New research from Trend Micro reveals that cybercriminals are using cloud services to accelerate their attacks, shrinking the window enterprises have to identify and respond to a breach. The research also describes an underground market, dubbed “Cloud of Logs,” in which malicious actors sell stolen credentials and other harvested data to buyers on hacker forums.
Massive Data Trade on Dark Web
Trend Micro states that terabytes of stolen data traded through these cloud-hosted logs are making cyberattacks more widespread and effective globally. Internal business data and logins for popular providers such as Amazon, Google, Twitter, Facebook, and PayPal are put up for sale on the dark web. Attackers sell access to these logs on a subscription basis for $1,000 per month. A single log can contain millions of records, and frequently updated data sets fetch even higher prices.
Trend Micro warned that easy access to stolen credentials allows cybercriminals to streamline and accelerate the execution of attacks and potentially expand their number of targets.
“Once access is purchased for logs of cloud-based stolen data, the purchaser will use the information for secondary infection. For example, Remote Desktop Protocol (RDP) credentials can be found in these logs and are a popular entry point for criminals targeting enterprises with ransomware. This data is sold via access to the cloud logs in which it is stored. This results in more stolen accounts being monetized, and the time from initial data theft to stolen information being used against an enterprise has decreased from weeks to days or hours,” the report said.
Robert McArdle, director of forward-looking threat research for Trend Micro, said, “The new market for access to cloud logs ensures stolen information can be used more quickly and effectively by the cybercrime community—that’s bad news for enterprise security teams. This new cybercriminal market shows how criminals are using cloud technologies to compromise you, which also means a business is not exempt from this attack method if it only uses on-prem services. All organizations will need to double down on preventative measures and ensure they have the visibility and controls needed to react fast to any incidents that occur.”