The Cloud and the Dark Web
The dark web has been the go-to place for shady deals for some years now. It comes then as no surprise that, just as one can purchase credit card numbers or other types of data commodities, one can also acquire access credentials for cloud accounts. And the market is thriving!
In the period from July 2020 through July 2021, IBM conducted research into the dark web black market for cloud account access. In this time period IBM X-Force identified some 30,000 cloud accounts potentially for sale on the dark web. They were available from as little as a few USD to over 15,000 USD.
What makes a cloud account valuable on the dark web?
The price of a cloud account depends on a mixture of factors, the first being:
Credit on the account
The more credit on the account, the higher the value of the account.
Cloud account owners can credit their cloud account with funds, say 1,000 USD worth, to give their resources the flexibility to scale up if needed. And just as when dealing in counterfeit money, there is a ratio between the value of the money available on the account and the price paid for it. In 2021 that ratio was approximately 20:1, which means an account with 1,000 USD of credit would be worth about 50 USD. Some malicious actors even offer warranties on the access they sell, with a refund promise if the account becomes unavailable (access lost) within 7 to 14 days of the sale.
A ratio of 20:1 is not a lot, and IBM offers four potential reasons for this. The first two are two sides of the same coin: there is either a large supply of, or a low demand for, cloud accounts on the dark web. Another possibility is that the rate of monetisation for credited accounts is low. Yet another option IBM presents is the risk to the buyer of losing their 'investment' once the actual account holder realises the account has been compromised and restricts access to it. Lastly, it is easy to open an account oneself, cutting out the effort of acquiring one on the dark web.
An account based in western Europe, for example, will have a higher value to threat actors; combined with a potentially high amount of credit on the account, this raises the threat profile of the organisation owning such an account.
Level of access
Naturally, accounts with a higher level of access are of more value to the malicious actor, with root access credentials being the most valuable.
Attack and pivot
In general, there are two reasons for rogue actors to acquire illicit access to a cloud account. One is as a means for attackers to use cloud resources to conduct illegal activities such as cryptomining, or as a platform from which to execute attacks on the web from trusted addresses. The other is to gain a foothold in an organisation's environment in order to pivot to other parts of the organisation's network and its assets.