
The data-stealing spree (Infostealers)

Cybercriminals have been selling hundreds of millions of customer records from big companies such as Ticketmaster and Santander Bank. Although data breaches have been common for over a decade, these recent incidents are significant because they are all linked. Each affected company used the cloud data storage service Snowflake and was compromised because attackers had login credentials for their Snowflake accounts. This data-stealing spree has impacted at least 165 Snowflake customers.

The attackers didn’t get these logins by directly breaching Snowflake or through a complex attack. Instead, they found the credentials among stolen data collected randomly by “infostealer” malware.

Infostealers are becoming more common. This type of malware often ends up on people’s computers through downloads of pirated software. It can steal usernames and passwords, cookies, search history, financial information, and more from web browsers. Hackers are increasingly using the data collected by infostealers to compromise companies, and cybersecurity experts warn that more high-profile data breaches are likely.

“We’ve seen nation-states, criminals, and even teenage hacking groups use infostealers,” says Charles Carmakal, chief technology officer of the cybersecurity firm Mandiant, owned by Google. Russian hackers and cybercriminal gangs like Lapsus$ and Scattered Spider are among those using infostealers. Just days after the global CrowdStrike outage, hackers created a new infostealer to take advantage of the situation.


Infostealers are defined more by their role in the hacker ecosystem than by their technical abilities. They are spread widely and indiscriminately, grabbing data from the browsers of any infected computer. The attackers then sort through this chaotic mix of data, often on a marketplace or a public forum like a Telegram channel, to find valuable credentials and access tokens.

Some login credentials are especially valuable to cybercriminals. If a data dump includes working login details for a corporate employee’s accounts, a ransomware gang or other criminals could use this access to launch attacks. Infostealer operators maximise the value of the data they collect by making it available on platforms like Genesis Market and Russian Market, which organise the stolen data and make it searchable. This way, hackers looking to target specific organisations can find what they need.

These platforms operate like legitimate information and ecommerce services, often charging subscription fees to access the data. Currently, Russian Market has so much stolen data from infostealers that it charges a low flat rate, typically no more than $10, for any subset of data users want to download.

“Organisations have become very good with their security, and people have also gotten more savvy, so they’re not the best targets now for traditional attacks,” says Ian Gray, director of analysis and research at the security firm Flashpoint. “Attackers need something less targeted and more opportunistic. Infostealers are modular and often sold on a subscription basis, similar to modern subscription services like video streaming.”

Infostealers have been particularly effective with the rise of remote and hybrid work, as companies allow employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to compromise individuals on their home computers but still end up with corporate access credentials. It also makes it easier for infostealing malware to bypass corporate protections if employees have their personal email or social media accounts open on work devices.

“I started paying attention to this once it became an enterprise problem,” says Mandiant’s Carmakal. “Around 2020, I saw more intrusions into enterprises starting from compromises of home computers through phishing of people’s personal email accounts, which were unrelated to any enterprise targeting but looked very opportunistic.”


Victoria Kivilevich, director of threat research at security firm KELA, says criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. The sale of infostealer data can be considered the “supply chain” for various types of cyberattacks, including ransomware and business email compromise. Kivilevich says there have been more than 7,000 compromised credentials linked to Snowflake accounts shared on various cybercrime marketplaces and Telegram channels.

“I don’t think there was one company that came to us with zero accounts compromised by infostealer malware,” says Kivilevich, noting that infostealer-related activity increased in 2023. Irina Nesterovsky, KELA’s chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.

Carmakal says companies and individuals can protect themselves from infostealers by using antivirus or EDR products to detect malicious activity and enforcing multifactor authentication across users. “We encourage people not to synchronise passwords on their corporate devices with their personal devices,” Carmakal adds.
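Kivilevich's point that marketplaces can be searched by domain cuts both ways: a defender can triage a dump of exposed credentials for the accounts the organisation is actually responsible for, then feed the result into the password resets and MFA enforcement Carmakal recommends. The script below is an added illustration of that triage, not code from the article or from any of the firms it quotes. The record layout, the host and user names, and the `first_seen` dates are all constructed for the example; no real dump format is claimed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ExposedRecord:
    """One line of a credential dump as it might be shared on a marketplace.
    The field layout is an assumption made for this example, not a documented
    format. The password value itself is deliberately not carried: triage only
    needs to know whether one was present."""
    login_url: str
    username: str
    has_password: bool
    first_seen: str  # ISO date the record was listed (constructed)


# Constructed sample records; none of these hosts or users are real.
SAMPLE_RECORDS = [
    ExposedRecord("https://acme-corp.example-saas.test/login", "jdoe@acme.example", True, "2024-05-02"),
    ExposedRecord("acme-corp.example-saas.test/session", "JDOE@ACME.EXAMPLE", True, "2024-05-20"),
    ExposedRecord("https://mail.personal-webmail.test", "jdoe.home@personal-webmail.test", True, "2024-05-03"),
    ExposedRecord("https://sso.acme.example/idp/login", "a.smith", True, "2024-04-11"),
    ExposedRecord("https://shop.unrelated.test/account", "someone@else.test", True, "2024-05-07"),
    ExposedRecord("https://acme-corp.example-saas.test/login", "contractor@vendor.test", False, "2024-05-09"),
]

# Hypothetical organisation: its email domain, the hosts it owns or is the
# tenant of (including its SaaS tenant host), and users already under MFA.
ORG_EMAIL_DOMAINS = {"acme.example"}
ORG_HOSTS = {"acme-corp.example-saas.test", "acme.example"}
MFA_ENFORCED = {"a.smith"}


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL; dump lines often omit the scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def matches_org(record: ExposedRecord, email_domains: set, org_hosts: set) -> bool:
    """True when the record is an account the organisation is responsible for:
    by the user's email domain, or by the login host (exact or subdomain)."""
    user = record.username.lower()
    if "@" in user and user.rsplit("@", 1)[1] in email_domains:
        return True
    host = host_of(record.login_url)
    return any(host == h or host.endswith("." + h) for h in org_hosts)


def triage(records, email_domains: set, org_hosts: set, mfa_enforced: set) -> dict:
    """Group matching records per account (case-insensitive) and assign an action.
    Returns {username: {"records": n, "latest": date, "hosts": set,
                        "password_exposed": bool, "action": str}}."""
    result = {}
    for r in records:
        if not matches_org(r, email_domains, org_hosts):
            continue
        user = r.username.lower()
        entry = result.setdefault(user, {"records": 0, "latest": r.first_seen,
                                         "hosts": set(), "password_exposed": False})
        entry["records"] += 1
        entry["latest"] = max(entry["latest"], r.first_seen)  # ISO dates sort as strings
        entry["hosts"].add(host_of(r.login_url))
        entry["password_exposed"] = entry["password_exposed"] or r.has_password
    for user, entry in result.items():
        if not entry["password_exposed"]:
            entry["action"] = "review"              # exposure noted, no secret in the dump
        elif user in mfa_enforced:
            entry["action"] = "reset_password"      # MFA already limits replay of the password
        else:
            entry["action"] = "reset_password_and_enforce_mfa"
    return result


def run_sample() -> dict:
    """Run the triage over the constructed records with the hypothetical org settings."""
    return triage(SAMPLE_RECORDS, ORG_EMAIL_DOMAINS, ORG_HOSTS, MFA_ENFORCED)


if __name__ == "__main__":
    for user, entry in sorted(run_sample().items()):
        print(f"{user:28} {entry['action']:32} records={entry['records']} latest={entry['latest']}")
```

Two design points matter here. Matching is done on both the user's email domain and the login host, because a corporate SaaS tenant is reached by a host the organisation does not own (the `a.smith` record has no email domain at all and is caught only through the SSO host). The personal webmail record is deliberately left out even though it sits in the same dump as the corporate login: that co-occurrence is exactly the home-computer path Carmakal describes, but the resulting action (a reset and MFA for the corporate account) is the same, and the organisation has no standing to act on the personal account.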

The success of infostealers means it’s inevitable that cybercriminals will try to replicate compromise sprees like the Snowflake incident and look for other enterprise software services to use as entry points. Carmakal warns that more breaches are likely in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs and look for other SaaS providers, similar to Snowflake, where they can log in, steal data, and then extort those companies.”
