Source: go.theregister.com – Author: Team Register
There appears to be an uptick in interest among cybercriminals in infostealers – malware designed to swipe online account passwords, financial info, and other sensitive data from infected PCs – as a relatively cheap and easy way to get a foothold in organizations’ IT environments to deploy devastating ransomware.
Miscreants have plenty of ways to gain access to a business’s internal systems. For example, they can brute-force their way in, logging into accounts with weak, default, or easily guessed passwords. They can buy their way in using so-called initial access brokers, who perform the actual infiltration. They can use credential stuffing, in which they obtain username-password combinations for one online service and see if those creds let them into another service as too many people reuse the same password everywhere. They could develop or obtain exploits for vulnerabilities in an org’s IT estate, and use those to gain remote entry.
Those methods can be tricky, expensive, a faff, or a dead end. An alternative and relatively straightforward way in would be to trick, say, an employee into running an infostealer on their work or home PC, and use credentials collected from that spyware to gain further access to an IT network. Infostealers tend to be used to gain access to victims’ online bank accounts, remote desktop accounts, cryptocurrency wallets, email inboxes, and so on.
It turns out, and logically it makes total sense, that these software nasties are good for getting hold of login details to sneak into valuable corporate environments.
And if ransomware crews don’t want to deploy infostealers themselves, they have the option of paying for copies of credentials harvested from countless infected PCs and exploiting them to get into networks where they can run their extortionware, which might exfiltrate documents, encrypt data, demand a ransom to end the pain, and so on.
We’d even be willing to put money on ransomware crews making use of infostealers, one way or another, for some time already, and it’s only now that cybersecurity analysts are highlighting the growing approach. In any case, it’s something for security teams to bear in mind when managing access controls, user trust, threat detection, and all that jazz.
Who’s at it?
We’re told that notorious ransomware gang LockBit, before being at least somewhat disrupted by an international law-enforcement effort, wanted to buy the source code to the Raccoon Stealer to use for its own purposes. Former Trickbot/Conti ransomware developers were spotted collaborating with FIN7, another financially motivated cybercrime gang, on new malware that, among other things, delivers the Project Nemesis infostealer.
Even the prolific SIM-swappers-turned-extortionists group Scattered Spider has been known to obtain initial access into victim organizations’ environments via infostealers such as RedLine, according to Kimberly Goody, Mandiant’s head of cybercrime analysis.
“The cost of [infostealers], or the cost of [login credentials] obtained using that tool, is so insignificant compared to the amount of money these threat actors are making and the financial effect they are having on victim organizations,” she told The Register.
A monthly subscription to the RedLine stealer, as of February, costs $100, according to at least one advertisement. Or, criminals can purchase the “pro-version” for $600, although the ad spotted by the Mandiant team didn’t elaborate on what extra capabilities or services the pro-version includes.
These ads highlight the type of credentials the malware can steal, and the top categories of applications referenced are browser and cryptocurrency-related apps. “We do see actors referencing the ability to steal VPN credentials, and that would be something that could help enable ransomware intrusions,” Goody said.
If I leverage an infostealer, my ransomware is going to be more successful, and the end result is I get more bang for my buck
Google’s Mandiant recorded a 60 percent increase in infostealer advertisements on criminal marketplaces between 2021 and 2022, along with a thriving market for log files of stolen creds gathered by stealer malware. The team’s analysis tracked a 2,000 percent increase in these logs advertised on one such illicit souk, Russian Market, in 2022 compared to the year prior. The volume of logs posted during 2023 Russian Market “remained largely consistent,” Goody said.
“This increase in advertisements on these underground forums, combined with the increase in logs that we’re seeing on the shops, suggests to us that the popularity of infostealers and the interests by threat actors in using them has increased since the beginning of 2022.”
While ransomware gangs and other criminal organizations are paying attention, according to security researchers, corporations still aren’t giving infostealers the attention that they should.
“They are not necessarily associating infostealers with devastating impacts to their organizations,” Goody said.
“Historically, this type of activity has been something that orgnaizations have deprioritized over other activity or alerts they have seen in their environments,” she continued. “But noting the fact that ransomware actors are using this tool, this is a threat that organizations should take seriously.”
Stealers target AI account credentials, too
According to data released today, Kasperky’s threat intelligence team found infostealers swiped more than 36 million credentials between 2021 and 2023. OpenAI, in particular, experienced a surge in user credentials being grabbed from users’ PCs because of infostealers during this time period.
About 688,000 credentials for the super-lab’s services, including ChatGPT, were obtained between 2021 and 2023 and peddled on dark-web marketplaces, according to the Russian infosec house. Nearly all of these (663,719) appeared for sale in shadowy souks last year alone, representing a more than 3,161 percent increase compared to 2022.
“The credential compromises in question stem from infostealer activity,” noted Yuliya Novikova, head of Kaspersky Digital Footprint Intelligence.
Log files, each containing a bundle of compromised online account details, usually retail for less than $1 a pop, Novikova told The Register.
“In fact, it is possible to come across log files priced as low as 10 cents,” Novikova added. “As a malware, infostealers are a commodity themselves. From 2015 to 2022, this particular malware made up 24 percent of all malware families that were distributed as a service on the dark web.”
The price tag on these as-a-service subscriptions ranges from about $100 to $300 per month, she added.
Big increase in infostealer activity
Similarly, an IBM X-Force report published earlier this month tracked a 266 percent increase in infostealer-related activity in 2023 compared to 2022. This likely contributed to the increase in criminals breaking into digital environments using stolen valid account credentials, making the front door the top initial access vector observed last year.
Plus, new infostealers such as Rhadamanthys, LummaC2, and StrelaStealer debuted and were actively used in 2023, according to the threat hunters.
“Malware operators tend to innovate in some areas more than others. Last year it was infostealer malware,” Michelle Alvarez, a manager for IBM X-Force’s strategic threat analysis team, told The Register.
- Infostealer malware, weak password leaves Orange Spain RIPE for plucking
- Orgs are having a major identity crisis while crims reap the rewards
- ALPHV/BlackCat responsible for Change Healthcare cyberattack
- Cybercrims: When we hit IT, they sometimes pay, but when we hit OT… jackpot
Criminals are “looking to see where they have the most [return on investment],” Alvarez added. “If I leverage an infostealer, my ransomware is going to be more successful, and the end result is I get more bang for my buck.”
X-Force also noted a trend of ransomware groups pivoting to infostealers last year, and says this suggests that stolen credentials have become the preferred method to gain initial access.
According to the security shop’s 2024 Threat Intelligence Index: “As threat actors invest in infostealers to grow their credential repository, enterprises are pushed into a new defense landscape where identity can no longer be guaranteed.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2024/02/29/infostealers_increased_use/
Category & Tags: –
