SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Secureworks CTU identifies increase in stolen credential sales
Mon, 5th Dec 2022

Researchers from the Secureworks Counter Threat Unit (CTU) have identified an increase in the volume of stolen credentials for sale on underground markets, including from personal employee devices that facilitate entry into corporate networks.

Reports have revealed that infostealer malware responsible for harvesting corporate data is becoming a growing threat to enterprises and an ideal tool for cybercriminals. 

CTU researchers have noted that one of the leading forums for stolen credentials recently added a new feature that allows users to preorder stolen credentials with a deposit of just $1000.

They say that this development may lead to increased targeting of specific organisations while also signalling an evolution of the access-for-sale business model as criminals constantly look to maximise the return on investment for their nefarious activities.

In a recent underground forum post, CTU researchers observed threat actors advertising an auction for access to a Fortune 500 company's network via credentials stolen from an employee's personal computer.

The seller was offering the credentials at an opening bid of USD $1,000 and a buyout price ("blitz") of $5,000. 

Data published by the CTU in the 2022 State of the Threat Report also reveals that in a single day in June 2022, one underground forum offered over 2 million logs (collections of stolen data) from infostealers.

A year earlier, the same market had offered 878,429 logs from the same stealers on a single day, a year-on-year increase of over 150%.

By early November 2022, this number had increased from over 2 million to over 4.6 million logs for sale on a single day.

Earlier this year, Secureworks CTU researchers also found new information about the DarkTortilla malware, revealing more about its versatility and scope within the threat landscape.

This .NET-based crypter malware, another extremely damaging cyber risk, has possibly been active since at least August 2015.

Researchers have also been carefully tracking the Chinese threat group BRONZE STARLIGHT, and looking at how the group is using targeted ransomware to initiate complicated attacks across the globe.

The researchers highlighted that the group is likely using ransomware during incidents to destroy evidence, distract investigators and exfiltrate data.

From a technological perspective, Secureworks also recently announced that its extended detection and response (XDR) platform, Taegis, is widely available in Japan.

"The economics of cybersecurity must change. XDR has the clear advantage over siloed, point cybersecurity solutions, which provide blind spots for threat actors to lurk in," said Wendy Thomas, President and CEO, Secureworks at the time.