • Enforce strict egress policies and encrypted data-in-transit controls to block unauthorized outbound data flows and C2 activity.
- • Establish real-time threat detection and anomaly response to rapidly identify suspicious authentication and privilege escalation events.
- • Centralize multi-cloud visibility and policy enforcement to quickly detect, investigate, and respond to access broker and credential threat activity.
