These platforms have taken design and marketing cues from legitimate information and e-commerce services. Many marketplaces and forums charge a subscription fee for access to the platform, with different pricing structures depending on the value of the data. Currently, Russian Market, one such marketplace, holds a huge volume of data harvested by infostealers and charges a low flat fee, usually less than $10, for each subset of data a buyer wants to download, Gray said.
“Organizations have become so security conscious and people so savvy that they are no longer the best targets for traditional tailored attacks,” Gray said. “As a result, attackers need something less targeted and more based on what’s available. Infostealers are modular and often sold on a subscription basis, an evolution that perhaps coincides with the rise of modern subscription services such as video streaming.”
Infostealers have become particularly effective with the rise of remote and hybrid work, as companies allow employees to reach work services from personal devices and personal accounts from work devices. An infostealer that opportunistically lands on, say, a home computer can therefore walk away with corporate access credentials simply because the victim was also logged into work systems from that machine. Employees who keep personal email and social media accounts open, even on corporate devices, also give infostealer malware a delivery channel that sits outside corporate mail filtering, making it easier to slip past corporate protections.
“I started paying attention to this as it became an enterprise issue,” Mandiant’s Carmakal said, “especially around 2020, because we started seeing more enterprise intrusions that started with a home computer being compromised. This is phishing people’s Yahoo accounts, Gmail accounts, Hotmail accounts that have nothing to do with enterprise targeting, but it seems very opportunistic to me.”
Victoria Kibilevich, director of threat research at security firm KELA, said criminals sometimes search cybercrime marketplaces for a prospective target’s domains to see whether credentials for it are already on sale. Kibilevich said the sale of infostealer data can be seen as a “supply chain” for different types of cyber attacks, feeding ransomware operators looking for details of potential victims, people involved in business email compromise, and even initial access brokers who resell the details to other cybercriminals.
Kibilevich said more than 7,000 compromised credentials linked to Snowflake accounts have been shared on various cybercrime marketplaces and on Telegram. In one example, criminals are touting access to 41 companies in the education sector, while another cybercriminal claims to be selling access to U.S. companies with revenues between $50 million and $8 billion, according to Kibilevich’s analysis.
“I don’t think there’s a single company that’s come to us and hasn’t had an account compromised by infostealer malware,” Kibilevich said of the threat that infostealer logs pose to businesses, with KELA saying infostealer-related activity has spiked in 2023. Irina Nesterovsky, KELA’s chief research officer, said millions of credentials have been harvested by infostealer malware in recent years. “It’s a real threat,” Nesterovsky said.
Carmakal said that businesses and individuals can take multiple measures to protect themselves against infostealer threats and their impact, such as using antivirus and EDR products to detect malicious activity. He said that businesses should strictly enforce multi-factor authentication for users. “We encourage people not to sync passwords on corporate devices with their personal devices,” Carmakal added.
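The defender-side counterpart to the marketplace domain searches described above is to triage a stealer log for your own organization’s exposure: which records are corporate credentials or logins to watched SaaS tenants, and which of those share a password with a personal account on the same victim machine, the password-sync risk Carmakal warns about. The following is an added example, not code from the article or from Mandiant or KELA. The URL/USER/PASS record layout, the sample log, the `example-corp.com` domain and the SaaS watchlist are all constructed for illustration; real stealer logs vary by malware family, so the parser is the piece you would adapt.

```python
"""Triage a stealer-log credential dump for corporate exposure (added example).

Assumes a simplified 'passwords.txt' layout of URL / USER / PASS records; this
layout and all sample data below are constructed, not taken from a real log.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed: the defender's own email/web domains and the SaaS vendors it relies on.
CORPORATE_DOMAINS = {"example-corp.com"}
SAAS_HOSTS = {"snowflakecomputing.com", "okta.com"}

# Constructed sample: one victim machine with personal and corporate logins mixed.
SAMPLE_LOG = """\
URL: https://mail.yahoo.com/
USER: jane.personal@yahoo.com
PASS: Summer2023!

URL: https://acme-corp.snowflakecomputing.com/console/login
USER: jane.doe@example-corp.com
PASS: Wh1te-Flake-9

URL: https://www.netflix.com/login
USER: jane.personal@yahoo.com
PASS: movies4ever

URL: https://example-corp.okta.com/
USER: jane.doe
PASS: Summer2023!
"""

RECORD_RE = re.compile(
    r"URL:\s*(?P<url>\S+)\s+USER:\s*(?P<user>\S+)\s+PASS:[ \t]*(?P<pw>[^\n]*)"
)


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_stealer_log(text: str) -> list[Credential]:
    """Extract URL/USER/PASS triplets; unparseable fragments are simply skipped."""
    return [
        Credential(m["url"], m["user"], m["pw"].strip())
        for m in RECORD_RE.finditer(text)
    ]


def host_matches(host: str, domains: set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one (tenant.vendor.com)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_corporate(cred: Credential) -> bool:
    """A record is corporate if the account or the site belongs to the organization,
    or the site is a watched SaaS tenant (e.g. <org>.snowflakecomputing.com)."""
    user_domain = cred.user.rsplit("@", 1)[-1].lower() if "@" in cred.user else ""
    return (
        user_domain in CORPORATE_DOMAINS
        or host_matches(cred.host, CORPORATE_DOMAINS)
        or host_matches(cred.host, SAAS_HOSTS)
    )


def triage(text: str) -> dict:
    """Return the corporate records and those whose password also appears on a
    personal account in the same log (the password-sync / reuse exposure)."""
    creds = parse_stealer_log(text)
    corporate = [c for c in creds if is_corporate(c)]
    personal_passwords = {c.password for c in creds if not is_corporate(c)}
    reused = [c for c in corporate if c.password in personal_passwords]
    return {"total": len(creds), "corporate": corporate, "reused": reused}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} records, {len(result['corporate'])} corporate:")
    for c in result["corporate"]:
        flag = "  REUSED-WITH-PERSONAL" if c in result["reused"] else ""
        print(f"  {c.host:40} {c.user}{flag}")
```

Every corporate record in the output is a credential to rotate and a session to revoke regardless of MFA status; the `REUSED-WITH-PERSONAL` rows are the ones where the personal account must be treated as compromised too, since the same password was synced or reused across both.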
Because infostealers are so effective, it’s almost inevitable that cybercriminals will try to replicate the success of the Snowflake-style intrusions and get creative about which other enterprise software services they can use as entry points into different customer companies. Carmakal warned that he expects to see more breaches in the coming months as a result. “There’s no ambiguity about this,” he said. “Threat actors will start looking for infostealer logs, they’ll look for other SaaS providers that are similar to Snowflake, they’ll log in and steal data and extort money from those companies.”