April 13, 2024

The cybercrime underground has lengthy functioned as an open market the place sellers of services and products are paired with consumers and contractors. Probably the most useful commodities on this market are stolen credentials since they’ll present attackers with entry into networks, databases, and different belongings owned by organizations. It is no shock to see cybercriminals centered on this useful commodity.

“Final yr, 4,518 information breaches have been reported,” researchers from Flashpoint mentioned in a new report. “Menace actors uncovered or stole 22.62 billion credentials and private information, starting from account and monetary info to emails and Social Safety numbers.” Over 60% of those credentials and different particulars have been stolen from organizations within the info sector, and these organizations typically host information for purchasers from many different industries.

Flashpoint, which focuses on cyber risk intelligence, always displays cybercriminal markets, boards, and different communication channels. So far its database of risk intel contains 575 million posts on unlawful boards, 3.6 billion chat messages, 39 billion compromised credentials, 85 billion distinctive e-mail/password credentials, and over 2 billion bank card numbers that have been stolen after which shared amongst cybercriminals.

“The proliferation of illegally obtained information provides risk actors ample alternatives to bypass organizational safety measures and controls—empowering ransomware teams like LockBit to carry information for ransom, or promote or expose it on illicit markets.”

Ransomware’s service-based fashions

Most ransomware gangs function on a service-based mannequin. The group pays contractors referred to as associates to interrupt into networks, receive administrative entry and deploy their ransomware program for a big minimize of any ransom funds victims make. Many of those associates in flip purchase entry into networks from different cybercriminals referred to as preliminary entry suppliers, and these suppliers typically depend on stolen credentials to achieve that entry, particularly credentials for distant entry companies corresponding to VPNs and Distant Desktop Protocol (RDP).

Essentially the most profitable ransomware group in 2022 was LockBit, whose exercise spiked after one other infamous ransomware gang known as Conti shut down its operations in Could. LockBit managed to draw lots of Conti’s former collaborators by revamping its associates program with higher offers.

Final yr Flashpoint recorded 3,164 victims that ransomware gangs listed publicly, a rise of seven% over the earlier yr. Primarily based on developments seen in 2023, the corporate estimates the variety of victims this yr is on monitor to exceed the 2022 quantity.

“In contrast to most trendy organizational safety groups, risk actors don’t function in silos, and as an alternative pool sources whereas studying from each other,” the corporate mentioned. “Flashpoint is discovering that adept risk actors and ransomware gangs more and more share code, along with ways, instruments, and procedures—largely because of the proliferation of illicit markets.”

Identical to ransomware gangs come and go in what looks as if a endless cycle of rebranding, unlawful markets do, too. Whereas there have been a number of legislation enforcement takedowns or self-shutdowns of massive and long-running cybercrime markets — SSNDOB, Raid Boards, and Hydra being some notable ones — others rapidly popped as much as take their place. Cybercriminals normally keep various communication channels like Telegram, the place they’ll preserve one another knowledgeable and promote new various markets after one disappears. In reality, simply final yr Flashpoint recorded 190 new illicit markets emerge. One discussion board marketed as a alternative for Raid Boards rose from 1,500 members in March 2022 to over 190,000 by November.

“Illicit markets immediately affect information breaches and cyberattack,” Flashpoint mentioned. “Fraudsters, preliminary entry brokers, ransomware teams, and superior persistent risk (APT) teams alike flip to those markets, retailers, and boards to commerce in stolen credentials and private information, that are leveraged in a wide range of illicit actions.”

How do attackers receive credentials?

Knowledge breaches are one of many prime sources for uncovered credentials, however whereas the highest trigger for particular person information breaches is hacking, this methodology is barely liable for 28% of the leaked credentials and information that make their manner on underground markets. Over 71% of credentials and private information have been leaked from solely 5% of information breaches and have been the results of misconfigurations of databases and companies.

“This information reveals that when organizations make use of distributors to carry out these companies on their behalf, those self same distributors depart delicate buyer and worker information out within the open,” the Flashpoint researchers mentioned. “As such, it’s essential for enterprise leaders to have an lively vendor danger administration program, or to make sure that their digital provide chain is implementing efficient safety controls.”

Phishing is one other well-liked manner of stealing credentials from customers and 2022 was a document yr for phishing pages recorded by Flashpoint. This exercise has additionally been commoditized with phishing kits being routinely out there to buy and new strategies being developed. One instance is EvilProxy, a phishing-as-a-service platform that makes use of a person-in-the-middle method to intercept login credentials in addition to multi-factor authentication tokens.

Malware applications, particularly info stealers that may extract login credentials saved in browsers and different functions, are additionally in excessive demand on underground boards. Alongside present industrial stealers like Raccoon, RedLine, and Vidar, new such applications entered the market in 2022 together with AcridRain and TyphonStealer.

“Stealers have been a prolific device in 2022, liable for supplying log retailers with large quantities of compromised credentials,” the Flashpoint researchers mentioned. “The usage of stealers has been tied to a number of high-profile breaches—notably by the information extortion gang LAPSUS$.”

Lastly, exploits for recognized vulnerabilities are additionally a sizzling commodity and so they can result in information breaches. Flashpoint analysts recorded 766 cases the place cybercriminals mentioned vulnerabilities by CVE identifier on underground boards with costs for dependable exploits fetching between $2,000 and $4,000 however going as much as $10,000 for extra superior ones. Essentially the most talked about weaponized vulnerabilities final yr have been CVE-2021-35587, CVE-2021-39144, CVE-2022-21497, CVE-2022-22960, CVE-2022-24112, CVE-2022-24706, CVE-2022-31675, CVE-2022-36804, CVE-2022-40684 and CVE-2022-41045.

Copyright © 2023 IDG Communications, Inc.