The evolution of malicious actors over the last four decades has shown that greed is greatly responsible for most of the cybersecurity incidents we keep witnessing. While in the 1980s virus authors sought to experiment, and erase data, the same breed of malicious actors now seek, in many cases, mostly one thing: information.
Credential Stealing Botnets
The Spamhaus Botnet Threat Update (Q2 2020) identifies the main activity of the largest botnets in operation. Out of the 20 listed in the report (see below), 9 are designed to steal credentials from their victims, including the top three.
Of course, botnets can and are designed with modules to accomplish many goals, but it is still telling that such emphasis would be put on credential stealing in the report. Many of those botnets are also quickly growing, with the AgentTesla botnet growing by 772% between Q1 and Q2 of 2020.
Immature Marketplaces for Stolen Information
The market for stolen information – and credentials – is still not mature in many ways. Bleeping Computer recently reported on three new markets that specialize in the sale of leaked data, sometimes though not always from ransomware groups.
Our own investigation is in line with the analysis from the news site in that these websites are small in size and scope, provide little to no information on the source of the data for sale, and demonstrate low traffic in terms of supply, meaning that new datasets put up for sale appear rarely. Public marketplaces that seek publicity may therefore not be the main source of threats for organizations like yours.
Much more established websites are in use by malicious actors to purchase stolen credentials. These websites do not seek publicity, and ride the wave of credential stealing by contacting journalists and researchers. We profiled one such market in a research report recently published on our website. This marketplace operates much more under the radar and has in this case credentials for sale from hundreds of thousands of victims.
Another report from DarkTracer found that over 2,000 companies had their data stolen and potentially leaked on ransomware group websites. This is a high number, and a growing source of concern for organizations. Ransomware groups would rather now exfiltrate and ransom stolen data, than encrypt data locally. The former brings in much higher ransoms, and has the benefit of generating multiple revenue streams by reselling the data over and over again.
A Shift Born Out of Necessity?
Malicious actors adapt to their environment. They have a sixth sense to identify if and what behavior is becoming increasingly monitored, and switch to a new field of activities when a market becomes too hot, and the risks of arrests too high.
Russian State actors recently changed their behavior and strategy when their tactics were made public by U.S. intelligence agencies. Similarly, when our report on botnets in Canada was published, we saw a banner appear on the top of the marketplace, seeking information on new reports about the marketplace.
If credential and information stealing has become so popular, it is in part because demand for this information has risen over the past years. The virtualization of the economy is making it more and more possible to launch scams and frauds, which feed on stolen information and credentials.
But it is also perhaps because regulation of other online and offline activities has pushed malicious actors towards this profit-driven illicit industry. With stolen software, music and games becoming less and less interesting, there is an opportunity to seize around niche services such as providing stolen information and credentials.
The good news is that regulation can work as suggested above, and that a push by law enforcement could deter – or at least displace the problem of credential and information stealing. It will be interesting to analyze in the coming months if the pressure is indeed increased against that industry, where malicious actors will go to next en masse.
Already, the price of cryptocurrency is making more than one interested, and it would not be surprising to see that cryptocurrency users are now more than ever in danger of attacks against their portfolio.
