Genesis IAB Market brings Polish to the dark web
The growing role of so-called Initial Access Brokers (IABs) in the cybercrime underground economy is reflected in the evolution of Genesis Marketplace, one of the first full-fledged marketplaces for IABs, which has become more sophisticated and refined over time.
A report released this week by Sophos takes an in-depth look at Genesis, which debuted in 2017 and offers malicious actors access to other people’s data, from credentials and cookies to digital fingerprints, through its invite-only marketplace. .
Genesis currently lists over 400,000 bots (compromised systems) in over 200 countries, with Italy, France and Spain topping the list of affected countries.
The marketplace not only provides the data itself, but well-maintained tools to facilitate the (mis)use of that data. These tools extend to bespoke anti-detection offerings that help its customers stay under the radar when deploying stolen credentials to access targeted bots, including a Google Chrome extension and even a Genesium browser. “constantly maintained and updated”.
“Most attackers, especially less experienced ones, don’t want to waste time or effort in the reconnaissance and infiltration phases of an attack,” said Angela Gunn, threat researcher at Sophos. “The maturity of Genesis, both the ease of use and the serious inquiry vibe that comes with restricted access, means no time or effort is wasted.”
The service is defined by the high level of quality of the data offered, as well as by the site’s commitment to keeping the stolen information up to date.
This means that hackers who pay for stolen information are kept informed by Genesis when that information changes or is updated. Users are charged a rate based on the amount of information they have about the targeted bot.
“For example, the only set of credentials that led to the June 2021 EA data breach, which allowed attackers to access EA’s system via the gaming giant’s Slack, was purchased from Genesis for $10,” according to the report.
Genesis also offers its customers a level of customer service and user interface (UI) polish that Sophos describes as “a far cry from the old days of 133tsp34k and Matrix-wannabe interfaces”. This includes a sleek and contemporary interface, a Frequently Asked Questions (FAQ) page, and multilingual technical support.
Repeat users also have access to a dashboard with up-to-date information on compromised systems in which they have mined.
“The fact that Genesis actually has a customer service feature is a statement that reinforces the seriousness of the operation,” Gunn points out.
BFIs are becoming more professional as demand grows
The evolution of Genesis indicates the “increasing professionalization and specialization” of the cybercrime economy, the report notes.
Ransomware groups and affiliates are believed to be the service’s most frequent customers, especially criminals looking for an IAB site that gives them expedited access and faster lateral movement to their targets.
Gunn explains that the “Dark Web” – which of course isn’t just one thing – has been professionalizing for a while now.
“Candidate vetting, robust search, technical support, developers and designers – this work is not free,” she adds. “Paying for this work shows how high the profits are in this business.”
A high level of organization also sets the Genesis market apart, giving malicious actors more contextual information about stolen data and enabling them to better understand compromised systems. It could actually spur even more inventive attack vectors.
“For example, a darknet manual we found during a recent investigation suggests other criminals use additional Genesis data to kick victims out of their accounts if the stolen credentials are no longer there. valid,” according to the report.
This means that even if victims attempt to neutralize the threat of stolen credentials, attackers can use the additional data to actively extort affected users.
The processing of the velvet rope
The invite-only accessibility of the service adds to the air of exclusivity and sophistication, which has resulted in a smaller cybercrime ecosystem of bogus sites promising access to Genesis and forcing gullible criminals to make a “deposit”. with a credit card to access it.
In November 2021, Digital Shadows, which has been tracking IABs since 2016, reported an increase in the use of IABs among cybercriminals.
Gunn says that if organizations want to avoid landing on the IAB auction block, they must first fix any vulnerabilities, keep their systems in order, and stay vigilant.
“Even though IABs are a more recent development in the threat landscape, reconnaissance and infiltration processes are nothing new,” she adds. “Organizations need to have a detection strategy in place to recognize these unusual activities, but you also need to understand your network, what’s in it, what potential attack surfaces are, and where to prioritize remediation accordingly.”