Stealer logs, and their complex C2C market.
By Jason Cole, CyberWire staff writer. (The CyberWire editorial staff also contributed to this article.)
Jul 26, 2023

Infostealers and the logs they generate are a hot commodity in the C2C market.

In its research report “Stealer logs and Corporate Access,” Flare explains that infostealer malware and the criminal-to-criminal (C2C) economy around it have developed into a complex ecosystem that is growing at an exponential rate. “The explosive growth rate of infostealer malware represents an ongoing and significant threat to all organizations. Employees regularly save credentials on personal devices or access personal resources on organizational devices, increasing the risk of infection,” writes Flare. The report identifies the factors driving the infostealer market by examining over 19.6 million stealer logs, which are regularly sold on the dark web after an infection. Flare found that 46.9% of the logs (more than 8 million) contained Gmail credentials, while just over 1.91% contained credentials for business applications such as AWS, Salesforce, and GCP. Logs containing credentials for financial institutions sold for almost 7.5 times as much as those with access to consumer applications. Most stealer logs are distributed on Telegram via private or public channels, but Russian Market, a dark web marketplace, is also a popular place to buy them. Genesis Market had been a popular clear web log store until its recent takedown by law enforcement; it now operates exclusively on the dark web and at a reduced rate.

How are the cybercriminals getting these logs?

An infostealer log is the full set of credentials harvested from an infected machine, whichever vector (phishing or another) delivered the malware. The report sorts logs for sale into three tiers by what they contain: tier one, high-value corporate credentials; tier two, banking and financial service credentials; tier three, consumer application credentials. The credentials mostly come from users who move between personal and work devices and save their logins in the browser for convenience. Saving credentials is easier day to day, but it concentrates all of a user's access in one place, where a single infection lets a threat actor collect everything at once.
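To make the tiering concrete, here is an added example (not code from Flare, the report, or the CyberWire) that parses a constructed stealer-log password dump, assigns each credential to one of the three tiers above, lists entries that use the organization's own e-mail domain (the ones to force a reset on), and groups passwords reused across hosts, which is what makes a single log useful for credential stuffing. The record layout (URL/Username/Password blocks separated by blank lines), the domain lists, and the sample dump are assumptions constructed for the demonstration, not any stealer family's actual format.

```python
"""Triage a stealer-log password dump into the three tiers described above.
Added example, not code from Flare or the CyberWire. The record layout, the
domain lists and the sample dump are assumptions constructed for this demo."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

ORG_DOMAINS = {"example-corp.com"}  # constructed: the triaging organization's domains
BUSINESS_APP_HOSTS = {"signin.aws.amazon.com", "login.salesforce.com",  # constructed login
                      "console.cloud.google.com"}                       # hosts for AWS/Salesforce/GCP
FINANCIAL_HOSTS = {"online.examplebank.com", "login.examplebroker.com"}  # constructed
# Accepted key spellings mapped to canonical field names (assumed, not any family's spec).
KEY_ALIASES = {"url": "url", "host": "url", "username": "user", "user": "user",
               "login": "user", "password": "pass", "pass": "pass"}


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or self.url).lower()


def parse_log(text: str) -> list[Credential]:
    """Parse blank-line-separated 'Key: value' blocks; blocks missing a field are dropped."""
    creds: list[Credential] = []
    block: dict[str, str] = {}

    def flush() -> None:
        if all(k in block for k in ("url", "user", "pass")):
            creds.append(Credential(block["url"], block["user"], block["pass"]))
        block.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        key, sep, value = line.partition(":")  # first colon only: passwords may contain ':'
        field = KEY_ALIASES.get(key.strip().lower())
        if sep and field:
            block[field] = value.strip()
    flush()
    return creds


def tier(cred: Credential) -> int:
    """1 = corporate access, 2 = financial, 3 = consumer, following the report's ranking."""
    host = cred.host
    if host in BUSINESS_APP_HOSTS or any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
        return 1
    return 2 if host in FINANCIAL_HOSTS else 3


def triage(creds: list[Credential]) -> dict:
    """Count per tier, list entries using an org e-mail address, and group passwords
    reused across hosts (keyed by SHA-256 so the report does not carry plaintext)."""
    tier_counts = {1: 0, 2: 0, 3: 0}
    hosts_by_hash: dict[str, set[str]] = defaultdict(set)
    for c in creds:
        tier_counts[tier(c)] += 1
        hosts_by_hash[hashlib.sha256(c.password.encode()).hexdigest()].add(c.host)
    return {"tier_counts": tier_counts,
            "org_exposures": [c for c in creds if c.user.rpartition("@")[2].lower() in ORG_DOMAINS],
            "reused_passwords": {h: s for h, s in hosts_by_hash.items() if len(s) > 1}}


# Constructed sample dump. The last block lacks a password and is discarded by the parser.
SAMPLE_LOG = """\
URL: https://mail.google.com/
Username: jdoe@gmail.com
Password: Summer2023!

URL: https://login.salesforce.com/
Username: j.doe@example-corp.com
Password: Summer2023!

URL: https://online.examplebank.com/
Username: jdoe
Password: n0tReused:Bank

URL: https://vpn.example-corp.com/
Login: j.doe@example-corp.com
Pass: Summer2023!

URL: https://www.spotify.com/
Username: jdoe@gmail.com
"""

if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("per tier:", result["tier_counts"])
    for c in result["org_exposures"]:
        print("force reset:", c.user, "on", c.host)
    for h, hosts in result["reused_passwords"].items():
        print("password", h[:12], "reused on", sorted(hosts))
```

On the sample dump this reports two tier-one entries (the Salesforce login and the corporate VPN), one financial, one consumer, two org-domain exposures, and one password shared across three hosts. Keying the reuse groups by hash rather than plaintext matters in practice: the triage output itself becomes a sensitive artifact, and a ticket or SIEM event should carry the affected account and host, not the password.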

Erich Kron, security awareness advocate at KnowBe4, wrote, “This reuse of passwords can be a significant issue that people often underestimate the impact of, but it leads to the practice of credential stuffing, where a known good username and password are tried on multiple websites, using tools that are free or extremely inexpensive and leading to the compromise of email accounts, retail shopping accounts and bank accounts among others, and has been responsible for hundreds of thousands of account takeover compromises this year alone. Using Multi-Factor Authentication (MFA) and educating users about the threat that password reuse poses can go a long way toward thwarting the issues related to the stolen or reused passwords which are causing so many issues.” 

Tomer Bar, VP of Security Research at SafeBreach, explained in an email that the surge in remote work is adding to this problem, writing, “We agree with the recommendation in the analysis and would like to add that continuous security validation should also be done on all laptop and remote devices.”

How are these logs used?

The ecosystem around stealer logs is layered. Most lower-tier logs appear to be used to get into subscription services like Spotify or Netflix so the “hacker” can save some money. But Flare explains that the market path of a log containing corporate access credentials is much more sophisticated: “Based on the evidence from the dark web forum Exploit.IN, we rate it as highly likely that initial access brokers (IABs) are using stealer logs as a principal source to gain an initial foothold to corporate environments that can then be auctioned off on top-tier dark web forums.” In other words, infostealers are the tip of the spear in large-scale cyber attacks. 

It’s important to understand the economy that enables such attacks: without the logs, initial access brokers would not get access so easily, and without that access, other cybercriminals could not get into a network and do as they please with the protected information inside. This economy lowers the barrier to entry, because a criminal now needs to specialize in only one phase of an attack and can buy the work of others to complete the rest. 

Comment and advice on stealer logs from other industry experts.

(The following comments were added at 12:45 PM ET, July 26th, 2023.)

Colin Little, security engineer at Centripetal, wrote to share what has emerged from discussions with customers about this kind of incident. “When I speak to customers about this type of event, and begin to discover the scope and impact of the damage that may be observed as a result, there are two common themes. One, the answer on the enterprise approach to personal assets is similar in many ways, but distinctly different in key ways. Two, customers are surprised at what we find because they have controls in place such as physical/logical network segmentation, user-awareness training and sometimes perimeter security devices for enterprise-operated Bring Your Own Device (BYOD) networks.

"The fact is, however, an enterprise's cybersecurity tools and in many cases cybersecurity investigations won't be applied to personal devices, which means if there is an infected personal device the enterprise is not alerted to its presence. Likewise, while it is possible to advise users not to use their work assets for personal use, it can be challenging if not impossible to enforce these recommendations when the factors extend beyond the enterprise and into third party services.

"There are a plethora of mitigating factors and best practices, which help the enterprise limit the risk and damage caused by theft of credentials. At the end of the day, it would be a monumental task to not only observe these, but also work to both secure personal devices as well as determine if there had been any credential thefts, what their sources were, and what the scope of the actual impact and risk are.

"The key to success that is not covered here is, I believe, in operationalized threat intelligence. By getting the right quantity and quality of intelligence on the network, applying threat hunting and analytics, and having the right people with the right access to intelligence reports from multiple sources it is possible to not only detect infected personal assets on a BYOD network which is part of the enterprise, but to also promote self-awareness for the enterprise from these various sources of intelligence and determine if enterprise credentials have been seen in info-stealer logs.

"It's a big undertaking and cost when doing it all in-house, not to mention a lot of what/where/how questions that need to be answered in the process. When it all comes together though, we can then not only validate the mitigating factors and best practices, but can precisely target where they are needed most.”

We also received comments from Darren James, senior product manager with Specops Software, who recommended some steps organizations might take to mitigate the effect of infostealers. “This latest discovery highlights that organizations must have tighter controls over the devices on which their users can use their corporate credentials. It comes as no surprise that after the COVID-19 pandemic many employees were asked to work from home and use mobile devices that might not meet secure standards, or company devices that were designed purely for office use may have been rapidly deployed to an employee’s home. This essentially created an attack surface where a user may have been given excess permissions on their corporate devices, or exposed them to use by other members of the family, who may have unwittingly installed the information stealer malware that has captured these credentials. So, what can we do about it?

  1. "Use a system that can detect when a user’s password has been compromised and force the user to change it.
  2. "Enforce the use of “fatigue resistant” MFA wherever possible. All the affected websites mentioned support at least 2FA.
  3. "Investigate threat intelligence solutions that intercepts these malware transmissions as they happen and alerts you to any future breaches that relate to your company and your employees.
  4. "Explore ways of controlling what software can be installed on devices that access corporate applications and resources.
  5. "Keep your antivirus and operating systems patched and up to date.
  6. "Regularly perform cyber awareness training to change the create a “secure by default” behavior within your organization.

 "These steps above are relatively easy to deploy and have minimal impact on your end users and reduce your company’s cyber risk significantly.”