One of the latest hot topics on the Darknet comes in the form of stolen cloud credentials. The digital black market for usernames and passwords is growing. Let’s dive into why these credentials are so big on the Darknet, how they end up there, and, most importantly, how we can protect ourselves from falling victim to this shady business.
The Cloud Credential Business
Darknet Markets serve as hubs for cybercriminals. Here, they can sell many fraudulent items, including stolen cloud credentials and similar sensitive information. According to IBM Security X-Force, stolen cloud credentials cost the same price as a dozen doughnuts, which is estimated to be less than $10.
IBM’s X-Force annual 2023 Cloud Threat Landscape Report, which covers the period from June 2022 to June 2023, indicated that more than 35% of cloud security-related incidents in the past year involved the use of valid but compromised user credentials.
In 2020, the pandemic resulted in thousands of companies migrating to cloud infrastructure in order to accommodate work-from-home shifts. However, companies failed to put matching cloud-based security controls in place.
Most organizations use more than one cloud, which makes a user’s credentials even more valuable to the cybercriminals who obtain them. According to IBM’s X-Force Threat Intelligence team, stolen cloud credentials make up around 90% of the assets for sale on dark web marketplaces. Here are a few recent examples.
- In August 2021, T-Mobile suffered a data breach that resulted in tens of millions of its former, current, and prospective customers’ information being sold on the dark web.
T-Mobile’s data breach was the fifth incident the company had experienced since 2018. Hackers gained access to customers’ names, Social Security numbers, and driver’s license details. Some really valuable stuff to particular groups of people.
- On September 7, 2023, Caesars Entertainment, which owns more than 50 resorts and casinos in the U.S., confirmed that its customer database had been breached by cybercriminals. The casino giant’s IT support vendor was targeted, and through it the cybercriminals gained access to the loyalty program database.
Caesars Entertainment paid a ransom to the cybercriminals to avoid having its customer database leaked across the internet. The casino’s loyalty program database, which contained customers’ driver’s license and Social Security numbers, was breached in the attack.
Caesars later filed an 8-K form with the SEC, which stated that,
“We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor”.
- In the most recent incident, Dymocks confirmed that the contact details of 1.24 million of its customers were shared over the dark web following a data breach. In an email sent to its customers on Friday, September 15, Dymocks confirmed that its customer database had been breached and shared over the dark web.
Cybercriminals accessed the names, date of birth, email addresses, postal addresses, gender, and membership status of Dymocks customers. Dymocks CEO Mark Newman confirmed that no personal information, such as driver’s license, or highly sensitive information, was accessed through the breach.
How do Dark Web Leaks Take Place?
Cybercriminals use several tactics to obtain users’ cloud credentials. Stolen credentials are often acquired through malware, spear phishing, social engineering, or brute-force attacks, and are then used to access cloud resources and harvest further user information.
One of the most common sources of stolen credentials is data breaches. A data breach occurs when an unauthorized individual accesses a company’s protected cloud network and exports personal information or other sensitive data.
Who Buys Stolen Credentials and Why?
There are over 15 billion stolen credentials circulating on the dark web. In the past three years, demand for stolen credentials has skyrocketed. This is due to the key role that credentials play for cybercriminals: they’re one of the largest money-making fields on the markets reached through the Tor Browser.
Stolen credentials can provide criminals with access to sensitive information, such as social security numbers, driver’s license numbers, financial data, and confidential business secrets. This stolen information is typically used by criminals for identity theft, fraud, or to hold a company ransom.
Unlike most types of stolen data, compromised credentials hold long-term value on the darknet marketplace. Companies and individuals often reuse the same password across multiple platforms and accounts, which means that attackers who obtain one password gain access to several of the company’s accounts.
Cryptocurrency mining is a profit-driven and exhaustive activity that requires large amounts of computing power, which Google Cloud account owners can rent at a premium. As such, Google has warned its users that crypto miners are using compromised Google Cloud accounts for mining.
The search engine’s cybersecurity team compiled the “Threat Horizon” report, which aims to provide intelligence for organizations to secure their cloud infrastructure. In the report, Google concluded that 86% of 50 compromised Google Cloud accounts had been used for crypto mining.
Google’s cybersecurity team found that in the majority of cases, crypto miners were able to download crypto mining software within 22 seconds of the cloud account being compromised. Around 10% of the remaining compromised clouds were used to conduct scams.
Google’s cybersecurity team concluded that cybercriminals were able to access Google Cloud accounts by taking advantage of poor customer security practices. Poor customer security practices included the use of weak passwords or no passwords at all, which meant Google Cloud accounts could easily be brute-forced.
IBM’s X-Force Head of Research, John Dwyer, reiterated Google’s cybersecurity findings and further highlighted the recent trend of cryptominers using compromised credentials for illicit mining on cloud resources. Dwyer claimed that cryptominers are able to repeatedly gain access to cloud accounts and use more resources than needed.
“We’ve seen over the last three years additional investment into endpoint security. Our clients got better at detecting back doors, which are directly related to extortion-based attacks. So what has been interesting to see is the criminal ecosystem move to credentials as an access vector to continue these criminal operations.
While other companies were quick to adopt cloud infrastructure, we haven’t seen the same sort of adoption with a cloud-specific security posture. Criminals are very observant as to where they are able to gain access, and that is often through cloud because of rapid expansion and complexity.”
IBM’s X-Force Head of Research, John Dwyer
However, it would be silly to assume that credentials are only sold on the dark web for crypto mining. Compromised credentials are merely the key that unlocks the door to a company’s or an individual’s home, and what follows can be identity theft, social media spam, and financial loss.
The majority of compromised cloud credentials are sold on various dark web marketplaces, where cryptocurrencies such as Bitcoin and Monero are used to trade. Genesis Market was the leading dark web marketplace for stolen credentials, cookies, and digital fingerprints. It was taken down, and ten more followed!
Ways to prevent cloud credentials from being compromised and sold on the darknet
Whether the cause is poor passwords or human error, companies always need some form of cloud infrastructure security. One of the most effective ways to prevent credential theft is to use strong authentication methods.
A password and username alone just don’t cut it anymore; companies need to use multi-factor authentication (MFA) or single sign-on (SSO). These methods make it harder for hackers to infiltrate or bypass the login process, adding an extra layer of security.
By monitoring and auditing your cloud security on a regular basis, you’ll be able to detect breaches. In addition, encrypting data in the cloud ensures that the information is unreadable to anyone who lacks the credentials or key to unlock it. We wrote an article on Darknet Monitoring if you need help.
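The monitoring advice above is concrete enough to show in code. The script below is an added example, not code from the original article or from any cloud provider: it runs three simple checks over sign-in audit events of the kind that cloud platforms record, and flags a burst of failed logins from one source address (the brute-force pattern Google described), a successful sign-in without MFA, and a successful sign-in from an address the user has never used before. The JSON-lines log shape (fields `ts`, `user`, `ip`, `event`, `mfa`) and the sample events are constructed for the example; real providers use their own audit schemas, so the parser would need adapting.

```python
"""Detection pass over constructed cloud sign-in audit events.

Added example, not part of the original article. The log format is an
assumed generic JSON-lines shape; adapt parse_events() to your provider.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
{"ts": "2023-09-15T10:00:00Z", "user": "alice", "ip": "203.0.113.5", "event": "login_failure", "mfa": false}
{"ts": "2023-09-15T10:00:02Z", "user": "alice", "ip": "203.0.113.5", "event": "login_failure", "mfa": false}
{"ts": "2023-09-15T10:00:04Z", "user": "bob",   "ip": "203.0.113.5", "event": "login_failure", "mfa": false}
{"ts": "2023-09-15T10:00:06Z", "user": "carol", "ip": "203.0.113.5", "event": "login_failure", "mfa": false}
{"ts": "2023-09-15T10:00:08Z", "user": "dave",  "ip": "203.0.113.5", "event": "login_failure", "mfa": false}
{"ts": "2023-09-15T10:00:10Z", "user": "dave",  "ip": "203.0.113.5", "event": "login_success", "mfa": false}
{"ts": "2023-09-15T10:05:00Z", "user": "alice", "ip": "198.51.100.7", "event": "login_success", "mfa": true}
{"ts": "2023-09-15T11:00:00Z", "user": "alice", "ip": "198.51.100.7", "event": "login_success", "mfa": true}
"""

FAILURE_THRESHOLD = 5                    # this many failures from one IP ...
FAILURE_WINDOW = timedelta(seconds=60)   # ... within this window is a burst


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def analyse(text, known_ips=None):
    """Return a list of (rule, detail) findings for the given log text.

    known_ips is an optional baseline {user: [ip, ...]} of addresses each
    user has signed in from before; a success from any other address is
    reported as `new_ip`.
    """
    baseline = {u: set(ips) for u, ips in (known_ips or {}).items()}
    findings = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged_ips = set()                    # IPs already reported for a burst

    for e in parse_events(text):
        ip, user, ts = e["ip"], e["user"], e["ts"]
        if e["event"] == "login_failure":
            q = recent_failures[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > FAILURE_WINDOW:
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                findings.append(("failure_burst",
                                 f"{ip}: {len(q)} failures within {FAILURE_WINDOW}"))
        elif e["event"] == "login_success":
            if not e["mfa"]:
                findings.append(("no_mfa", f"{user} from {ip}"))
            if ip in flagged_ips:
                # A success from an address that was just hammering logins
                # is the strongest signal here: a password probably worked.
                findings.append(("success_after_burst", f"{user} from {ip}"))
            if user in baseline and ip not in baseline[user]:
                findings.append(("new_ip", f"{user} from {ip}"))
            baseline.setdefault(user, set()).add(ip)
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOG, {"dave": ["192.0.2.9"]}):
        print(f"{rule:20s} {detail}")
```

Run on the sample, the burst from 203.0.113.5 is reported once (at the fifth failure), and dave’s following success from the same address is flagged three times over: no MFA, success after a burst, and, when a baseline is supplied, a never-before-seen address. Alice’s MFA-protected logins from her usual address produce nothing. In production the thresholds belong in configuration, and the `no_mfa` rule is best enforced by policy at the identity provider rather than detected after the fact.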