Attackers are using the cloud, too. Here’s what you need to know.
There’s a lot of buzz around the cloud, and the attention is deserved. Leveraging the cloud can optimize resources, save time, increase automation, and take some of the security responsibility out of your hands.
Did you know criminals have caught on, too?
Cloud-based storage of stolen credentials and user information is rented out on a subscription or one-off basis. In a sample dataset of 1,000 logs, we identified a total of 67,712 URLs for compromised accounts. Access to these so-called “Clouds of Logs” can be purchased for a monthly fee of between $350 and $1,000 and can include thousands or millions of emails and passwords for popular sites such as Google, Amazon, Twitter, Facebook and PayPal.
See our full research on this new market here: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercriminal-cloud-of-logs-the-emerging-underground-business-of-selling-access-to-stolen-data.
Stolen credentials lead to compromised businesses, and the cloud is making that process more effective than ever.
You may be thinking, “My company is 100% on-prem, so this doesn’t apply to me.” Or, “This is all personal information, not business data that could be used against us.”
Unfortunately, a false sense of security only helps these criminals succeed. This isn’t about criminals attacking business cloud infrastructure; it’s about criminals using cloud technology themselves to improve and scale their operations. And credential reuse is a common problem that any business can suffer from, which makes employees’ personal data important to consider in a business risk assessment.
A new cybercrime market is born
Credential theft has been on the rise within recent years, as attackers collect massive amounts of credential pairs and associated email addresses or domain names. This is one of the most basic and longstanding threats to businesses globally.
While preparing for the latest threat type with the shiniest new tech is appealing, a vast majority of attacks today take advantage of the most basic security weaknesses. Password reuse is one of the most common.
Someone in your organization has reused a personal account password as their corporate domain password. And the credentials for that personal account can end up in these cloud-based logs to be used and reused by other criminals.
In fact, looking at just six of the identified cloud of logs vendors, we saw a total of 5TB of logs, which represents millions of compromised users’ personal data.
So how is the cloud used to optimize this age-old process?
Here is a general outline of the “traditional” flow of cybercrime via credential theft:
1. Criminal group compromises victims via a variety of means and deploys info-stealing malware to harvest their account data. This includes consumer and enterprise accounts, but due to password reuse any compromised personal account can still put the enterprise at risk.
2. Criminal group exfiltrates these accounts to a central location – a server under the group’s control.
3. Given the volume, manual processing is impossible, so they would run some simple searches over the data for the top-selling accounts and data (credit cards, email, Netflix, etc.). For each of these topical searches, the group would manually look over the lists and see which of these accounts might give them greater access to a high-value target. This is time intensive when you consider tens of thousands of logs and a team of maybe half a dozen people who have other roles in the group as well, so the process can take from days to weeks.
4. For the accounts not used, these would be bundled and offered for sale on underground marketplaces. As an analogy these are the “prime cuts” that always sell well and are easy to process – but there is a lot more meat on the bone. The time before they appear for sale would not be more than a few weeks as the data goes “stale” over time.
5. The rest of the data is largely discarded – despite having value to the right buyer, though it’s hard to know who that is. This is like throwing away the rest of the meat not knowing that a particular cut is a delicacy for one region that could have sold for more than the prime cuts combined.
6. Group breaches new victims and the cycle continues.
The new flow begins as before, with some tweaks and additions:
2. Group now briefly exfiltrates the logs to a central server and takes their personal cuts, but then immediately uploads the rest to a “Cloud of Logs.” The profitability of the Cloud of Logs, and predictable monthly fee model (that works so well for streaming services) mean it’s in their best interest for this to be their primary source of income. This reduces the time from initial compromise to it being available for sale from a few weeks to days or hours.
3. Instead of one group picking over the data, there will be as many groups as the Cloud of Logs platform allows (normally they are restricted to a cap). In our analogy: how much meat is left on a carcass after the prime cuts are removed versus after several dozen vultures?
4. In this scenario that rare delicacy of data that is the most impactful of all will not be missed. It will be found by groups looking for that precise sort of target within about 1 day of compromise – rather than the weeks observed before, or possibly discarded altogether.
5. End result: Not only are MORE of the accounts now monetised than in the past, but the time from initial data theft to it being reused against an enterprise has shrunk from a few weeks to days or even hours. Given that most breaches are not discovered immediately, by the time the initial breach has been found, another set of attackers has often already leveraged it to access the network. And that is only if the initial compromise was a corporate account or from a corporate machine; an enterprise has no way to know if an employee’s personal machine is compromised and that info is reused to target their work machine.
The vultures of our analogy are picking apart stolen data to fit exactly their needs, whether that’s getting a foot in the door of a corporate server, as we explained here, or looking for targets for a social engineering scheme, BEC scam, or ransomware attack.
Whatever the end goal, they are using cloud resources to make it faster and more widespread than ever.
A new class of cybercriminal is emerging along with a new market for cybercrime.
With this new business structure, data is king now more than ever before. Criminal businesses will need data mining specialists to reap the greatest possible return on each terabyte of stolen data.
This role in the cybercriminal organization won’t be stealing credentials or monetizing them, but rather this person will sit in the middle of the organization separating the cuts of meat, if you will.
An ideal candidate in this new cloud-driven business model will leverage machine learning to efficiently identify and bundle every data type that will be attractive to different buyers.
Data analysts and machine learning experts are a hot commodity in the business world, as are cloud architects and engineers. It’s not surprising that cybercriminals also value this expertise.
What does this mean for protecting my organization?
Since criminals can execute their attacks in a much more effective way, they can also target a larger number of organizations, potentially leading to an increase in overall attacks. The stolen information will be used in more effective ways, as cybercriminals gain a way of swiftly searching through stolen data to find information they need.
The criminal potential of the stolen data is used to the fullest extent, because the information is distributed among different cybercriminals specializing in different crimes: some are good at stealing bitcoins, others specialize in defrauding online shopping sites, BEC, ransomware, phishing, and so on.
Cloud technologies are commonly designed to scale business to be more agile and cost-effective – generally helping a business reach its full potential. Criminal cloud-based logs do the same.
For the defending organization, the time gap from when information is stolen to when it is used in an attack is much shorter. Organizations now have much less time to detect and respond to an incident of credential theft, and this will only be compounded as the business model matures.
Organizations must strengthen the foundation of their security posture to identify breaches quickly. Educating employees on the basics of cybersecurity is also important. Focus education efforts on why it matters to them and how their diligence can help protect the company.
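One concrete foundation control against the password reuse described above is to screen new or changed corporate passwords against a corpus of already-compromised passwords without ever sending the password, or even its full hash, to the lookup service. The following is an added example, not code from Trend Micro or from this post: it uses the k-anonymity range lookup pattern (send the first five hex characters of the SHA-1 hash, compare the returned suffixes locally). The breached-password corpus and its counts are constructed for the example, and `range_lookup` stands in for a real range endpoint.

```python
import hashlib
import hmac

# Constructed sample corpus of breached passwords with made-up exposure counts,
# laid out the way a k-anonymity range service stores them: keyed by the first
# five hex characters of the uppercase SHA-1 hash, holding (suffix, count) pairs.
_SAMPLE_BREACHED = [("password123", 4215), ("Summer2019!", 37), ("letmein", 9810)]


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the range scheme is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACHED_CORPUS: dict[str, list[tuple[str, int]]] = {}
for _pw, _count in _SAMPLE_BREACHED:
    _h = sha1_hex_upper(_pw)
    BREACHED_CORPUS.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Hypothetical stand-in for the remote range endpoint.

    Only the 5-character prefix leaves the client; the service cannot tell
    which of the returned suffixes (if any) the client was interested in.
    """
    return BREACHED_CORPUS.get(prefix.upper(), [])


def exposure_count(password: str) -> int:
    """Return how many times the password appears in the breached corpus (0 if never)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        # Constant-time comparison so timing does not leak which suffix matched.
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def screen_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Policy check for a password change: reject short or already-breached passwords."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = exposure_count(password)
    if seen:
        return False, f"appears {seen} times in breached-credential data"
    return True, "ok"
```

In a real deployment `range_lookup` would call a breached-password range API over TLS; the rest of the logic stays the same.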
The risks facing organizations haven’t necessarily changed, but the stakes are being raised. As criminals accelerate attacks and expand their capabilities, businesses need a solid security strategy to stay a step ahead.