{"id":19753,"date":"2022-08-04T05:20:56","date_gmt":"2022-08-04T13:20:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/04\/news-13486\/"},"modified":"2022-08-04T05:20:56","modified_gmt":"2022-08-04T13:20:56","slug":"news-13486","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/08\/04\/news-13486\/","title":{"rendered":"Genesis Brings Polish to Stolen-Credential Marketplaces"},"content":{"rendered":"<p><strong>Credit to Author: Yusuf Polat| Date: Thu, 04 Aug 2022 11:00:02 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><span data-contrast=\"auto\">In our recent <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/06\/07\/active-adversary-playbook-2022\/\"><span data-contrast=\"none\">Active Adversary report<\/span><\/a><span data-contrast=\"auto\"> on trends we\u2019ve seen over the past year, Sophos X-Ops flagged the remarkable increase in median \u201cdwell time\u201d \u2013 the amount of time attackers spend in a system before they\u2019re removed (or even noticed). A portion of that increase is due to the rise of initial access brokers (IABs) \u2013 services that handle the work of getting a foothold on a victimized system, learning what\u2019s available on it, and stealing relevant cookies and other identifiers. IABs make their money by gaining and maintaining access until they can sell it to other criminals. It\u2019s another sign of the growing professionalization and specialization of the cybercrime sphere.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Genesis Marketplace is one of the earliest full-fledged IABs, and certainly one of the most polished. 
Here\u2019s how it works.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Portrait of an IAB<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Genesis \u2013 called Genesis Marketplace, or Genesis Store, or Genesis Market; the site refers to itself inconsistently \u2013 is an invitation-only marketplace. It sells stolen credentials, cookies, and digital fingerprints that are gathered from compromised systems, providing not just the data itself but well-maintained tools to facilitate its use.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Genesis has been active since 2017 and currently lists more than 400,000 bots (compromised systems) in over 200 countries. Italy, France, and Spain lead the list of affected nations. The attacker appeal of Genesis\u2019 collection isn\u2019t the size of its data aggregation; it\u2019s the quality of the stolen information that Genesis offers and the service\u2019s commitment to keeping that stolen information up to date.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">(The word \u201cbot\u201d in this situation might not be the usage a casual infosec observer would expect. Genesis and similar marketplaces use the term \u201cbot\u201d for individual compromised systems; in this case it refers specifically to the credential-harvesting, home-phoning automated malware on the compromised system. 
Persistent bots on victims\u2019 systems enable Genesis to tout the fact that once customers pay for stolen information, Genesis will keep that information updated as it changes over time.)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Genesis claims that as long as it has access to a compromised system, that system\u2019s fingerprints will be kept up to date. In other words, Genesis customers aren\u2019t making a one-time buy of stolen information of unknown vintage; they\u2019re paying for a de facto subscription to the victim\u2019s information, even if that information changes. This makes the stolen data Genesis sells more useful for attackers and thus more valuable.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Rounding out the dark appeal of Genesis are several customer-service features that let bad actors concentrate on doing crimes, not tech: A polished interface with good data-correlation capabilities; effective and well-maintained tools for customers, including a robust search function; and mainstream accoutrements such as an FAQ, user support, pricing in dollars (though payment is in Bitcoin), and competent copyediting.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">The Customers<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Who are Genesis\u2019 customers? IABs attract criminals looking to expedite infiltration into, and lateral movement within, a targeted system. 
Speeding up those steps reduces the time required to attack effectively, and it minimizes detection by processes that look for certain kinds of suspicious movement. One side effect of the rise of IABs? A net increase in dwell time on compromised systems \u2013 the most interesting data trend we saw in our 2022 report on active adversaries.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">While it&#8217;s often difficult to ascertain exactly who purchases data and access from IABs, ransomware groups and affiliates are frequent customers. The most common tactic attackers carry out with data of this sort is credential stuffing, in which stolen credentials are used to bombard a targeted service or business in an attempt to gain access. Using fingerprint data rather than simple stolen user ID \/ password combos to do a credential-stuffing attack helps attackers mask the fact that the onslaught is coming from a single point. This can help attackers bypass specific countermeasures sites have put in place to prevent credential stuffing attacks.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">\u00a0In any case, customer access to Genesis is invitation-only. Interestingly, this fact has spawned a robust secondary market for Genesis invitations. 
