The growing role of so-called initial access brokers (IABs) in the underground cybercrime economy is reflected in evolution of Genesis Marketplace, one of the earliest full-fledged markets for IABs, which has grown more sophisticated and polished over time.
A report this week from Sophos takes a comprehensive look at Genesis, which started in 2017 and offers malicious actors access to other people’s data, from credentials and cookies to digital fingerprints, through its invitation-only marketplace.
Genesis currently lists more than 400,000 bots (compromised systems) in more than 200 nations, with Italy, France, and Spain topping the list of affected countries.
The market provides not just the data itself but well-maintained tools to facilitate that data's (mis)use. Those tools extend to bespoke anti-detection offerings that help its clients stay under the radar when deploying stolen credentials to access targeted bots — including a Google Chrome extension and even a "continually maintained and upgraded" Genesium browser on offer.
"Most attackers, especially less-experienced ones, do not want to waste time or effort on the reconnaissance and infiltration phases of an attack," explains Sophos threat researcher Angela Gunn. "The maturity of Genesis, both the ease of use and the serious-inquiries-only vibe that come with restricted access, speaks to not wasting time or effort."
The service is defined by the high quality level of data on offer, as well as the site's commitment to keeping stolen info up to date.
This means hackers who pay for stolen information are kept abreast by Genesis of when that information changes or gets updated. Users are charged an according rate based on the volume of information it has on the targeted bot.
"For instance, the single set of credentials that led to the June 2021 EA data breach, which famously allowed the attackers into EA’s system through the gaming giant’s Slack, were purchased on Genesis for $10," according to the report.
Genesis also offers its clientele a level of customer service and user interface (UI) polish that Sophos describes as "far from the old days of 133tsp34k and Matrix-wannabe interfaces." This includes a slick, contemporary interface, a page of frequently asked questions (FAQs), and multilingual tech support.
Returning users also have access to a dashboard with updated information about the compromised systems they've tapped into.
"The fact that Genesis actually has a customer-service function is a statement that bolsters the operation’s seriousness," Gunn points out.
IABs Get More Professional as Demand Rises
The evolution of Genesis points to the "growing professionalization and specialization" of the cybercrime economy, the report notes.
Ransomware groups and affiliates are assumed to be the service's most frequent customers, particularly criminals who are looking for an IAB site that gives them expedited access and faster lateral movement to their targets.
Gunn explains that the "Dark Web" — which of course is not just one thing — has been professionalizing for a while now.
"Applicant vetting, robust search, tech support, developers, and designers — that work doesn’t happen for free," she adds. "Paying for that work evidences just how high the profits are in this realm."
A high level of organization also distinguishes the Genesis market, giving malicious actors more contextual information surrounding stolen data, and allowing them greater insights into the compromised systems. This could in fact spur even more inventive attack vectors.
"For instance, a darknet manual that we found during a recent investigation suggests to other criminals that they use complementary data from Genesis for kicking victims out of their accounts if stolen credentials are no longer valid," according to the report.
This means that even if victims attempt to neutralize the threat of stolen credentials, attackers can use the complementary data to actively extort affected users.
The Velvet Rope Treatment
Adding to the air of exclusivity and sophistication is the service's invite-only accessibility, which has resulted in a smaller cybercrime ecosystem of fake sites promising access to Genesis and requiring gullible criminals to make a "deposit" with a credit card to access it.
In November 2021, Digital Shadows, which has been tracking IABs since 2016, reported an increase in the use of IABs among cybercriminals.
Gunn says if organizations want to avoid landing on the IAB auction block, they first must patch all vulnerabilities, keep their systems in order, and stay vigilant.
"Even if IABs are a newer development in the threat landscape, the processes of recon and infiltration are nothing new," she adds. "Organizations should have a detection strategy in place to recognize those unusual activities, but also you need to understand your network, what’s on it, what the potential attack surfaces are, and where to prioritize patching accordingly."