Story image

Credential theft industry booming in US, declining in Asia & EU

10 Oct 18

Compromised credentials are a constantly occurring headache for businesses and consumers around the world.

However, research from enterprise-class cyberthreat intelligence company Blueliv shows the rate of stolen credentials depends significantly on where you are in the world.

It was a great harvest for cybercriminals targeting North America in the second quarter of 2018, as compromised credentials retrieved from botnets geolocated to the region skyrocketed 141 percent quarter over quarter (March to May 2018 over June to August 2018).

Meanwhile, Europe and Russia actually saw a decrease of 22 percent, while Asia plummeted 36 percent. Obviously, there were some profitable campaigns in North America over the quarter.

The data holds even more insights when taken to a deeper level. For instance, between just July and August, geolocated credentials detected from Europe and Russia fell 33 percent, while Asia surged 77 percent.

According to Blueliv, this suggests a sizeable botnet was taken down in Europe, while a campaign targeting Asia was thriving.

“All it takes is a single good credential for a threat actor to gain access to an organisation and cause havoc,” says Blueliv CEO and founder Daniel Solís .

“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”

In terms of the malware families being used by cybercriminals, Pony, KeyBase, and LokiPWS (also referred to as Loki Bot) were consistently the most common tools of choice, but when it comes to popularity Pony has always been several lengths ahead of its counterparts.

However, LokiPWS is hot on its heels as in May its distribution had gone through the roof by more than 300 percent year over year. During the second quarter LokiPWS samples almost doubled, with a 91 percent increase quarter over quarter.

Solís says the growth of LokiPWS is of particular concern. It can be used as both a loader for other malware as well as a password and cryptowallet stealer. It is widely available from a variety of underground markets as a modular product, usually priced between US$200-300 depending on the desired use.

“Our analysts have been following the development of a huge variety of malware families,” says Solís.

“Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.”

Blueliv shares its intelligence in a bid to socialise cybersecurity and encourage parity to enable businesses around the world to fight cybercrime collaboratively.

Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.