For example, in September, Uber revealed that an attacker compromised an Uber EXT contractor’s account and gained access to the network. On September 19, 2022, Uber released an update stating that the account, and likely others, were captured when stealer malware infected the contractor’s device and extracted credentials.
Stealer logs are one of several account and credential data types we frequently observe in the underground. In this article, we are going to make sense of them.
Stealer logs, credential data produced by stealer malware, are a common form of compromised data found in the cyber underground. Marketplaces and forum threads are dedicated to selling and distributing these logs so that threat actors can quickly gain initial access to an organization’s network.
One can find evidence of these anywhere, including Telegram, forums, file-sharing sites, and marketplaces (Figure 1).
Figure 1. Forum stealer logs (left), Market stealer logs (right)
There are a variety of stealers, malicious programs designed to collect login credentials from a victim’s browser once the machine is infected, both for sale and freely available in the underground. Raccoon Stealer, Redline Stealer, and Azorult are some of the most common stealers. Many threat actors add their own flavor to the stealers with different features. For example, the following version of the Rootfinder Stealer is a variant of the Redline and Typhoon Stealers shared by a threat actor on an underground forum (Figure 2).
Figure 2. Rootfinder stealer and its features
The stealer logs often come as a zip file with folders and txt files containing passwords, cookies, target machine information, and sometimes payment information. Here is an example of one I purchased last year and presented at my threat-hunting workshops (Figure 3).
Figure 3. Redline Stealer log containing username and password to a safemail account
Leaked credentials make their way to the underground in many forms. In their simplest form, leaked credentials are a combination of usernames and passwords distributed by threat actors for others to use in an attack. Threat actors collect these in many ways. The most common method used to reveal credentials is through credential stuffing attacks. Attackers also use tools like OpenBullet, which can provide higher confidence that the credentials are valid, and “combos” derived from third-party breaches and phishing attacks. Additionally, credentials are often dumped in large quantities, while compromised accounts are commonly sold individually.
Cybersixgill often observes and collects leaked credentials through text or CSV files uploaded to file-hosting sites like Anonfiles, plain text lists shared in forum posts, large dumps on Pastebin, and through Telegram chat messages. Some of these dumps of credentials are simply formatted in username:password (for example, firstname.lastname@example.org:myDictionaryPassword) (Figure 4).
Figure 4. Combo list shared in Telegram group.
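Defenders who obtain such a dump usually want to know how many of the entries belong to their own domains, without copying plaintext passwords into tickets or reports. The script below is an added example, not Cybersixgill's code: it parses the username:password format described above (splitting at the first colon so passwords containing colons survive), deduplicates repeated credentials, and counts exposure per domain. The sample lines and the corporate domain list are constructed placeholders.

```python
"""Triage a leaked username:password combo list for accounts on your own domains.
Added example; sample data is constructed and the domain list is a placeholder."""
import hashlib
import re
from collections import Counter

# Constructed sample in the username:password shape shown in Figure 4. The last
# two lines are deliberately malformed (no separator / empty password), since
# real dumps routinely contain such lines and a parser must skip them cleanly.
SAMPLE_COMBO = """\
firstname.lastname@example.org:myDictionaryPassword
jane.doe@corp-example.com:Winter2022!
jane.doe@corp-example.com:Winter2022!
it-admin@corp-example.com:pa:ss:word
random@gmail.com:hunter2
notacredential
bob@corp-example.com:
"""

CORPORATE_DOMAINS = {"corp-example.com"}  # placeholder: your own domains go here

# local-part@domain, then the FIRST colon, then everything else as the password
LINE_RE = re.compile(r"^([^:\s@]+@([^:\s@]+)):(.+)$")


def parse_combo(text):
    """Return (username, domain, password) tuples for well-formed lines only."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return records


def triage(text, corporate_domains):
    """Count exposed accounts per domain and list hits on corporate domains.
    Only a truncated SHA-256 of each password is kept: it is a dedup key for
    the report, not protection for a weak password, which stays out of the
    output entirely so the report itself is safe to file."""
    seen, by_domain, corporate_hits = set(), Counter(), []
    for user, domain, password in parse_combo(text):
        fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
        if (user, fingerprint) in seen:
            continue  # same credential repeated across dumps
        seen.add((user, fingerprint))
        by_domain[domain] += 1
        if domain in corporate_domains:
            corporate_hits.append({"user": user, "pw_fingerprint": fingerprint})
    return {"by_domain": dict(by_domain), "corporate_hits": corporate_hits}
```

Each corporate hit is a user to force-rotate and monitor for logins from unfamiliar devices; the per-domain counts help prioritize which dumps deserve a closer look.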
In many cases, leaked credentials dumped underground have not been validated by the publishing threat actor. Therefore, others looking to use them in attacks must go through trial and error when taking over these accounts. However, they can automate login attempts with credential-stuffing tools known on the underground as checkers. At a minimum, they still have email addresses they can target with phishing attacks.
Unlike leaked credentials, accounts in underground slang denote verified access to bank accounts, systems and networks, emails, and more. These are often listed for sale as the seller has confirmed access to the account and has conducted some checks into the types of privileges the account might have in a network or that the account has available funds or rewards for cashout or fraudulent transactions. The type of account for sale typically impacts the cost to the potential buyer. For example, a consumer’s Netflix account would be cheaper than a domain admin account to an internal network.
The following example shows a threat actor on a hacking forum selling shell access to Iraq’s government network (Figure 5).
Figure 5. Shell access of domain admin account to Iraq’s government network
The following image also shows a forum post by a threat actor sharing a verified bank account, including email, password, name, address, card number, PIN, and more (Figure 6).
Figure 6. Verified bank account shared to an underground forum
With so many different types of data dumps making their way to the underground, we hope you can now quickly distinguish between logs, credentials, and accounts, and understand how each impacts your security. Whatever the case, Cybersixgill continuously collects all types of leaked data to provide the earliest indication of risk to your organization.
Cybersixgill can help you assess, measure, prioritize, and address emerging threats.