The Growing Threat of Cybercrime Empowered by Stolen Credentials

Cybercriminals are increasingly turning to stolen credentials as a valuable commodity on the underground market. According to a report by cybersecurity firm Flashpoint, last year saw 4,518 data breaches reported, with attackers stealing or exposing 22.62 billion credentials and personal records.

Over 60% of these were stolen from organizations in the information sector. Flashpoint’s database of threat intelligence includes 575 million posts on illegal forums, 3.6 billion chat messages, 39 billion compromised credentials, 85 billion unique email/password credentials, and over 2 billion credit card numbers that were stolen and then shared among cybercriminals.

Ransomware gangs operate on a service-based model, paying affiliates to break into networks and deploy their ransomware program for a large cut of any ransom payments made by victims. Affiliates often buy access into networks from initial access providers, who rely on stolen credentials to gain access, particularly credentials for remote access services such as VPNs and Remote Desktop Protocol (RDP). In 2022, LockBit was the most successful ransomware group, attracting many of Conti’s former collaborators by revamping its affiliate program with better deals.

Flashpoint recorded 3,164 publicly listed victims of ransomware gangs in 2022, an increase of 7% over the previous year. Based on trends seen in 2023, the company estimates that the number of victims this year is on track to exceed the 2022 number. Illicit markets directly impact data breaches and cyberattacks, with fraudsters, initial access brokers, ransomware groups, and advanced persistent threat (APT) groups alike turning to these markets to trade in stolen credentials and personal records.

Data breaches are one of the top sources for exposed credentials, but while hacking is the top cause for individual data breaches, this method is only responsible for 28% of the leaked credentials and records that make their way onto underground markets. Over 71% of credentials and personal records were leaked from only 5% of data breaches and were the result of misconfigurations of databases and services.

Phishing is another popular way of stealing credentials from users, with phishing kits being routinely available to purchase and new techniques being developed. Malware programs that can extract login credentials saved in browsers and other applications are also in high demand on underground forums.

Finally, exploits for known vulnerabilities are a hot commodity and can lead to data breaches. Flashpoint analysts recorded 766 instances where cybercriminals discussed vulnerabilities by CVE identifier on underground forums with prices for reliable exploits fetching between $2,000 and $4,000 but going up to $10,000 for more advanced ones.