It\u2019s also led to other criminal-activity sites pretending to be Genesis and, in effect, scamming would-be scammers seeking access to the marketplace.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Persistently Compromised Data<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Unlike old-school combo lists and dumps of unrelated stolen credentials once shared in underground forums such as RaidForums and Breach Forums, IABs such as Genesis list individual bots with their corresponding cookies and other credentials. That lets threat actors see individual victims\u2019 contexts, understand relationships between stolen data, and obtain more comprehensive information about the compromised system. And, as noted above, Genesis actively works to keep that information current. This in turn creates new areas for more innovative attacks. For instance, a darknet manual that we found during a recent investigation suggests to other criminals that they use complementary data (victim data beyond whatever\u2019s required to access a specific account) from Genesis for kicking victims out of their accounts if stolen credentials are no longer valid:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86145\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-1.png\" alt=\"Screen capture says: &quot;There is a lot you can do even if you don't login to something such as Skrill. 
You can get the fullz from the email, you can lock them out of their Paypal and hold all of their valuable info for ransom. BE CREATIVE, this is all on you. Creativity Kills.&quot;\" width=\"560\" height=\"83\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-1.png 560w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-1.png?resize=300,44 300w\" sizes=\"auto, (max-width: 560px) 100vw, 560px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 1: Advice to would-be persistent attackers; Skrill is a provider of digital wallets, \u201cfullz\u201d is the full set of information on the victim (e.g., name and address), and the writer is talking about things attackers might do with Genesis data besides just attacking a victim\u2019s wallet<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In other words, even if victims realize their credentials are stolen and change their passwords to block the attackers, attackers can use complementary data to actively extort affected users. Meanwhile, as long as Genesis retains a foothold on the compromised machine, the credentials will eventually be re-stolen.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The more data Genesis has on a victim, the more the service charges for access to that bot: A victim represented by only a couple of user ID \/ password combos for social-media accounts can be had for under a dollar, while a victim whose information includes access for multiple bank accounts might go for hundreds of dollars. That allows the customer to buy precisely the information they need, perhaps even just one account\u2019s worth. 
For instance, the single set of credentials that led to the June 2021 EA breach, which famously allowed the attackers into EA\u2019s system through the gaming giant\u2019s Slack, was <\/span><a href=\"https:\/\/www.vice.com\/en\/article\/n7b3jm\/genesis-market-buy-cookies-slack\"><span data-contrast=\"none\">purchased on Genesis<\/span><\/a><span data-contrast=\"auto\"> for $10.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Bespoke Anti-Detection Tools<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Once a would-be attacker has found a likely victim, Genesis facilitates the process of using the stolen information while, crucially, avoiding detection. The service offers two browser-based options for getting, editing, and using stolen information automatically: a Chrome extension and an \u201cungoogled\u201d version of Chromium with a Genesis extension. 
The latter, called the \u201cGenesium\u201d browser, is advertised on the site as \u201ccontinually maintained and upgraded by the Genesis team.\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86146\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-1.png\" alt=\"A screen capture from Genesis showing the pitches for the Genesis Security Plugin and Genesium Browser 19.0\" width=\"546\" height=\"245\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-1.png 546w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-1.png?resize=300,135 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 2: Choose your well-maintained weapon<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To be clear, detection avoidance \u2013 an important step for attackers once they\u2019ve gained access \u2013 isn\u2019t exclusive to Genesis\u2019 (or any other IAB\u2019s) offering; there are a number of tools available online, just as there are more IABs in the world than Genesis. Anti-detection tools vary in how they shield the attacker\u2019s browser from being identified; some are tuned to specific kinds of targets, such as social media. 
Genesis in this respect is worthy of note for being an integrated system; though more experienced attackers might mix and match tools and IABs to formulate their campaigns, the bar for successful attacks is uncomfortably low here.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Getting In<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As mentioned, Genesis is an invite-only service, which has created demand among would-be bad guys for initial access to such a service. This demand creates a secondary marketplace that offers matchmaker-like access between threat actors and invitation-only platforms such as Genesis, as in the offer shown in Figure 3:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86147\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png\" alt=\"A probably-fake offer for access to Genesis Market\" width=\"640\" height=\"278\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png 1707w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png?resize=300,130 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png?resize=768,334 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png?resize=1024,445 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-1.png?resize=1536,668 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 3: Invite codes for Genesis for sale, 
allegedly<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">During our investigation, we occasionally found sites that claimed to be Genesis or Genesis-connected but were instead scam sites looking to separate would-be criminals from their credit-card information. One of these, which appears prominently in Google searches of \u201cgenesis market,\u201d claims to offer free access to the marketplace but then requests a $100 deposit to \u201cactivate\u201d the user\u2019s account. Ultimately, signs point to the site not actually providing the would-be attacker with entry to the Genesis kingdom.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Slick Interface<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We\u2019ve noted that the data-correlation capabilities of Genesis are robust \u2013 comparable in their way to mainstream data-aggregation services. Likewise, the sites themselves are far from the old days of 133tsp34k and Matrix-wannabe interfaces. Genesis has a wiki and a page of Frequently Asked Questions; it has multilingual tech support; the text is well-written, and thought has gone into how to present the data in an appealing way. Return visitors are greeted with a dashboard describing which of their purchased bots (compromised systems) have been updated since their last visit. 
