The Secureworks Counter Threat Unit (CTU) has revealed a significant surge in stolen logs on online marketplace Russian Market, experiencing a 670% increase.
Described in a report called “The Growing Threat From Infostealers,” the new findings shed light on the thriving infostealer market, which plays a pivotal role in facilitating cybercrime activities such as ransomware attacks.
“Infostealers are a natural choice for cybercriminals [...] looking to rapidly gain access to businesses and then monetize that access,” commented Don Smith, VP of Secureworks CTU. “They are readily available for purchase, and within as little as 60 seconds generate an immediate result in the form of stolen credentials and other sensitive information.”
As infostealer malware remains readily available and cybercriminals employ increasingly sophisticated methods to deceive users, Secureworks explained, detecting and removing these threats becomes even more daunting for victims.
“What has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them, such as fake messaging apps and cloned websites,” Smith added.
“That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, makes it even harder for victims to detect and remove infostealer.”
The Secureworks’ report also shows that in less than nine months, the logs for sale on Russian Market surged by 150%, reaching more than five million in late February 2023 from two million in June 2022. This represents a growth rate of 670% within approximately two years.
“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low-skilled threat actors to get involved,” Smith added.
Law enforcement actions against Genesis Market and Raid Forums have prompted a shift in log trading to dedicated Telegram channels, Secureworks observed. At the same time, Genesis Market’s Tor site remains operational despite arrests and domain takedowns.
Moreover, there is a growing market for after-action tools that aid in log parsing, catering to the increasing demand as the availability of infostealers and logs expands.
“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defense against the threat of infostealers,” Smith concluded.