EclecticIQ

Escalation of Information Stealer Capabilities Targeting Valid Accounts Increases Risk Into 2023

2022 cyberattack activity trends have highlighted shifting patterns in malware, threat actor networks, and cyberattack incentives. Much of the changing activity orbits T1078 (Valid Accounts).

EclecticIQ Threat Research Team December 8, 2022

tap-22-2022

New and Noteworthy: Escalation of Information Stealer Capabilities Targeting Valid Accounts Increases Risk Into 2023

Information Stealing Malware Shows a Strong Trend Toward Targeting Account Information That Can be Deployed in Future Targeted Cyberattacks.

Information-stealing malware includes bots and trojans deployed for the purpose of exfiltrating account information. While this cyberattack activity is at times targeted, most threat actors vacuum up whatever their malware can successfully target. It remains the job of other threat actors to purchase access to the stolen information and dig through it to find account information of particular use in further cyberattacks with different objectives. A secondary cyberattack that uses information gleaned from an earlier initial attack may then go on to steal further information from the same victim that can be used in a tertiary attack – perhaps the third-round attack involves ransomware, or perhaps threat actors pivot to compromise individual victims' banking accounts using information stolen from an employer. The effect of this data capture and reuse is cyberattacks on more types of accounts (e.g. banking, social media, gaming applications, private databases, email credentials, etc.), which, in turn, exposes more business verticals to risk. Although EclecticIQ analysts have observed this threat before, different aspects of the threat landscape are now reinforcing previous patterns of operation and networking to a point where heightened consideration is warranted for information stealers, a threat that has historically often been deprioritized.

Threat Actor Groups' Increasing Specialization Creates Demand For Pieces of Data That Promote Further Successful Cyberattacks.

Open-source threat intelligence indicates a growing demand for valid account information (credentials and tokens). (1, 2) Account information, especially full username and password credentials, is of high value because it provides initial access for other threat actors. The time/value tradeoff is significant enough that more groups of threat actors exclusively focus on stealing credentials and session tokens, which enable further future cyberattacks that use the stolen credentials for access to the targeted network.

The Success of Credentials for Initial Access Increases Market Demand for Valid Stolen Credentials and Access Tokens.  

Data breaches are often productive to other threat actors for the myriad account and credential information they typically contain. (3) Account information harvesters are also commonly sourced from off-the-shelf malware (malware-as-a-service) that is both relatively common (high-volume) and being tuned to focus on account and credential theft. (4, 5) This, in turn, drives a thriving underground market, (6) which further incentivizes the threat actors and malware at the top of the cycle, sometimes to form unique relationships that can be more effective at generating profit. (7, 8)

A Large Portion of Credential Compromise Cyberattacks Likely Fails to Correct the Compromised Account in Time to Prevent the Follow-Up Cyberattack.

Account compromise is unlikely to create immediate effects. In the currently evolving cyberattack ecosystem, the impact often isn’t felt until a further cyberattack uses the stolen credentials to gain access to the network and conduct a more disruptive attack on the organization. In the case of the Uber cyberattack earlier this year, a statement from Group-IB indicates the Lapsus$ hackers possibly used previously stolen credentials to breach the internal network and cause widespread embarrassment. (9, 10)

Organizations Should Place Increased Focus on Account Management and Monitoring.

NIST’s current recommendations advise against frequent, mandatory password resets. (11) This is possibly exacerbating credential and account targeting: if credentials are not changed frequently, stolen credentials remain valid for longer, and threat actors are very likely to receive increased utility from them.

It remains paramount to adopt capabilities to monitor for anomalous logins and to implement layered security practices that mitigate compromise in the event of a threat actor successfully exploiting T1078 (Valid Accounts). These capabilities will help to greatly reduce potential risk from network compromise stemming from this increasingly popular type of initial access. 
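As an added illustration of the anomalous-login monitoring recommended above (this is example code, not EclecticIQ tooling), the script below runs four simple detections over a constructed authentication log: a successful login from a country never seen for that user, two successes from different countries inside a short window (impossible travel), a burst of failures immediately followed by a success (stuffing or spraying), and an existing session identifier presented from a new source IP (token replay). The log format, the thresholds and the sample events are all assumptions chosen for the demonstration.

```python
"""Flag anomalous logins in a constructed authentication log.

Added example for this post (not EclecticIQ code). The log format, the
thresholds and the four rules are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line:
# time user result source_ip country user_agent session_id ("-" = no session issued)
SAMPLE_LOG = """\
2022-12-01T08:02:11Z alice success 203.0.113.10 NL Firefox/107 sess-a1
2022-12-01T08:40:05Z alice success 203.0.113.10 NL Firefox/107 sess-a1
2022-12-02T09:15:42Z bob success 198.51.100.7 US Chrome/108 sess-b1
2022-12-02T09:16:00Z alice failure 192.0.2.55 BR curl/7.85 -
2022-12-02T09:16:03Z alice failure 192.0.2.55 BR curl/7.85 -
2022-12-02T09:16:06Z alice failure 192.0.2.55 BR curl/7.85 -
2022-12-02T09:16:09Z alice success 192.0.2.55 BR curl/7.85 sess-a2
2022-12-02T09:20:00Z bob success 192.0.2.77 RU Chrome/108 sess-b1
"""

TRAVEL_WINDOW = timedelta(minutes=60)   # two countries inside this window = impossible travel
FAILURE_WINDOW = timedelta(minutes=5)   # failures counted only inside this window before a success
FAILURE_THRESHOLD = 3                   # failures needed to call it a burst


def parse_line(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, result, ip, country, ua, session = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "user": user, "result": result, "ip": ip,
            "country": country, "ua": ua, "session": session}


def detect_anomalies(log_text):
    """Return a list of (timestamp, user, rule) alerts, one per rule that fired."""
    countries_seen = defaultdict(set)      # user -> countries of prior successful logins
    last_success = {}                      # user -> (time, country) of previous success
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failed attempts
    session_ip = {}                        # session id -> source IP it was first seen from
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, when = ev["user"], ev["when"]
        if ev["result"] != "success":
            recent_failures[user].append(when)
            continue
        # Rule 1: success from a country never seen for this user (first login sets the baseline).
        if countries_seen[user] and ev["country"] not in countries_seen[user]:
            alerts.append((when, user, "new_country"))
        # Rule 2: a different country than the previous success, inside the travel window.
        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and when - prev[0] <= TRAVEL_WINDOW:
            alerts.append((when, user, "impossible_travel"))
        # Rule 3: a burst of failures immediately before the success (stuffing / spraying).
        fails = recent_failures[user]
        while fails and when - fails[0] > FAILURE_WINDOW:
            fails.popleft()
        if len(fails) >= FAILURE_THRESHOLD:
            alerts.append((when, user, "failure_burst_then_success"))
        fails.clear()
        # Rule 4: an already-issued session id presented from a new source IP (token replay).
        sess = ev["session"]
        if sess != "-":
            if sess in session_ip and session_ip[sess] != ev["ip"]:
                alerts.append((when, user, "session_reused_from_new_ip"))
            session_ip.setdefault(sess, ev["ip"])
        countries_seen[user].add(ev["country"])
        last_success[user] = (when, ev["country"])
    return alerts


if __name__ == "__main__":
    for when, user, rule in detect_anomalies(SAMPLE_LOG):
        print(f"{when.isoformat()} {user:<6} {rule}")
```

On the sample data, alice's success from Brazil fires the new-country and failure-burst rules, while bob's login from a second country four minutes after the first, on a session id that was issued to a different IP, fires all of new-country, impossible-travel and session-reuse. In production the baseline of known countries (or ASNs and device fingerprints) should be built from a longer history than the log being scored, and each alert should feed a response playbook that revokes the session and forces re-authentication rather than only notifying.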

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.
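For readers who want to wire the collection into their own stack, the following added example (not EclecticIQ's client code) shows the first step of the TAXII 1.1 exchange against the discovery URL given above: building a Discovery_Request message, parsing the Discovery_Response that a server returns, and filtering the advertised services down to poll endpoints that are available and served over HTTPS. The response XML below is constructed for the example and is not output from the EclecticIQ server; the HTTP header values are the TAXII 1.1 XML and HTTPS binding identifiers as the author understands them, and nothing here sends a request.

```python
"""Build a TAXII 1.1 Discovery_Request and parse a Discovery_Response.

Added example (not EclecticIQ's client code). DISCOVERY_URL is the address
published in the post; SAMPLE_RESPONSE is constructed for this example.
"""
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
DISCOVERY_URL = "https://cti.eclecticiq.com/taxii/discovery"
HTTPS_BINDING = "urn:taxii.mitre.org:protocol:https:1.0"

# Headers a TAXII 1.1 client sends with the XML message (assumed values of the
# standard binding identifiers; not taken from the post).
TAXII_HTTP_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": HTTPS_BINDING,
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

# Constructed sample response: one discovery service and two poll services, one
# of which is advertised over cleartext HTTP and should not be used.
SAMPLE_RESPONSE = f"""\
<taxii_11:Discovery_Response xmlns:taxii_11="{TAXII_NS}" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>{HTTPS_BINDING}</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.invalid/taxii/discovery</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>{HTTPS_BINDING}</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.invalid/taxii/poll</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://taxii.example.invalid/taxii/poll</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>
"""


def build_discovery_request(message_id):
    """Serialize the empty Discovery_Request message that a client POSTs to DISCOVERY_URL."""
    ET.register_namespace("taxii_11", TAXII_NS)
    root = ET.Element(f"{{{TAXII_NS}}}Discovery_Request", {"message_id": str(message_id)})
    return ET.tostring(root, encoding="unicode")


def parse_discovery_response(xml_text):
    """Return one dict per advertised Service_Instance, rejecting non-discovery messages."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError(f"unexpected TAXII message: {root.tag}")
    services = []
    for inst in root.findall(f"{{{TAXII_NS}}}Service_Instance"):
        services.append({
            "type": inst.get("service_type"),
            "available": inst.get("available", "true") == "true",
            "protocol": inst.findtext(f"{{{TAXII_NS}}}Protocol_Binding"),
            "address": inst.findtext(f"{{{TAXII_NS}}}Address"),
        })
    return services


def usable_poll_endpoints(services):
    """Keep only POLL services that are available and bound to HTTPS with an https:// address."""
    return [s["address"] for s in services
            if s["type"] == "POLL" and s["available"]
            and s["protocol"] == HTTPS_BINDING and s["address"].startswith("https://")]


if __name__ == "__main__":
    print(build_discovery_request(1))
    print(usable_poll_endpoints(parse_discovery_response(SAMPLE_RESPONSE)))
```

The request serializer and the response parser are what a client would wrap around an HTTPS POST to the discovery URL with the headers in TAXII_HTTP_HEADERS; the filter at the end is the practical check, since a server may advertise several bindings and an intelligence feed should only ever be pulled over the authenticated, encrypted one.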

Appendix

  1. https://www.darkreading.com/threat-intelligence/infostealer-malware-market-booms-mfa-fatigue
  2. https://www.group-ib.com/media-center/press-releases/professional-stealers/
  3. https://thehackernews.com/2022/12/lastpass-suffers-another-security.html
  4. https://labs.withsecure.com/publications/ducktail-returns
  5. https://www.mandiant.com/resources/blog/a-nasty-trick-from-credential-theft-malware-to-business-disruption
  6. https://academic.oup.com/bjc/article-abstract/62/6/1518/6503727/
  7. https://www.mandiant.com/resources/blog/a-nasty-trick-from-credential-theft-malware-to-business-disruption
  8. https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d
  9. https://thehackernews.com/2022/09/uber-claims-no-sensitive-data-exposed.html
  10. https://threadreaderapp.com/thread/1570821174736850945.html
  11. https://cloudinfrastructureservices.co.uk/nist-password-guidelines-requirements-best-practices/ 

© 2014 – 2024 EclecticIQ B.V.