The Rise of Infostealers: How Cybercriminals are Exploiting ‘Modern Subscription Services’ to Target Businesses
The cybercrime landscape is constantly evolving, and a new breed of threat actors is emerging, leveraging the rise of modern subscription services to target businesses. Infostealers, malware that harvests saved browser credentials, session cookies, autofill data and other sensitive information from computers and mobile devices, are becoming a growing problem for businesses and individuals alike. This article delves into the rise of infostealers, their increasing sophistication, and the methods cybercriminals use to turn the stolen data into intrusions and profit.
A Shift from Targeted Attacks
Traditionally, cyberattacks often focused on specific targets, using highly tailored tactics to gain access to valuable information. However, the evolution of infostealers signals a shift towards a more opportunistic approach. As Threat Intelligence Analyst Ben Gray states, "Organizations have become very good with their security, and people have also gotten more savvy, so they’re not the best targets now, for traditional tailored attacks. So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming."
The analogy to streaming services is a telling one. Just as consumers subscribe to streaming platforms to access an array of content, cybercriminals now subscribe to infostealer services that supply the malware, its control panel and ongoing updates for a recurring fee. The resulting "logs" of stolen credentials are then sold or traded onward, so that even buyers who never infect a machine themselves receive a constant stream of stolen data.
The Impact of Remote Work
The global shift towards remote work and hybrid work models has inadvertently amplified the effectiveness of infostealers. As employees access work services from personal devices and vice versa, the lines between personal and professional data become blurred. This creates opportunities for infostealers to compromise individuals on their home computers and, from there, reach sensitive corporate information, because the same browser holds saved passwords and active sessions for both personal and work systems.
Mandiant’s John Carmakal notes, "I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people’s Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.” This shift shows how infostealers sidestep enterprise security controls: the infection lands on an unmanaged personal device, outside the reach of corporate endpoint protection, and the corporate credentials stored there provide a way in.
The Growing Market for Stolen Data
The ease and efficiency of infostealer services have created a booming market for stolen data. Cybercrime marketplaces, along with Telegram channels and bots, have become hubs for the exchange of stolen credentials.
Victoria Kivilevich, Director of Threat Research at KELA, reveals that criminals can use these platforms to search for the domains of potential targets and identify available credentials. "The sale of infostealer data can be considered as the 'supply chain' for various types of cyberattacks," she says, including ransomware, business email compromise, and initial access brokers who resell the access within the criminal ecosystem.
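Defenders can run the same domain search that Kivilevich describes over stealer logs they obtain from a threat-intelligence feed or recover during an incident. The script below is an added example, not code from the article or from KELA: it parses a constructed password dump in the plain-text URL/USER/PASS stanza layout that many stealer families emit (the exact format varies by family and is an assumption here), picks out entries for monitored corporate domains, and then flags personal accounts in the same log that reuse a corporate password, which is the blurred personal/work boundary the previous section describes. The domains, usernames and passwords are invented.

```python
"""Triage a stealer-log password dump for monitored corporate domains.

Constructed example: the dump layout (URL/USER/PASS stanzas separated by a
blank line) mimics the plain-text password files many stealer families
drop, but it is not the exact format of any specific family.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log: invented hosts, users and passwords.
SAMPLE_LOG = """\
URL: https://mail.google.com/
USER: jane.doe.home@gmail.com
PASS: Summer2024!

URL: https://acme-corp.snowflakecomputing.com/console/login
USER: JDOE
PASS: Summer2024!

URL: https://vpn.acme-corp.example/
USER: jdoe@acme-corp.example
PASS: Summer2024!

URL: https://www.netflix.com/login
USER: jane.doe.home@gmail.com
PASS: popcorn99
"""

# Hypothetical organisation: its own domain plus its SaaS tenant hostname.
MONITORED_DOMAINS = {"acme-corp.example", "acme-corp.snowflakecomputing.com"}


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        # Normalise to the bare hostname so matching ignores paths and ports.
        return (urlsplit(self.url).hostname or "").lower()


def parse_stealer_log(text: str) -> list[Credential]:
    """Split the dump into stanzas and keep those with all three fields."""
    creds: list[Credential] = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        for line in stanza.splitlines():
            # partition on the first ':' only, since URLs contain colons too
            key, _, value = line.partition(":")
            fields[key.strip().upper()] = value.strip()
        if {"URL", "USER", "PASS"} <= fields.keys():
            creds.append(Credential(fields["URL"], fields["USER"], fields["PASS"]))
    return creds


def is_monitored(host: str, domains: set[str]) -> bool:
    """True if host equals a monitored domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text: str, domains: set[str]) -> dict:
    """Return corporate hits and personal entries that reuse a corporate password."""
    creds = parse_stealer_log(text)
    corporate = [c for c in creds if is_monitored(c.host, domains)]
    corp_passwords = {c.password for c in corporate}
    reused_personal = [
        c for c in creds if c not in corporate and c.password in corp_passwords
    ]
    return {"total": len(creds), "corporate": corporate, "reused_personal": reused_personal}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, MONITORED_DOMAINS)
    print(f"{result['total']} credentials in log")
    for c in result["corporate"]:
        print(f"CORPORATE  {c.host:45} {c.user}")
    for c in result["reused_personal"]:
        print(f"REUSED PW  {c.host:45} {c.user}")
```

Every corporate hit should be treated as a credential that is already in criminal hands: reset it, revoke its sessions, and check the account's sign-in history for the period since the log's timestamp. The reused-password list matters because the personal account (here a Gmail login) is often what the attacker phishes or takes over first, exactly as Carmakal's observation above describes.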
The Snowflake Example
Kivilevich’s research reveals the scale of the problem: over 7,000 compromised credentials linked to Snowflake accounts have been shared across cybercrime marketplaces. The example shows that the payoff of a stealer log is often not the infected endpoint itself but the enterprise SaaS tenants its saved credentials unlock. One criminal boasted access to 41 companies in the education sector, while another claimed to be selling access to US companies with revenue between $50 million and $8 billion.
KELA’s Chief Research Officer, Irina Nesterovsky, states, "This is a real threat." She adds, "Millions of credentials have been collected by infostealing malware in recent years." This underscores the growing urgency for companies and individuals to take proactive measures against the threat posed by infostealers.
Steps for Protection
While the threat landscape seems daunting, there are steps that organizations and individuals can take to mitigate the risks associated with infostealers. John Carmakal emphasizes the need for strong security practices, such as:
- Utilizing antivirus or EDR products to detect malicious activity, including a stealer's characteristic access to browser credential stores.
- Enforcing multifactor authentication across all user accounts, so that a harvested password alone is not enough to log in.
- Discouraging browser password synchronization between personal and corporate devices, since a stealer on the home machine otherwise collects the corporate credentials as well.
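The first of those steps, detection, is worth making concrete. A common stealer behaviour is that a process which is not a browser opens the browser's credential or cookie store (for example Chrome's "Login Data" file or Firefox's "key4.db"). The script below is an added example, not code from the article or from any EDR vendor: it runs that rule over a constructed JSON-lines feed of file-access events whose field names (ts, host, image, target) are an assumption for illustration, not the schema of a real product, and scores each offending process by how many distinct stores it touched.

```python
"""Flag non-browser processes that read browser credential stores.

Constructed example: the event feed is a simplified JSON-lines layout
(timestamp, host, process image, file opened), not any vendor's schema.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# File names of credential/cookie stores as used by Chrome/Edge and Firefox.
CREDENTIAL_STORE_NAMES = {"login data", "cookies", "logins.json", "key4.db"}

# Processes that legitimately read their own stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed sample events: invented host, user and file names.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-06-01T09:12:01Z", "host": "LAPTOP-01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-01T09:14:37Z", "host": "LAPTOP-01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.pdf.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-01T09:14:38Z", "host": "LAPTOP-01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.pdf.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"ts": "2024-06-01T09:14:39Z", "host": "LAPTOP-01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.pdf.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default\key4.db"},
    {"ts": "2024-06-01T09:20:00Z", "host": "LAPTOP-01",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\jdoe\Documents\notes.txt"},
])


def is_credential_store_access(image: str, target: str) -> bool:
    """The rule: a non-browser process opens a known credential store file."""
    image_name = PureWindowsPath(image).name.lower()
    target_name = PureWindowsPath(target).name.lower()
    return target_name in CREDENTIAL_STORE_NAMES and image_name not in BROWSER_IMAGES


def detect(events_jsonl: str) -> list[dict]:
    """Return one alert per (host, image), listing the stores it touched."""
    touched: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"first_seen": None, "stores": set()}
    )
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_credential_store_access(ev["image"], ev["target"]):
            continue
        key = (ev["host"], ev["image"])
        entry = touched[key]
        entry["first_seen"] = entry["first_seen"] or ev["ts"]
        entry["stores"].add(PureWindowsPath(ev["target"]).name.lower())

    alerts = []
    for (host, image), entry in touched.items():
        stores = sorted(entry["stores"])
        alerts.append({
            "host": host,
            "image": image,
            "first_seen": entry["first_seen"],
            "stores": stores,
            # More distinct stores read by one process means more stealer-like.
            "severity": "high" if len(stores) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['image']} "
              f"read {', '.join(alert['stores'])} from {alert['first_seen']}")
```

In a real deployment the allowlist of browser images should be tightened with signer or path checks, since a stealer can name itself chrome.exe, and the rule is best paired with the remediation steps above: once a stealer has read "Login Data", every credential saved in that browser, corporate or personal, should be assumed stolen and rotated, and MFA is what keeps the leaked passwords from being usable on their own.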
The Future: A Looming Threat
The success of infostealer operations, particularly those targeting services like Snowflake, has set a dangerous precedent. Carmakal warns that cybercriminals are likely to expand their efforts to other enterprise SaaS platforms whose logins appear in stealer logs, using them to gain entry into a wider range of businesses.
"Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies," he explains.
He further asserts that "There’s no ambiguity about this. There will be more breaches in the coming months," underscoring the urgent need for companies to prioritize proactive security measures to combat the evolving threat of infostealer malware.
Conclusion
The rise of infostealers marks a significant shift in the cybercrime landscape, emphasizing the need for enhanced security practices. The low cost and easy availability of these services have enabled a more widespread and opportunistic approach to data theft. As businesses and individuals continue to rely on online platforms and services, staying vigilant against infostealer threats is paramount. By enforcing multifactor authentication, detecting credential theft on endpoints, and keeping personal and corporate credentials apart, organizations can reduce their exposure and better protect their sensitive data.