In a recent research report titled “Stealer logs and Corporate Access,” cybersecurity company Flare shed light on the growing and complex ecosystem surrounding infostealer malware. The report revealed that infostealer malware is expanding at an exponential rate, posing a significant threat to organizations worldwide.
Flare’s research was based on an analysis of over 19.6 million stealer logs: the bundles of saved browser credentials (typically alongside session cookies and a system fingerprint) that the malware harvests from an infected machine and that are regularly sold on the dark web. The analysis found that 46.9% of these logs contained Gmail credentials, while 1.91% contained credentials for business applications such as AWS, Salesforce, and GCP. Notably, logs containing credentials to financial institutions sold for almost 7.5 times the price of those with access only to consumer applications.
The distribution of these stealer logs primarily occurs on the messaging platform Telegram, in both private and public channels. The Russian Market, a dark web marketplace, is another popular venue for purchasing logs. Flare noted that Genesis Market, an online log store, had been a popular platform until it was recently taken down by law enforcement; it now operates only on the dark web and at a much smaller scale.
So, how exactly do cybercriminals obtain these logs? The stealer itself reaches the victim through phishing or similar lures that get the malware running on a machine; once running, it reads out whatever the browser and other applications have stored and exfiltrates it as a log. Flare categorized the stealer logs into three tiers. Tier one includes high-value corporate credentials, tier two encompasses banking and financial service credentials, and tier three consists of consumer application credentials. Because users save these credentials in the browser on personal devices for convenience, a single infection hands the attacker every stored account at once, which is what makes the tiering meaningful.
Erich Kron, a security awareness advocate at KnowBe4, emphasized the danger of password reuse. He explained that reusing passwords across multiple websites can lead to credential stuffing attacks, where threat actors try known usernames and passwords on various platforms. This practice has resulted in countless account takeover compromises. Kron recommended the use of multi-factor authentication (MFA) and educating users about the risks of password reuse to mitigate these issues.
The surge in remote work has exacerbated the problem of infostealer malware. Tomer Bar, VP of Security Research at SafeBreach, suggested that continuous security validation should be conducted on laptop and remote devices to address this issue.
The stealer logs obtained by cybercriminals serve various purposes within the criminal ecosystem. Lower-tier logs are often used to gain unauthorized access to subscription services such as Spotify or Netflix. Logs containing corporate access credentials, on the other hand, are more valuable and are typically used as the starting point for large-scale attacks. Flare’s report highlighted that such logs are used by initial access brokers (IABs) to gain a foothold in corporate environments; that access is then auctioned off on top-tier dark web forums.
It is essential to understand the broader economy that fuels these attacks. Without the availability of stealer logs, initial access brokers would struggle to gain access to corporate environments, hindering cybercriminals’ ability to exploit and misuse sensitive information. This ecosystem has lowered the barrier to entry for criminals, allowing them to specialize in specific phases of the attack and purchase the necessary tools or information from others.
Industry experts also shared their insights on stealer logs and provided advice on mitigation strategies. Colin Little, a security engineer at Centripetal, highlighted the need for stronger controls over personal devices that employees use for work-related activities. He emphasized that many cybersecurity tools and investigations are not applied to personal devices, leaving them vulnerable to infections. Little stressed the importance of operationalized threat intelligence to detect infected personal assets on enterprise networks and promote self-awareness within organizations.
Darren James, senior product manager with Specops Software, suggested several steps that organizations can take to mitigate the impact of infostealers. These include using systems that detect compromised passwords and enforce the use of multi-factor authentication (MFA), investing in threat intelligence solutions, controlling software installations on devices accessing corporate resources, keeping antivirus and operating systems up to date, and regularly conducting cyber awareness training.
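As an added example (not code from Flare’s report or from any vendor quoted above), the script below shows what the tiering from the report and the “detect compromised passwords” and “operationalized threat intelligence” advice look like when applied to an actual log. It parses a constructed stealer log in a simple “Key: Value” block layout, buckets each record into the article’s three tiers using assumed hostname lists (`TIER1_HOSTS`, `TIER2_HOSTS`) and the organization’s own domains, counts password reuse across the log, and checks each password against a breached-password table using the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1, compare suffixes locally). The breached table, the counts in it, the `example-corp.com` domain and all credentials in `SAMPLE_LOG` are invented for the example; the `local_range_lookup` function is an offline stand-in for a remote range endpoint.

```python
from __future__ import annotations

import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log (invented accounts and passwords, not report data).
SAMPLE_LOG = """\
URL: https://accounts.google.com/signin
Username: alice.personal@gmail.com
Password: summer2023

URL: https://example-corp.okta.com/login
Username: alice@example-corp.com
Password: Winter!2024

URL: https://console.aws.amazon.com/
Username: alice@example-corp.com
Password: Winter!2024

URL: https://online.bigbank.example/
Username: alice
Password: summer2023
"""


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str


def parse_stealer_log(text: str) -> list[Credential]:
    """Split the dump on blank lines and read 'Key: Value' pairs from each block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; URLs contain ':'
            if sep:
                fields[key.strip().lower()] = value.strip()
        if {"url", "username", "password"} <= fields.keys():
            records.append(Credential(fields["url"], fields["username"], fields["password"]))
    return records


# Assumed host lists for the article's tiers; a deployment would feed these from
# its asset inventory and threat-intel sources.
TIER1_HOSTS = ("console.aws.amazon.com", "salesforce.com", "console.cloud.google.com", "okta.com")
TIER2_HOSTS = ("bigbank.example",)


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_matches(host: str, patterns) -> bool:
    # Exact or subdomain match only, so "notsalesforce.com" does not match.
    return any(host == p or host.endswith("." + p) for p in patterns)


def tier(cred: Credential, corp_domains: set[str]) -> int:
    user_domain = cred.username.rpartition("@")[2].lower()
    host = hostname(cred.url)
    if user_domain in corp_domains or host_matches(host, corp_domains | set(TIER1_HOSTS)):
        return 1
    if host_matches(host, TIER2_HOSTS):
        return 2
    return 3


# Compromised-password check, k-anonymity style: only the 5-char SHA-1 prefix
# leaves the client; the "SUFFIX:COUNT" lines come back and are matched locally.
KNOWN_BREACHED = {"summer2023": 4212, "password1": 2350000}  # constructed table


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_db(breached: dict[str, int]) -> dict[str, list[str]]:
    db: dict[str, list[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        db.setdefault(prefix, []).append(f"{suffix}:{count}")
    return db


RANGE_DB = build_range_db(KNOWN_BREACHED)


def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for a remote range endpoint (assumption for the example)."""
    return "\n".join(RANGE_DB.get(prefix, []))


def pwned_count(password: str, range_lookup=local_range_lookup) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def triage(text: str, corp_domains: set[str]) -> list[dict]:
    creds = parse_stealer_log(text)
    reuse = Counter(c.password for c in creds)
    return [{"host": hostname(c.url), "user": c.username, "tier": tier(c, corp_domains),
             "reuse_count": reuse[c.password], "breached_count": pwned_count(c.password)}
            for c in creds]


def corporate_exposure(findings: list[dict]) -> set[tuple[str, str]]:
    """Tier-1 hits: the (user, host) pairs to force-reset and revoke sessions for."""
    return {(f["user"], f["host"]) for f in findings if f["tier"] == 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, {"example-corp.com"})
    for f in results:
        print(f)
    print("force reset:", corporate_exposure(results))
```

Two details matter in practice. The reuse count ties the tiers together: the same `summer2023` that unlocks a streaming account also unlocks the bank login here, which is exactly the credential-stuffing path Kron describes. And a tier-1 hit is actionable even when the password is not in any breach table, because the stealer already has it; the right response is a forced reset plus session revocation, not just a “weak password” warning.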
In conclusion, the threat posed by infostealer malware and the surrounding criminal-to-criminal economy is growing rapidly. Organizations must be proactive in implementing robust cybersecurity measures to protect their sensitive information and prevent unauthorized access. By understanding the mechanisms behind these attacks and adopting best practices, businesses can significantly reduce the risk of falling victim to infostealer threats.