A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.
Access to the email accounts of hundreds of C-level executives is available on the Exploit.in for $100 to $1500 per account. Exploit.in is a popular closed-access underground forum for Russian-speaking hackers, and it isn’t the only one, other prominent forums are fuckav.ru, Blackhacker, Omerta, and L33t.
The news reported by ZDnet is not surprising, I have discovered several times such kind of offer, but it is important to raise awareness on the cybercrime-as-a-service model that could rapidly enable threat actors to carry out malicious activities.
The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.
The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.
The threat actor claims its database includes login credentials of high-level executives such as:
- CEO – chief executive officer
- COO – chief operating officer
- CFO – chief financial officer or chief financial controller
- CMO – chief marketing officer
- CTOs – chief technology officer
- Vice president
- Executive Assistant
- Finance Manager
- Finance Director
- Financial Controller
- Accounts Payables
ZDnet confirmed the authenticity for some of the data available for sale.
“A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.” reported ZDNet.
At the time of writing, it is unclear how the threat actor has obtained the login credentials.
Experts from threat intelligence firm KELA, speculate the threat actor could have obtained the credentials buying “Azor logs,” which are lots of data stolen from computers infected with the AzorUlt info-stealer trojan.
Data collected by info-stealers are available for sale in the underground, threat actors use to buy and parse them searching for sensitive data such as account credentials.
In July, the US Department of Justice has indicted a hacker that goes online with the moniker Fxmsp for hacking over three hundred organizations worldwide and selling access to their networks.
Once the hacker gained access to the network, they deployed password-stealing malware and remote access trojans (RATs) to harvest credentials and establish persistence in the system.
The name Fxmsp refers a high-profile Russian- and English-speaking hacking group focused on breaching high-profile private corporate and government information.
Since March 2019, Fxmsp announced in cybercrime forums the availability of information stolen from major antivirus companies located in the U.S.
Between 2017 and 2018, Fxmsp created a network of trusted proxy resellers to promote their breaches on the criminal underground.
Fxmsp used to compromise Active Directory of target organizations and ensure external access through remote desktop protocol (RDP) connections.
Turchin attempted to sell access to these networks on hacker forums (i.e. Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t) and dark web marketplaces for prices ranging between a few thousands of dollars up to over $100,000.
The group also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets and exfiltrate sensitive data, including access credentials.
In 2019, Fxmsp confirmed to have breached the networks of some security companies and to have obtained long-term access.
The group offered access to single companies for $250,000 and is asking $150,000 for the source code of the software. Buyers can also pay at least $300,000 to acquire both, the price depends on the compromised company.