2024-08-22

In their whitepaper entitled “Stealers are Organisation Killers,” Uptycs reveals that incidents involving information stealers (infostealers or stealers) have more than doubled in 2023. Flashpoint, which has been monitoring the sale and utilisation of stealers for the past seven years, also reports a significant increase in their popularity. Stealers are a form of malicious software designed to covertly gather sensitive information from compromised systems. Although most infected systems are personal computers, cybercriminals are now increasingly targeting corporate devices. Companies are particularly vulnerable with the rise of “bring your own device” (BYOD) policies, alongside employees using work devices for personal activities, further blurring the boundaries between personal and professional use. A compromised device can easily lead to the infiltration of corporate accounts and sensitive data, resulting in financial, reputational, and operational damage. The data collected by criminals through these attacks often exceeds terabytes, fuelling a growing market for the buying and selling of stolen data—commonly referred to as the “Cloud of Logs.” This underground market not only harms users whose credentials are stolen and sold; it also places their organisations at risk, as they have less time to detect and respond to attacks when facilitated by legitimate data acquired from these markets. This article explores how cybercriminals exploit these tools for profit and what business managers can do to safeguard their organisations.

What Are Stealers?



A stealer is a type of Trojan horse. A Trojan is malicious software, or malware, that disguises itself as a legitimate or harmless program or file to deceive users into installing it, so that it can perform a variety of harmful activities depending on how it was programmed. More specifically, a stealer’s sole purpose is to gather sensitive information from a system, such as login credentials, financial information, and other valuable data, and send it back to the attacker.

The most common type of stealer targets credentials, like usernames and passwords, stored in web browsers, email clients, online banking services, and FTP programs. These are known as password stealers. Another type, called keyloggers, tracks everything you type, potentially revealing sensitive information. Information stealers, however, have a broader scope. They can capture not just credentials, but also browsing history, autofill data, cookies, credit card details, cryptocurrency wallet keys, personal documents, and more.

Stealers can infiltrate your systems in a variety of ways. They can be disguised as a malicious link in a phishing email, as an email attachment you download onto your device, or hidden in pirated software, compromised websites, or even malicious ads. All these social engineering techniques are necessary because a stealer cannot execute itself remotely: it requires you to initiate the infection in one way or another.

Once installed on a victim’s system, an information stealer can use different methods to collect the targeted data: keystroke logging, clipboard monitoring, capturing screenshots, grabbing files from specific paths, or extracting data from web browsers and email clients. The stolen information is then typically transmitted back to the attacker’s server, by email or via the network, or stored locally to be retrieved at a later date.

Thanks to its automated processes and its ability to collect and transmit massive amounts of data, information-stealing malware is quickly becoming one of the top methods for initiating ransomware attacks and other major data breaches, because the credentials it captures serve as gateways for further cyberattacks.



Understanding Cloud Logs & Their Security Risks



This is where Cloud Logs come into play. They provide cybercriminals a way to store, organize, and potentially profit from the vast amounts of data they’ve stolen with the help of stealers. All the stolen data is stored in files on a cloud platform, labeled and categorized by the country the data was sourced from, the type of data, whether it has been pre-processed, or even the monetization scheme it suits. Cybercriminals can then sell access to these searchable files to other malicious actors, making it easy for them to acquire the logs they need for their attacks without having to gather the data themselves, saving them time and effort.

These datasets can contain a variety of logs, such as Personally Identifiable Information (PII), credit card information, bank details, and account credentials used to access online portals and cloud-based services, but also sensitive files like scans of documents, tax reports and invoices. Additionally, information sold by these criminals might include recorded keystrokes, authenticated session attributes, browsing history, cookies, user credentials, and authentication tokens. They might even sell details about the victim’s environment that can be used to bypass fraud detection, such as by replicating the software setup of the victim’s machine.

For a cybercriminal, there are many benefits to acquiring these searchable, formatted and organized logs from the cloud. For example, using cloud-based tools and databases allows them to tap into additional computing power, storage, and bandwidth, not only making their activities more efficient, but also giving them the ability to scale up their operations. Plus, with so much stolen information available on these platforms, criminals can simply search for what they need and carry out their attack more quickly. They no longer have to waste time gathering the data themselves.

These attacks are especially dangerous because criminals can launch them so quickly using stolen data, leaving organizations with very little time to detect and respond. By the time a security breach is spotted, the attackers may have already used the stolen information to access other parts of the network. Even worse, organizations might not even realize they’ve been breached because criminals can use legitimate account credentials and mimic the victim’s system environment to slip past security unnoticed.

Criminals using cloud logs to optimize their attacks don’t just put the users with stolen credentials at risk—they also endanger the organizations those users belong to. By reusing stolen credentials, these criminals can potentially infiltrate the entire IT systems of those organizations. As the business of selling access to cloud logs grows, organizations face an increased risk of intrusions and compromise attempts. This is a big concern because attackers now have a wide range of stolen data to choose from, making it easier for them to launch further attacks.



How Cybercriminals Monetize Stolen Data and Cloud Logs



How the attacker exploits or monetizes the data depends on the attacker’s specialization, skill set and goal. When operators rent out their logs to a diverse group of cybercriminals, each with their own specialty, it greatly increases the chances that the stolen data will be used in all sorts of malicious ways.



1. Selling The Data On Dark Web Forums



As mentioned previously, stealers have helped many cybercriminals with their attacks, but some criminal groups are sitting on such vast amounts of valuable data that they likely can’t fully exploit its potential. In fact, most cybercriminals spreading information stealer malware on a large scale don’t actually use all the stolen data themselves. Instead, they sell this sensitive information on dark web markets and specialized forums.

The price to access these datasets varies depending on the type of data, the size, the subscription model (limited access and download or monthly subscription), and whether the logs have been previously exploited, which lowers their value.

Packages with limited access and downloads usually go for a few hundred dollars. There are also monthly subscriptions available, with prices ranging from US$300 to US$1,000. In one case, Trend Micro came across an ad for a service that promises updates with 20,000 to 30,000 new logs every one to two weeks. A monthly subscription for that service costs US$1,000 and a six-month subscription is US$5,000, while another ad from a different seller offered a lifetime membership for US$900. These varying price points reflect the high demand and just how profitable the market for stolen data has become.



2. Selling The Stealer As A Service



Another way for cybercriminals to profit from stealers is to sell custom stealers or stealer builders. Custom stealers sold by Stealer-as-a-Service (StaaS) providers can be designed to harvest specific types of information, like credentials for specific online services or financial data.

In most cases, malicious developers use programming languages like C, C++, or GoLang to create stealers with various features. These features often include support for credential harvesting in popular browsers, web plugins, desktop wallets (for cryptocurrency) and messenger or email clients such as Telegram, Discord, Tox, Pidgin, Microsoft Outlook, Thunderbird, and even Steam sessions for accessing gaming services.

They then advertise these tools on specialized cybercrime forums, with a price depending on the features available or the stealer's detection ratio. Indeed, the developer sometimes provides proof that their builder won't get detected by antivirus software. A basic stealer can normally be purchased for under US$200, but a more professional one can sell for US$500, and even for twice that amount for a "corporate version".

This thriving marketplace allows cybercriminals to easily access tailored tools for highly targeted attacks, making stealers not just a tool for data theft, but a lucrative business in their own right.



3. Identity Theft And Fraud



In recent years, stealing user credentials has become more common, with attackers gathering huge amounts of login details, along with associated email addresses or domain names. For instance, attackers often target credentials for popular services like eBay, PayPal, Amazon, Qiwi, or cryptocurrency wallets.

Access to these accounts allows them to steal money and quickly execute a variety of scams. This includes identity theft to apply for credit cards or loans, creating fake accounts and identities to sell to other criminals, and committing financial fraud, like making unauthorized purchases or even transferring funds into their own accounts.

In their report, Flare.io found that stealer logs that give access to financial services accounts, like banking and retirement portals, were priced much higher on Genesis Market compared to logs for consumer apps. On average, logs tied to financial services went for $112, while the average price for all logs was just $15. These logs include credentials for top retail banks, which cybercriminals can use to directly steal or spend money from users' accounts.

This explains why these types of stolen credentials are in such high demand—they’re not just easier to monetize, but they also can be sold at a much higher price on the black market.



4. Ransomware Attacks



Attackers looking for bigger targets might use stolen credentials to break into the IT systems of the organizations those employees work for, encrypt important data, and then demand a ransom to unlock it. Data from stealers and cloud logs indeed gives cybercriminals everything they need to pull off a successful ransomware attack. To make things worse, they might threaten to leak sensitive information if the company doesn’t pay up. This makes ransomware attacks especially damaging and hard for companies to ignore.

The Uptycs threat intel team discovered a new ransomware-as-a-service (RaaS) provider during their dark web investigations. They found that this provider, called Cyclops, not only offers ransomware services but also includes a separate tool specifically for stealing data.

Lapsus$—a group that became infamous for leaking data from major companies like Microsoft and Samsung—has been actively using ransomware tactics to extort money from their targets. After gaining initial access through social engineering, Lapsus$ members deploy stealers to extract valuable data, often from cloud platforms like Azure.

Once they have the data, they threaten the company with a ransom demand, making it clear that if payment isn't made, the stolen information will be leaked. Notable victims of these attacks include major organizations like Uber, showing the group's wide reach and the severe impact of their ransomware strategies.

Another example is a private ransomware operation called Radar, which has reportedly hit multiple victims and leaked their data on the dark web. Built using the leaked source code of LockBit ransomware v2, Radar Locker buys stealer logs to break into targets and then demands a ransom.

These examples show how ransomware attacks can quickly escalate when cybercriminals leverage stealers and cloud logs to access sensitive data, turning it into a profitable business.



5. Corporate Espionage



With ransomware being just one way cybercriminals exploit stolen data, it’s important to also consider how this information can be used for more targeted and insidious purposes, like corporate espionage.

In these cases, malicious actors or competitors use the stolen information to gain an unfair advantage or to actively undermine a company. This can involve stealing trade secrets, intellectual property, or sensitive business strategies that give the attacker insight into a company’s operations.

A recent report from Flare.io reveals that information stealers are making their way into corporate environments more often, likely due to the growing overlap between personal and work devices. The report uncovered around 400,000 employee logins being sold on dark web sites and shady Telegram channels.

Lapsus$ also engages in activities that border on corporate espionage. The group has been sharing the results of its attacks on platforms like Telegram, where they've posted sensitive data such as Nvidia employee credentials, Samsung's source code, and even Okta customer data. By leaking critical information like parts of Microsoft's Cortana and Bing source code, Lapsus$ not only extorts companies but also weakens their competitive edge.

This kind of data breach is a prime example of how stolen information can be weaponized to weaken a company’s market position, give competitors an unfair advantage and potentially put its future at risk.



Reputation Damage and Operational Disruption



The rise of infostealers has significantly increased risks for businesses, especially with the blurred lines between personal and corporate data in today’s remote and hybrid work environments. This overlap makes it easier for infostealing malware to bypass corporate defenses, even on enterprise devices.

According to Flare.io’s research, out of the millions of stealer logs analyzed, a significant number contain credentials for key business applications like Salesforce, HubSpot, AWS, and DocuSign. These aren’t just any credentials; they are the keys to the kingdom. Threat actors highly value corporate credentials and often sell them on dark web forums, where they are then used to gain initial access to organizations, steal more data, and sometimes even hold that data for ransom.

The consequences of breaches like those carried out by Lapsus$ extend far beyond the immediate theft of data or financial loss. When sensitive information such as intellectual property, customer data, or source code is leaked, it can severely damage a company’s reputation and disrupt its operations.

These disruptions often include compromised services, corrupted data, and costly security fixes, leading to a significant loss of customer trust and brand damage. In some cases, attackers may even lock companies out of their own systems, halting operations and causing long-term financial losses. The ripple effects of such incidents can jeopardize a company’s market position and long-term viability.

In short, the impact of infostealers and stolen data on businesses is profound. It’s not just about losing a few passwords—it’s about the potential for serious reputational harm and operational chaos. And as cybercriminals continue to refine their tactics, the stakes for businesses will only get higher.



Protect Your Business From Cloud Log Exploitation



If you suspect your computer is infected with an infostealer, start with a full system scan using trusted anti-malware tools to detect and remove any malicious software. However, simply removing the malware isn’t enough—you should change all your passwords right away to prevent cybercriminals from using stolen credentials. Using multi-factor authentication (MFA) adds an extra layer of security, making it much harder for attackers to gain access, even if they steal your passwords.
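The triage that the passages on corporate credentials in stealer logs and on rotating passwords and enforcing MFA imply, as an added example that is not from the article or any vendor it names: the script parses a constructed stealer-log sample in an assumed URL/USER/PASS layout and ranks the entries an organisation must act on (its own identities, key business applications, financial services, and reused passwords). The domain and application lists are hypothetical placeholders a defender would replace with their own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in a URL/USER/PASS layout; the layout is an assumption for
# this example, not a format taken from the article.
SAMPLE_LOG = """\
URL: https://login.salesforce.com/
USER: j.doe@example-corp.com
PASS: Summer2024!

URL: https://signin.aws.amazon.com/console
USER: ops-admin
PASS: hunter2

URL: https://www.example-bank.com/online/
USER: jdoe
PASS: Summer2024!

URL: https://accounts.example-music.com/login
USER: jdoe@gmail.com
PASS: musicfan
"""
# Hypothetical lists a defender maintains: its own e-mail domains and the
# business applications whose credentials are the "keys to the kingdom".
CORPORATE_DOMAINS = {"example-corp.com"}
BUSINESS_APPS = ("salesforce.com", "hubspot.com", "aws.amazon.com", "docusign.com")
FINANCIAL_HINTS = ("bank", "retirement", "paypal")

def parse_entries(text):
    """Split the log into (url, user, password) triples, skipping malformed blocks."""
    triples = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, re.M))
        if {"URL", "USER", "PASS"} <= set(f):
            triples.append((f["URL"], f["USER"], f["PASS"]))
    return triples

def triage(text):
    """Return only the entries that matter to the organisation, most urgent first."""
    entries = parse_entries(text)
    reuse = defaultdict(set)            # password -> every host it unlocks
    for url, _, pw in entries:
        reuse[pw].add(urlparse(url).hostname)
    findings = []
    for url, user, pw in entries:
        host = urlparse(url).hostname or ""
        reasons = []
        if user.rsplit("@", 1)[-1] in CORPORATE_DOMAINS:
            reasons.append("corporate identity")
        if any(host == a or host.endswith("." + a) for a in BUSINESS_APPS):
            reasons.append("business application")
        if any(h in host for h in FINANCIAL_HINTS):
            reasons.append("financial service (priced highest in stealer-log markets)")
        if len(reuse[pw]) > 1:           # one stolen password opens several doors
            reasons.append("password reused on " + ", ".join(sorted(reuse[pw] - {host})))
        if reasons:
            findings.append({"host": host, "user": user, "reasons": reasons,
                             "action": "rotate password, revoke sessions, enforce MFA"})
    return sorted(findings, key=lambda f: -len(f["reasons"]))
```

Entries that match nothing (the personal streaming login above) are dropped, while the same password seen on a corporate SaaS account and a bank portal is flagged on both.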

To protect your business, it’s essential to implement strong security configurations for your cloud storage systems, ensuring they are securely set up to prevent open access vulnerabilities. Additionally, applying the principle of least privilege—restricting user access to only the data and systems they need—can reduce the risk of unauthorized access to critical areas.

Setting up a secure configuration of your network infrastructure devices, such as routers, switches, and firewalls, is another important step. This includes setting strong password policies, access controls, and network segmentation to ensure your systems are secure from potential threats.

Regular security audits and continuous monitoring are also vital. These practices help you quickly detect and respond to potential threats before they cause serious damage. Advanced security tools that automatically detect and remediate high-risk issues, such as open storage access or data exfiltration, can keep you ahead of cybercriminals.

Employee training and awareness are key components of your security strategy. Since employees are often the first line of defense, it’s important to train them to recognize phishing attempts and the other social engineering tactics used to deploy stealers.

Lastly, having a robust incident response plan is essential. This plan should outline the steps to take if an attack occurs, helping you contain and mitigate damage quickly and effectively. Being prepared can make all the difference in minimizing the impact of a breach.



Conclusion



It’s evident that stealers and cloud logs have converged and fueled a growing underground market for selling stolen data. However, because the criminals buying this data have different specialties, there are many other ways they can profit, including selling custom stealers, using the data to commit identity theft and fraud, launching ransomware attacks, or even engaging in corporate espionage.

Infostealers are especially dangerous because they’re widely available, relatively affordable and easy to use. Unlike other cyber threats, you don’t need a lot of technical skill or knowledge to deploy them, making them accessible to almost anyone. This accessibility significantly increases the risk they pose, as it also enables a new type of cybercriminal who won’t directly compromise victims but will instead act as a key middleman, using their data mining skills to provide valuable raw data for others to refine and profit from.

A 2019 report showed that 80% of hacking-related breaches were due to compromised, weak, or reused passwords. With the market for stolen data booming since 2023, cybercriminals are finding new ways to profit from the various types of data they steal or buy. We also expect that cybercriminals will start creating tools that use machine learning (AI) to speed up how they extract and analyze data. This means organizations could face even more intrusion and compromise attempts, bigger financial losses, incredible reputational damage, and unprecedented operational disruption.

We hope this sheds light on how cybercriminals are evolving and finding new ways to profit from stolen data. Business managers should take proactive steps to protect their organizations, such as implementing strong security configurations, using multi-factor authentication, regularly monitoring their systems, and training employees on security best practices.