Defender-in-the-middle: How to reduce damage from info-stealing malware

Victoria Kivilevich, Director of Threat Research

Bottom Line Up Front

  • Following the recent hacks of Uber and Rockstar Games, KELA took a closer look at attacks that started with compromised corporate credentials being leaked or traded in the cybercrime ecosystem.
  • Today this ecosystem lets threat actors easily acquire credentials harvested by information-stealing malware and offered for sale on automated botnet marketplaces such as Genesis, Russian Market and TwoEasy.
  • While some threat actors look for banking and e-commerce credentials that they can cash out quickly by stealing money from a compromised account, more sophisticated attackers target organizations and their corporate credentials. These attackers exchange tips on finding such credentials and use the cybercrime ecosystem to buy them for a few dollars.
  • Luckily, defenders can access the same cybercrime ecosystem and gain the same visibility as a threat actor planning an attack. Threat intelligence solutions can be used effectively to monitor exposed assets and reduce the attack surface by remediating exposures or taking down compromised data.
  • It is crucial to consider not only the company's direct assets but also workspaces hosted by third parties, with Slack being a prime example: based on KELA's research, thousands of unique workspaces were compromised and could be used for attacks similar to the Electronic Arts incident.
  • The evolution of cybercrime, with its focus on servitization (paying for a service instead of buying the equipment), sales automation and increased visibility of goods, will drive more threat actors to use this ecosystem.

When a large-scale cyberattack happens, every security professional on the victim's side can't help but ask, "At which point could we have stopped it?" A decade ago, the answer would have focused mostly on suspicious activity inside the compromised network: which software, which policies and which people failed to detect unauthorized access and malicious activity.

Back then, enterprise defenders had little visibility into the reconnaissance stage of an attack, in which a threat actor researches a target and gathers information that may help compromise the company. Threat actors, in turn, were more used to orchestrating targeted attacks (think of ransomware incidents) from scratch, with little visibility into opportunistic attacks, such as phishing campaigns, that other actors had already carried out.

Nowadays, a growing cybercrime ecosystem enables threat actors to obtain and use data gained by other actors, turning one attacker's trash into another attacker's treasure. From malware-as-a-service to stolen databases and exposed credit card data, an attacker familiar with cybercrime marketplaces and forums can access a variety of services and data with one click and a few dollars. Opportunistic attacks thus become the raw material for the large targeted attacks that end up in media headlines.

Luckily — coming back to the question "At which point could we have stopped it?" — defenders can access the same cybercrime ecosystem and gain the same visibility as a threat actor planning an attack. This access means they can intervene as a "defender-in-the-middle": between the opportunistic attack and the targeted one, with cybercrime sources being that middle.

A skilled and well-equipped defender can access these markets and forums, find their company's exposed information and act to prevent further exploitation of that data. To make this practical, let's look at recent attacks that started with a piece of information being leaked or traded in the cybercrime ecosystem, namely credentials acquired by information-stealing malware, which has become a popular attack vector.

Six months into Breached: The legacy of RaidForums?

Yael Kishon, Threat Intelligence Analyst

On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched in response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor "pompompurin" as "an alternative to RaidForums," offering large-scale database leaks, login credentials, adult content and hacking tools.

In late January 2022, three prominent actors from RaidForums were arrested after the domain was seized – the administrator and creator of the forum “Omnipotent” and two other administrators, “Jaw” and “moot.” According to the US Department of Justice, the owner of RaidForums was Portuguese national Diogo Santos Coelho (aka Omnipotent), who was charged with conspiracy, access device fraud, and aggravated identity theft. Coelho and his partners are alleged to have designed the forum’s software and computer infrastructure and managed the forum, promoting database exchange. 

After the closure of RaidForums, it was only a few weeks until the launch of Breached. In the first six months of its existence, Breached became the new platform for database exchange, attracting more than 82,000 registered users. KELA explored whether Breached has actually replaced RaidForums as the most popular database exchange site and analyzed the top actors' activities and the trends associated with the new forum.