The data is easily searchable.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Two views of Genesis\u2019 bot-search screens give a sense of its clean design:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-04-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86148\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-04-1.png\" alt=\"Bot-search results on Genesis\" width=\"640\" height=\"252\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-04-1.png 894w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-04-1.png?resize=300,118 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-04-1.png?resize=768,302 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em><span class=\"TextRun SCXW96249145 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW96249145 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW96249145 BCX0\">4<\/span><span class=\"NormalTextRun SCXW96249145 BCX0\">: <\/span><span class=\"NormalTextRun SCXW96249145 BCX0\">The bot-search page<\/span><span class=\"NormalTextRun SCXW96249145 BCX0\"> where<\/span><span class=\"NormalTextRun SCXW96249145 BCX0\"> customers seek their bots. 
Among the types of information available are the hex \u201cname\u201d of each<\/span><span class=\"NormalTextRun SCXW96249145 BCX0\"> bot, information on the services and subscriptions it includes, the IP address and country of the bot, information on its operating system, and the current price<\/span><\/span><span class=\"EOP SCXW96249145 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-05-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86149\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-05-1.png\" alt=\"The screen for extended searches on Genesis, showing the level of differentiation available\" width=\"640\" height=\"220\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-05-1.png 936w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-05-1.png?resize=300,103 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-05-1.png?resize=768,264 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 5: The Extended Search screen showing the URL of the targeted service, the IP address of the bot, country, operating system in use, and date parameters<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Conclusion<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Over the years, malicious-actor watering holes have come and gone, but overall being an Online Bad Guy took some skills, some digging, and some introductions to groups and resources that weren\u2019t easy to find. 
Once those were found, actually getting access to and finding the treasure on a compromised system was hard, time-sensitive work \u2013 and the effort itself made nascent attacks easier for defenders to detect.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Those were happier times.\u00a0 Specialization in the online-crime sector brought us the IAB, specialists in gaining access and stealthily maintaining it for others \u2013 holding open the door, as it were, to other miscreants willing to pay. Professionalization brought us the polished likes of Genesis. The results, as we saw in this year\u2019s Active Adversary report and continue to see as our Rapid Response and Managed Threat Response teams work with client after client, speak for themselves\u2026 in lingering tones.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">For further reading<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Kivilevich, Victoria and Raveed Laeb, \u201c<\/span><a href=\"https:\/\/ke-la.com\/the-secret-life-of-an-initial-access-broker\/\"><span data-contrast=\"none\">The Secret Life of an Initial Access Broker<\/span><\/a><span data-contrast=\"auto\">\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Ongoing IAB survey coverage from Digital Shadows: 2020 (<\/span><a href=\"https:\/\/www.digitalshadows.com\/blog-and-research\/rise-of-initial-access-brokers\/\"><span data-contrast=\"none\">recap<\/span><\/a><span data-contrast=\"auto\"> and <\/span><a 
href=\"https:\/\/resources.digitalshadows.com\/whitepapers-and-reports\/initial-access-brokers-report\"><span data-contrast=\"none\">full report<\/span><\/a><span data-contrast=\"auto\">), <\/span><a href=\"https:\/\/www.digitalshadows.com\/blog-and-research\/initial-access-brokers-in-2021-an-ever-expanding-threat\/\"><span data-contrast=\"none\">2021<\/span><\/a><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Pernet, Cedric, \u201c<\/span><a href=\"https:\/\/www.techrepublic.com\/article\/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks\/\"><span data-contrast=\"none\">Initial access brokers: How are IABs related to the rise in ransomware attacks?<\/span><\/a><span data-contrast=\"none\">\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}\">\u00a0<\/span><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/04\/genesis-brings-polish-to-stolen-credential-marketplaces\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/genesis-hero-image.jpg\"\/><\/p>\n<p><strong>Credit to Author: Yusuf Polat| Date: Thu, 04 Aug 2022 11:00:02 +0000<\/strong><\/p>\n<p>Four years on, Genesis Marketplace remains the go-to underground market for easy access to other people\u2019s 
data<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[14011,25788,27216,3765,27030,16771],"class_list":["post-19753","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cybercriminals","tag-genesis","tag-iabs","tag-ransomware","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19753"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19753\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}