Tag Archive for: Logs

Threat Spotlight: Stealer Logs & Corporate Access


Executive Overview

Over the last three years, infostealer malware variants have become a “popular trend” in the cybercriminal Malware-as-a-Service (MaaS) ecosystem. Doing precisely as their category implies, these malware variants steal information from users’ devices. After infecting the device, the malware employs various techniques to remain undetected while sending data to the malicious actors’ command and control infrastructure. 

To understand the threat infostealer malware poses, we examined more than 19.6 million stealer logs to identify trends like:

  • Number of infections containing corporate credentials
  • Average price of infostealers with banking access
  • Prominent consumer applications appearing in the logs

Read our full report, Stealer Logs & Corporate Access, or continue reading for the highlights. 

The Details

Analyzing more than 19.6 million stealer logs showed trends that indicate malicious actors value access to corporate resources and financial services accounts. Based on the findings, malicious actors appear to use infostealer malware so that they don’t have to purchase a consumer application subscription or so they can steal money by compromising a bank account. 

At a high level, the research found the following about stealer logs:

  • 376,107 (1.91%): access to corporate SaaS applications
  • 48,173: access to a resource that includes a single sign-on credential, representing almost certain access to corporate resources
  • 200,000 (1%): access to leading AI provider credentials

(Note: these figures come from users of the applications who were compromised with infostealer malware. We have no reason to believe that the organizations themselves have suffered a security incident or breach.)

Meanwhile, looking at infostealer logs through the eyes of the consumer, the data shows:

  • 46.9% had access to Gmail credentials
  • $112: average cost of financial services-related logs compared to $15 across all log sales

We collected data from four primary sources:

  • Public Telegram “logs” channels: “free samples” of primarily consumer application access logs used to advertise the paid Telegram rooms
  • Private Telegram channels: invitation-only, paid channels with higher-value logs


Info-Stealing Malware Populates ‘Cloud of Logs’ Offerings


Cybercrime, Fraud Management & Cybercrime

Private Subscription Services Emerge, Together With Fresh Strains of Info Stealers

Advertisement for TitanStealer, first offered for sale in November 2022 via the Russian-language BHF and Dark2Web forums (Source: Kela)

Cybercrime watchers continue to see strong demand for fresh strains of information-stealing malware and the personal information being harvested by such info stealers.



Information stealers exfiltrate data from an infected system – aka “bot” – and batch it into “logs” containing “browser login information including passwords, cookies, credit card details, crypto wallet data and more,” threat intelligence firm Kela said in a new report.


Phishing is the main distribution method, oftentimes through links to compromised or malicious websites. One recent campaign tied to the Lumma and Aurora stealers used “typosquatted” domains – malicious domains with names resembling legitimate ones – that pretended to offer access to OpenAI and ChatGPT, cybersecurity firm Cyble reported.


After infecting systems and collecting logs, criminals often sell the stolen data via automated bot markets such as Genesis, RussianMarket and TwoEasy, via forums such as BHF and Dark2Web, and Telegram messaging app channels. While Genesis was disrupted last month via an international police operation accompanied by more than 100 arrests worldwide, the BBC reported Friday that the darknet version of Genesis appears to remain alive and well.


One sign of the maturity of marketplaces selling account takeover services or stolen digital identities is the emergence in recent years…


Cyber Security Interview Questions and Answers



Buying Bot-Stolen Logs: Marketplaces Make It ‘2easy’


Blockchain & Cryptocurrency, Cryptocurrency Fraud, Cybercrime

Genesis Market, 2easy, Russia House Offer Inexpensive Access to Stolen Credentials

Stolen data from a RedLine bot (Source: Kela)

A variety of underground markets exist to help malware-wielding criminals monetize their attacks, including via log marketplaces such as Genesis, Russian Market and 2easy, which offer for sale batches of data that can be used to emulate a victim, whether it’s a consumer, an enterprise IT administrator or anyone in between.



Such marketplaces are a reminder that extensive information continues to be harvested by information-stealing malware, such as RedLine and AZORult.


These infostealers often get distributed via booby-trapped emails and websites, and after infecting a PC they can exfiltrate many different types of data, including passwords.

Experts say the most valuable data, such as cryptocurrency wallets and stored payment card data, often gets siphoned off first by attackers. Sometimes, they use this information themselves, for example, to try and steal all of the bitcoins from a victim’s cryptocurrency wallet. In other cases, however, attackers may be wielding information-stealing malware they have obtained from a service…
