Cybercrime has become increasingly challenging to defend against because of its scale, which has been enabled by the cybercrime-as-a-service economy. Rather than lone wolf cybercriminals performing every task needed to compromise and monetize a computer or account, those tasks are now covered by specialists. Malware and botnets can be rented. Vulnerability information can be purchased. Cybercriminals no longer have to learn how to do every action to execute an operation. They can buy the components or services needed for a specific fraud, allowing them to focus their energy on the part that delivers illicit revenue. A key component of cybercrime-as-a-service is the sale of login credentials or access to accounts.
Those sales often occur on underground markets. Genesis Market has been one of the most prolific markets for credentials and account access. On April 5, 2023, the U.S. Department of Justice and Europol unveiled a significant international law enforcement operation involving 17 countries that disrupted the market. Access brokering that took place on Genesis was linked to everything from account takeover (ATO) fraud to data theft attacks against enterprises through to ransomware attacks. Genesis sold login credentials and session cookies stolen by information-stealer (infostealer) malware that had infected end-user computers. With access to session cookies, attackers could gain access to accounts without entering login credentials and bypass multifactor authentication (MFA). Genesis offered a browser called Genesium and a browser plug-in that enabled attackers to spoof the digital “fingerprint” of their victim’s computer, giving them a greater chance of bypassing security systems designed to detect ATO fraud. While law enforcement action against Genesis resulted in the seizure of at least 10 clearnet domains, its Tor site is still running, and its administrators have indicated they will set up new infrastructure. This blog post will explore why Genesis Market and other credential markets pose a risk to enterprises and what can be done to combat the effect of infostealers.
Threat Actor Use
We assessed during its operation that Genesis Market primarily appealed to low-level actors interested in consumer-level ATO fraud. Advanced actors tend to be more interested in downloading raw bot data, which Genesis didn’t offer. Raw bot data is useful for automation as well as for use in other so-called “anti-detect” browsers (a term for browsers that can spoof the digital fingerprints of victims) that perform similarly to the Genesium browser. However, successful hacking groups, and at times ransomware groups, did draw on it as a source for initial access. As this story in Vice’s Motherboard shows, the Genesis Market interface could filter by URL to allow discovery of enterprise-related session cookies, such as those belonging to the identity provider Okta and to Slack, a corporate messaging product.
In one example of an enterprise compromise, the LAPSUS$ group attacked the video game publisher Electronic Arts (EA) in June 2021. The threat actors claimed to have exfiltrated data for The Sims and FIFA 21 games. They then offered in the same month to sell about 780 GB of EA’s proprietary data. One of the group’s members claimed that the intrusion started with the purchase from the Genesis Market of stolen cookies for US $10, which then led to account access for one of EA’s Slack channels. The person then allegedly messaged a member of EA’s information technology (IT) support team and pretended they’d lost their phone at a party. The IT support team allegedly twice provided MFA support codes, which allowed the attackers to access other services and download game source code.
As mentioned before, Genesis Market’s data came from infostealers. Intel 471 tracks the development and deployment of numerous infostealers, such as RedLine, Raccoon and Vidar. The impact of infostealers cannot be overstated. Infostealers provide a steady pipeline of stolen credentials to brokers, who then market those credentials in underground forums, Telegram channels and via private sales. Intel 471 predicts that in 2023 malware logs from infostealers will continue to be one of the primary sources for initial access. Here are recommendations for countering infostealers and the replaying of account credentials:
Prevent infostealer infections: It’s critical that enterprises take steps to stop infostealer infections. Employees in hybrid working environments who may use personal devices not managed by IT but are logging in to corporate resources could face greater risks of becoming infected by infostealers due to poor security hygiene. Endpoint detection software can help detect infostealers. Users should avoid installing software from questionable sources or downloading pirated software. Spam and phishing attacks are also a frequent source for infostealer infections. Botnets such as Emotet send spam runs containing a “loader,” or a small piece of malware that if installed on a machine will eventually download an infostealer. Users should be educated to avoid opening suspicious attachments in emails.
Strong authentication: Account credentials sold on marketplaces do not always come with an accompanying session token. In those cases, MFA may be enough to stop ATO. At times, attackers have successfully obtained MFA tokens from victims, either through text messages, phone calls or other types of phishing and social engineering. Strong authentication, which usually involves hardware keys tied to biometric data that must be inserted into a computer to authenticate to a service, is one of the best ways to stop advanced attacks that seek to subvert MFA. Setting short expiry dates for cached cookies to limit the session duration can also make stolen cookies obsolete.
Detecting account compromise: Detecting the use of a compromised account may be difficult. Threat actors often use anti-detect browsers in combination with HTTP proxies that have IP addresses in the general vicinity of the victims whose accounts they are misusing. Cloudflare describes here some of the signals it uses to spot potentially compromised accounts, including IP addresses. A logged IP address from an unknown location or from servers, such as a different country or a network range belonging to virtual private network (VPN) providers, could be a sign of illegitimate account use. In those instances, invalidating session tokens and prompting the user to sign in again could be one course of action. Monitoring the use of an account for behavior that diverges from normal use patterns may be another way to spot unauthorized access.
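As an added illustration (not code from Intel 471 or from the original post), the following Python sketch combines two of the recommendations above: a short absolute session lifetime, and invalidating a session when its cookie is replayed from a different country or from a VPN range, so that both the attacker and the legitimate user must sign in again. The VPN ranges, IP addresses, session id and log entries are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed placeholders for network ranges attributed to VPN/hosting providers.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")]
MAX_SESSION_AGE = timedelta(hours=8)  # short absolute lifetime so a stolen cookie goes stale

@dataclass
class Session:
    user: str
    issued_at: datetime
    login_ip: str
    login_country: str
    revoked: bool = False

def reasons_to_reauth(session, req_ip, req_country, now):
    """Signals that argue for invalidating the session and prompting a fresh login."""
    reasons = []
    if now - session.issued_at > MAX_SESSION_AGE:
        reasons.append("session_expired")
    if req_country != session.login_country:
        reasons.append("country_changed")
    if any(ipaddress.ip_address(req_ip) in net for net in VPN_RANGES):
        reasons.append("vpn_range")
    return reasons

def handle_request(sessions, sid, req_ip, req_country, now):
    """On any signal, revoke the session so the cookie is useless even if replayed again."""
    s = sessions.get(sid)
    if s is None or s.revoked:
        return "reject:unknown_or_revoked"
    reasons = reasons_to_reauth(s, req_ip, req_country, now)
    if reasons:
        s.revoked = True
        return "reauth:" + ",".join(reasons)
    return "ok"

def demo():
    # Constructed sample: session issued from a home IP in NL, then the same cookie
    # replayed from a proxy in a VPN range in another country, then the real user again.
    t0 = datetime(2023, 4, 5, 9, 0)
    sessions = {"abc123": Session("alice", t0, "192.0.2.10", "NL")}
    log = [("abc123", "192.0.2.10", "NL", t0 + timedelta(minutes=30)),
           ("abc123", "198.51.100.7", "US", t0 + timedelta(hours=1)),
           ("abc123", "192.0.2.10", "NL", t0 + timedelta(hours=2))]
    return [handle_request(sessions, *entry) for entry in log]

if __name__ == "__main__":
    print(demo())
```

The third entry shows the cost of the policy: once the replay is detected, the legitimate user's next request is rejected too and they are forced through a fresh login, which is the intended outcome rather than a bug.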
Monitor underground markets: Initial access brokers (IABs) make money by selling access. To do that, they market credentials and access on underground markets and forums. Victims are sometimes advertised by name. If not, IABs may describe in general terms what entity the access data belongs to, and human engagement with those actors can often lead to an identification. This kind of intelligence can help defenders identify possible infected machines and reset access credentials to prevent ATO.
Intel 471 monitors underground marketplaces where credentials are sold, including Genesis.
By creating alerts within Intel 471’s TITAN intelligence platform, enterprises can get warnings when credentials affecting their domains are offered for sale. Advance warning can allow time to take defensive action while threat actors are still trying to monetize the access. In 2022, Intel 471 analysts calculated an average of 79 days between when initial access was advertised on a forum and when the access was purchased by a ransomware affiliate.
Genesis: An Assessment and Outlook
The action against Genesis dealt a disruptive blow by impairing its clearnet infrastructure, but the impact may be marginal long term. Law enforcement seized 10 domains and also captured its database of customers, which numbered more than 59,000 users. As a result, 119 people were arrested (such as this 26-year-old alleged Genesis customer in the U.S.) and 208 properties were searched. But as with many cybercrime-related law enforcement actions, there are limitations. Not all threat actors can necessarily be identified nor arrested if they’re in jurisdictions that will not extradite. After the disruption, the marketplace’s operators claimed they would set up new infrastructure, and the Tor version of its site is still online.
More broadly, the threat that comes from initial access brokering will continue. This component of the cybercrime-as-a-service market is the starting point for schemes such as banking fraud, online retail fraud, enterprise-level intrusions and ransomware. If confidence in Genesis falls, other markets such as RussianMarket and Telegram channels will likely fill this void. Enterprises should stay vigilant and take steps to ensure their authentication and access systems are optimized for an aggressive threat environment.