What lies beneath this kind of illegal access brokerage, and why do the stolen credentials still work?

Cyber researchers have identified an uptick in the volume of stolen credentials for sale on underground markets, including from personal employee devices that facilitate entry into corporate networks.

The malware responsible for this harvesting of corporate data—called “infostealers”—is a growing threat to enterprises.

Worse still, one of the leading forums for stolen credentials in Russian recently added a new feature that allows its crooked users to preorder stolen credentials with a deposit of just US$1,000, according to Alex Tilley, Head of Threat Intelligence (Asia Pacific and Japan), Secureworks, whose Counter Threat Unit is tracking the development of the infostealer market.

Read on to find out more of his cybersecurity insights shared with CybersecAsia.net.

CybersecAsia: Could you give a short update on the recent uptick in the volume of stolen credentials for sale on underground markets, and what you think are the factors causing this?

Alex Tilley (AT): The sheer volume of stolen credentials held in so-called “collector” databases by criminals is mind boggling.

For many years they only used to go after people’s bank accounts, so other organizations were largely not affected. With the efforts and resources dedicated by banks to securing bank accounts and rolling out things like multi-factor authentication (MFA, which controls the damage caused by infostealers) the criminals have shifted to attacking other organizations.

Therefore, this trove of login credentials for companies that, historically has not been widely used, is coming back into fashion as cybercriminals seek to directly compromise organizations for extortion or ransomware attacks. 

Alex Tilley, Head of Threat Intelligence (Asia Pacific and Japan), Secureworks

CybersecAsia: How will the potential evolution of the ‘access for sale’ business model impact the already high level of cybersecurity risks worldwide?

AT: Massively, we are already seeing the move to the so called “access broker” business become quite mature. Cybercriminals see the amount of money that can be made by attacking organizations directly using already stolen credentials; couple this with lax password-change policies and a lack of MFA, and you can see how organizations face a significant issue with stolen credentials being used to compromise their networks.

CybersecAsia: Other than the usual cybersecurity measures recommended for all organizations, what specific measures do you recommended for preventing credentials from being stolen, amid highly sophisticated scam and phishing techniques such as deepfakes?

AT: Unfortunately, there is no “silver bullet” to secure organizations against current and emerging attacks.

Security fundamentals are key: Up-to-date logging that is fit for purpose (are you logging the right fields on the right systems to investigate a breach?); regular staff training and reminders around scams and phishing; deployment of MFA on all internet facing systems and third-party cloud and SaaS providers … the list goes on.

It all really boils down to visibility. Do organizations have the right systems on the endpoints on the network and edge devices to both detect a current anomaly (that may be an attack in progress) but also investigate a historical breach detected?

CybersecAsia: Despite constant reinforcement of cybersecurity guidance and best practices, organizations and businesses are still not taking the necessary protective measures. What in your opinion are some of the main factors behind this resistance?

AT: Honestly, security is hard. I see a lot of “perfection paralysis” with organizations wanting to do everything perfectly and either:

    • Not knowing where to start so they spend their resources trying to figure out a way forward rather than just doing “something” that can improve their security posture and lower their organizational risk
    • Or trying to do everything at once and spinning their wheels in multiple initiatives that somehow lead to very little actual progress being made.

A methodical approach to achieving gradual security posture improvement is much more positive with the occasional leap forward, helpful technology and perhaps the engagement of a third party to do “the heavy lifting” for the IT teams. 

Ultimately, any improvement in security will be helpful and getting the fundamentals right makes a very real difference. You do not have to do it all perfectly in one go, but start by doing something!

CybersecAsia thanks Alex for sharing his insights on infostealers and cyber “perfection paralysis”.