The cybercrime underground has long functioned as an open market where sellers of services are paired with buyers and contractors. One of the most valuable commodities in this market is stolen credentials, since they can provide attackers with access to networks, databases, and other assets owned by organizations. It is no surprise to see cybercriminals focused on this valuable commodity.
“Last year, 4,518 data breaches were reported,” researchers from Flashpoint said in a new report. “Threat actors exposed or stole 22.62 billion credentials and personal records, ranging from account and financial information to emails and Social Security numbers.” Over 60% of these credentials and other details were stolen from organizations in the information sector, and these organizations often host data for customers from many other industries.
Flashpoint, which specializes in cyber threat intelligence, constantly monitors cybercriminal markets, forums, and other communication channels. So far its database of threat intel includes 575 million posts on illegal forums, 3.6 billion chat messages, 39 billion compromised credentials, 85 billion unique email/password credentials, and over 2 billion credit card numbers that were stolen and then shared among cybercriminals.
“The proliferation of illegally obtained data gives threat actors ample opportunities to bypass organizational security measures and controls—empowering ransomware groups like LockBit to hold data for ransom, or sell or expose it on illicit markets.”
Ransomware’s service-based models
Most ransomware gangs operate on a service-based model. The group pays contractors called affiliates to break into networks, obtain administrative access and deploy its ransomware program in exchange for a large cut of any ransom payments victims make. Many of these affiliates in turn buy access to networks from other cybercriminals called initial access providers, and these providers often rely on stolen credentials to gain that access, especially credentials for remote access services such as VPNs and Remote Desktop Protocol (RDP).
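The initial-access pattern described above, stolen VPN or RDP credentials bought by an affiliate and then used to log in, is one a defender can look for in remote-access logs. The following is an added example, not code from the article or from Flashpoint. It assumes a simplified key=value log format (constructed here for illustration) and flags two patterns: a successful logon preceded by a burst of failures on the same account from one source address, and a single source address logging in as several different accounts within a short window.

```python
"""Added example: flag remote-access logons that look like use of stolen or
guessed credentials.  The log format, thresholds and sample data below are
assumptions made for this example, not any vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source hammering a single account and then
# succeeding, and a second source succeeding as several users in a few minutes.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL service=rdp
2023-03-01T10:00:03Z src=198.51.100.7 user=alice result=FAIL service=rdp
2023-03-01T10:00:05Z src=198.51.100.7 user=alice result=FAIL service=rdp
2023-03-01T10:00:07Z src=198.51.100.7 user=alice result=FAIL service=rdp
2023-03-01T10:00:09Z src=198.51.100.7 user=alice result=FAIL service=rdp
2023-03-01T10:00:12Z src=198.51.100.7 user=alice result=SUCCESS service=rdp
2023-03-01T10:05:00Z src=203.0.113.9 user=bob result=SUCCESS service=vpn
2023-03-01T10:06:10Z src=203.0.113.9 user=carol result=SUCCESS service=vpn
2023-03-01T10:07:30Z src=203.0.113.9 user=dave result=SUCCESS service=vpn
2023-03-01T11:00:00Z src=192.0.2.44 user=erin result=SUCCESS service=vpn
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_suspicious_logons(log_text, window=timedelta(minutes=10),
                             fail_threshold=5, distinct_user_threshold=3):
    """Return a list of alert dicts for the two patterns described above."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    alerts = []
    recent_fails = defaultdict(list)     # (src, user) -> failure timestamps
    recent_success = defaultdict(list)   # src -> [(timestamp, user)] successes

    for ev in events:
        src, user, ts = ev["src"], ev["user"], ev["ts"]

        if ev["result"] == "FAIL":
            key = (src, user)
            recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
            recent_fails[key].append(ts)
            continue

        # Rule 1: success after a burst of failures on the same account from
        # the same source within the window (guessing or credential stuffing).
        fails = [t for t in recent_fails[(src, user)] if ts - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": user, "failures": len(fails),
                           "ts": ts.isoformat()})

        # Rule 2: one source succeeding as several distinct accounts within
        # the window (reuse of a batch of stolen credentials).  Fires on every
        # further success from that source once the threshold is reached.
        recent_success[src] = [(t, u) for t, u in recent_success[src]
                               if ts - t <= window]
        recent_success[src].append((ts, user))
        users = {u for _, u in recent_success[src]}
        if len(users) >= distinct_user_threshold:
            alerts.append({"type": "many_accounts_one_source", "src": src,
                           "users": sorted(users), "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logons(SAMPLE_LOG):
        print(alert)
```

The window and both thresholds are assumptions to be tuned against a local baseline. The second rule will also fire for legitimate shared egress addresses such as NAT gateways or jump hosts, so an allow list of known shared sources is the usual next step before routing these alerts to an analyst.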
The most successful ransomware group in 2022 was LockBit, whose activity spiked after another notorious ransomware gang called Conti shut down its operations in May. LockBit managed to attract many of Conti’s former collaborators by revamping its affiliate program with better deals.
Last year Flashpoint recorded 3,164 victims that ransomware gangs listed publicly, an increase of 7% over the previous year. Based on trends seen in 2023, the company estimates the number of victims this year is on track to exceed the 2022 figure.
“Unlike most modern organizational security teams, threat actors don’t operate in silos, and instead pool resources while learning from one another,” the company said. “Flashpoint is finding that adept threat actors and ransomware gangs increasingly share code, in addition to tactics, tools, and procedures—largely due to the proliferation of illicit markets.”
Just as ransomware gangs come and go in what seems like a never-ending cycle of rebranding, illegal markets do, too. While there have been several law enforcement takedowns or self-shutdowns of large and long-running cybercrime markets — SSNDOB, RaidForums, and Hydra being some notable ones — others quickly popped up to take their place. Cybercriminals usually maintain alternative communication channels like Telegram, where they can keep each other informed and promote new alternative markets after one disappears. In fact, just last year Flashpoint recorded 190 new illicit markets emerging. One forum advertised as a replacement for RaidForums rose from 1,500 members in March 2022 to over 190,000 by November.
“Illicit markets directly impact data breaches and cyberattacks,” Flashpoint said. “Fraudsters, initial access brokers, ransomware groups, and advanced persistent threat (APT) groups alike turn to these markets, shops, and forums to trade in stolen credentials and personal records, which are leveraged in a variety of illicit activities.”
How do attackers obtain credentials?
Data breaches are one of the top sources of exposed credentials, but while the top cause of individual data breaches is hacking, this method is responsible for only 28% of the leaked credentials and records that make their way onto underground markets. Over 71% of credentials and personal records were leaked from only 5% of data breaches and were the result of misconfigurations of databases and services.
“This data shows that when organizations employ vendors to perform these services on their behalf, those same vendors leave sensitive customer and employee data out in the open,” the Flashpoint researchers said. “As such, it’s critical for business leaders to have an active vendor risk management program, or to ensure that their digital supply chain is implementing effective security controls.”
Phishing is another popular way of stealing credentials from users, and 2022 was a record year for phishing pages recorded by Flashpoint. This activity has also been commoditized, with phishing kits routinely available for purchase and new techniques being developed. One example is EvilProxy, a phishing-as-a-service platform that uses a person-in-the-middle approach to intercept login credentials as well as multi-factor authentication tokens.
Malware programs, in particular info stealers that can extract login credentials saved in browsers and other applications, are also in high demand on underground forums. Alongside existing commercial stealers like Raccoon, RedLine, and Vidar, new such programs entered the market in 2022, including AcridRain and TyphonStealer.
“Stealers have been a prolific tool in 2022, responsible for supplying log shops with massive amounts of compromised credentials,” the Flashpoint researchers said. “The use of stealers has been tied to several high-profile breaches—notably by the data extortion gang LAPSUS$.”
Finally, exploits for known vulnerabilities are also a hot commodity, and they can lead to data breaches. Flashpoint analysts recorded 766 instances where cybercriminals discussed vulnerabilities by CVE identifier on underground forums, with prices for reliable exploits fetching between $2,000 and $4,000 but going up to $10,000 for more advanced ones. The most discussed weaponized vulnerabilities last year were CVE-2021-35587, CVE-2021-39144, CVE-2022-21497, CVE-2022-22960, CVE-2022-24112, CVE-2022-24706, CVE-2022-31675, CVE-2022-36804, CVE-2022-40684 and CVE-2022-41045.
Copyright © 2023 IDG Communications, Inc.