Stolen credentials increasingly empower the cybercrime underground

The cybercrime underground has long functioned as an open market where sellers of products and services are paired with buyers and contractors. One of the most valuable commodities on this market are stolen credentials since they can provide attackers with access into networks, databases, and other assets owned by organizations. It’s no surprise to see cybercriminals focused on this valuable commodity.

“Last year, 4,518 data breaches were reported,” researchers from Flashpoint said in a new report. “Threat actors exposed or stole 22.62 billion credentials and personal records, ranging from account and financial information to emails and Social Security numbers.” Over 60% of these credentials and other details were stolen from organizations in the information sector, and these organizations generally host data for clients from many other industries.

Flashpoint, which specializes in cyber threat intelligence, constantly monitors cybercriminal markets, forums, and other communication channels. To date its database of threat intel includes 575 million posts on illegal forums, 3.6 billion chat messages, 39 billion compromised credentials, 85 billion unique email/password credentials, and over 2 billion credit card numbers that were stolen and then shared among cybercriminals.

“The proliferation of illegally obtained data gives threat actors ample opportunities to circumvent organizational security measures and controls—empowering ransomware groups like LockBit to hold data for ransom, or sell or expose it on illicit markets.”

Ransomware’s service-based models

Most ransomware gangs operate on a service-based model. The group pays contractors known as affiliates to break into networks, obtain administrative access and deploy their ransomware program for a large cut of any ransom payments victims make. Many of these affiliates in turn buy access into networks from other cybercriminals known as initial access providers, and these providers often rely on stolen credentials to gain that access, especially credentials for remote access services such as VPNs and Remote Desktop Protocol (RDP).

The most successful ransomware group in 2022 was LockBit, whose activity spiked after another notorious ransomware gang called Conti shut down its operations in May. LockBit managed to attract many of Conti’s former collaborators by revamping its affiliate program with better deals.

Last year Flashpoint recorded 3,164 victims that ransomware gangs listed publicly, an increase of 7% over the previous year. Based on trends seen in 2023, the company estimates the number of victims this year is on track to exceed the 2022 number.

“Unlike most modern organizational security teams, threat actors do not operate in silos, and instead pool resources while learning from one another,” the company said. “Flashpoint is finding that adept threat actors and ransomware gangs increasingly share code, in addition to tactics, tools, and procedures—largely thanks to the proliferation of illicit markets.”

Just like ransomware gangs come and go in what seems like a never-ending cycle of rebranding, illegal markets do, too. While there were several law enforcement takedowns or self-shutdowns of big and long-running cybercrime markets — SSNDOB, Raid Forums, and Hydra being some notable ones — others quickly popped up to take their place. Cybercriminals usually maintain alternative communication channels like Telegram, where they can keep each other informed and advertise new alternative markets after one disappears. In fact, just last year Flashpoint recorded 190 new illicit markets emerge. One forum advertised as a replacement for Raid Forums rose from 1,500 members in March 2022 to over 190,000 by November.

“Illicit markets directly impact data breaches and cyberattack,” Flashpoint said. “Fraudsters, initial access brokers, ransomware groups, and advanced persistent threat (APT) groups alike turn to these markets, shops, and forums to trade in stolen credentials and personal records, which are leveraged in a variety of illicit activities.”

How do attackers obtain credentials?

Data breaches are one of the top sources for exposed credentials, but while the top cause for individual data breaches is hacking, this method is only responsible for 28% of the leaked credentials and records that make their way on underground markets. Over 71% of credentials and personal records were leaked from only 5% of data breaches and were the result of misconfigurations of databases and services.

“This data shows that once organizations employ vendors to perform these services on their behalf, those same vendors leave sensitive customer and employee data out in the open,” the Flashpoint researchers said. “As such, it is critical for business leaders to have an active vendor risk management program, or to ensure that their digital supply chain is implementing effective security controls.”

Phishing is another popular way of stealing credentials from users and 2022 was a record year for phishing pages recorded by Flashpoint. This activity has also been commoditized with phishing kits being routinely available to purchase and new techniques being developed. One example is EvilProxy, a phishing-as-a-service platform that uses a person-in-the-middle approach to intercept login credentials as well as multi-factor authentication tokens.

Malware programs, in particular information stealers that can extract login credentials saved in browsers and other applications, are also in high demand on underground forums. Alongside existing commercial stealers like Raccoon, RedLine, and Vidar, new such programs entered the market in 2022 including AcridRain and TyphonStealer.

“Stealers have been a prolific tool in 2022, responsible for supplying log shops with massive amounts of compromised credentials,” the Flashpoint researchers said. “The use of stealers has been tied to several high-profile breaches—particularly by the data extortion gang LAPSUS$.”

Finally, exploits for known vulnerabilities are also a hot commodity and they can lead to data breaches. Flashpoint analysts recorded 766 instances where cybercriminals discussed vulnerabilities by CVE identifier on underground forums with prices for reliable exploits fetching between $2,000 and $4,000 but going up to $10,000 for more advanced ones. The most mentioned weaponized vulnerabilities last year were CVE-2021-35587, CVE-2021-39144, CVE-2022-21497, CVE-2022-22960, CVE-2022-24112, CVE-2022-24706, CVE-2022-31675, CVE-2022-36804, CVE-2022-40684 and CVE-2022-41045.