Have Your Users’ Credentials Been Leaked on The Dark Web?

The ability to infiltrate an organization deeply and discreetly makes stolen credentials a prized asset on the dark web, where they’re bought and sold among cybercriminals looking to leverage them for various illegal and harmful activities.

Hackers value credentials highly because they serve as the easiest route of initial access to protected systems, data, and resources within an organization.

Once obtained, an end user’s stolen credentials can be used as a platform for further exploits such as deploying malware, identity theft, financial fraud, and advanced persistent threats against the organization.

Initial Access Brokers and Dark Web Marketplaces

The cybercriminal landscape has evolved from a broad approach to a more specialized segmentation, with new categories of cybercriminals emerging as service providers periodically. Initial access brokers (IABs) exemplify this trend, acting as key intermediaries who grant other cybercriminals access to corporate networks.

In the cybercriminal underground ecosystem, products are commonly sold through various venues, including major and specialized cybercriminal forums, marketplaces, private sales on messaging platforms, and private e-commerce shops.

A closer examination revealed that the services and products offered by IABs are predominantly sold through major underground forums and private messaging platforms. Our Outpost24 KrakenLabs’ analysts did not find any forums or shops solely dedicated to corporate initial access.

The Dangers of Having Your Organization’s Credentials on The Dark Web

Dark web forums are frequented by a mix of hackers, IABs and cybercriminals who engage in the exchange of stolen data, forged documents, and malware.

The stolen credentials are valuable as they can be used to infiltrate further organizations, commit fraud, or gain unauthorized access to confidential systems and information.

Forming trusted partnerships between Initial Access Brokers (IABs) and ransomware groups has become a common practice, enabling the exchange of access for financial profit.

Our KrakenLabs’ analysts have observed that ransomware affiliates often engage with access broker advertisements and seek partnerships with IABs, underscoring the interconnected nature of threat actors within the cybercriminal ecosystem.

In any case, the presence of such data on the dark web poses a significant risk to the affected organization's security and requires proactive measures to mitigate potential damage.

How Can Credentials End Up in the Wrong Hands?

Your organization's credentials can end up for sale on the dark web through various means, usually involving the activities of cybercriminals or even hyper-specialized groups called “traffers”. These include infostealer infections, previous data breaches, and credential dumps, as well as targeted attacks where cybercriminals successfully breach your organization's systems and steal user credentials through techniques such as spear phishing.

Why Do You Need Visibility Over Your Leaked Credentials?

An organization should be highly concerned if their credentials are found on a dark web forum because this indicates a serious security breach has taken place (and worse could be on the way).

As a common saying goes: “Cybercriminals Don't Break In, They Log In!”

The presence of organizational credentials on the dark web exposes the organization to follow-up attacks using the stolen information. Cybercriminals can use these credentials to gain unauthorized (and oftentimes undetected) access to the organization’s systems, if they haven’t attempted to do so already.

This goes for credentials of all kinds! By using lateral movement techniques, attackers can expand their privileges, deploy malware, and possibly gain access to sensitive information such as intellectual property, employee data, and customer information. This not only jeopardizes the security of the organization but also that of its clients and partners, and can incur hefty fines and reputational damage.

Additionally, the sale on the dark web of credentials collected in such a breach can facilitate the spread of more targeted phishing campaigns, ransomware attacks, and other forms of cybercrime, escalating the potential for significant business disruption and financial liabilities. Therefore, monitoring the dark web for mentions of an organization’s credentials and taking proactive security measures is crucial for maintaining the integrity and security of an organization’s digital assets.

Scan For Leaked Credentials With An External Attack Surface Management (EASM) Solution

Outpost24’s external attack surface management (EASM) solution integrates threat intelligence data into its platform to help monitor for leaked credentials on the dark web. This can help you find out whether users of any of your domains have had their credentials leaked, telling you if any passwords paired with user email addresses or usernames have been found online. From there, IT teams can act and proactively close off these attack routes by alerting end users and forcing password resets.
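The matching and response step described above, as an added example that is not part of the article and not Outpost24’s own code: it takes a leaked-credential feed in the common `email:password` dump layout, keeps only the records whose mail domain the organization monitors, and then decides per account whether the leaked password is still the account’s current password (force a reset) or has already been rotated (alert the user only). The domain list, the feed contents, the user directory and the salted SHA-256 stand-in for the directory’s password hash are all constructed assumptions; a real identity store would use a slow hash such as bcrypt or Argon2, but the comparison logic is the same.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed values for this example; none of these come from the article.
MONITORED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample of a leak feed in the "email:password" dump layout.
# It mixes in a foreign domain, a duplicate with different casing,
# a malformed password-less line and an address with no directory entry.
LEAK_FEED = """\
alice@example.com:Summer2024!
bob@corp.example.com:hunter2
eve@othercompany.test:letmein
Alice@Example.com:Summer2024!
mallory@example.com
carol@example.com:P@ssw0rd
dave@example.com:Welcome1
"""


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 stand-in for the directory's password hash (assumption;
    a real identity store uses a slow hash such as bcrypt or Argon2)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed directory of current password hashes, keyed by lower-cased address.
USER_DIRECTORY = {
    "alice@example.com": (b"salt-a", hash_password("Summer2024!", b"salt-a")),
    "bob@corp.example.com": (b"salt-b", hash_password("NewPassphrase-2025", b"salt-b")),
    "carol@example.com": (b"salt-c", hash_password("P@ssw0rd", b"salt-c")),
}


def parse_leak_feed(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines, normalise the address to lower case and
    drop duplicates and records without a password. Passwords may themselves
    contain ':', so the line is split only on the first colon."""
    seen: set[tuple[str, str]] = set()
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # malformed or password-less record
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        key = (email, password)
        if key in seen:
            continue
        seen.add(key)
        entries.append(key)
    return entries


def match_monitored(entries: list[tuple[str, str]], domains: set[str]) -> list[tuple[str, str]]:
    """Keep only records whose mail domain is one the organisation monitors.
    Matching is exact per domain, so every owned sub-domain must be listed."""
    return [(e, p) for e, p in entries if e.rsplit("@", 1)[1] in domains]


def triage(matches: list[tuple[str, str]], directory: dict) -> dict[str, str]:
    """Decide the response per affected account:
    - force_reset: the leaked password is the account's current password
    - alert: the account exists but has rotated away from the leaked value
    - unknown_account: no directory entry (former user, alias or typo)"""
    actions: dict[str, str] = {}
    for email, leaked_pw in matches:
        record = directory.get(email)
        if record is None:
            actions[email] = "unknown_account"
            continue
        salt, current_hash = record
        # Constant-time comparison so the check leaks nothing about the hash.
        still_in_use = hmac.compare_digest(hash_password(leaked_pw, salt), current_hash)
        if still_in_use:
            actions[email] = "force_reset"  # wins over any earlier "alert"
        elif actions.get(email) != "force_reset":
            actions[email] = "alert"
    return actions


def triage_feed(feed_text: str, domains: set[str], directory: dict) -> dict[str, str]:
    """Full pipeline: parse the feed, filter to monitored domains, triage."""
    return triage(match_monitored(parse_leak_feed(feed_text), domains), directory)


if __name__ == "__main__":
    for email, action in sorted(triage_feed(LEAK_FEED, MONITORED_DOMAINS, USER_DIRECTORY).items()):
        print(f"{action:16}{email}")
```

The "alert" outcome is kept even when the password has already been rotated, because the user may still be reusing the leaked value on other services; the "unknown_account" outcome is worth reviewing too, since it often surfaces forgotten shared mailboxes or former employees whose accounts were never disabled.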

Leaked credentials are just one area EASM can help with. An EASM solution offers continuous discovery, analysis, and monitoring of everything connected to your company’s online exposure, including domains, websites, hosts, services, technologies, SSL certificates, and more. If you’d like to see firsthand what EASM can do, book a free analysis of your attack surface here.
