For many years, the deep web has built and sustained its own ever-changing economy, fueled by the buying and selling of stolen information, user credentials, and corporate intellectual property. Like any modern marketplace, the dark web economy is shaped by supply and demand.

A recent X-Force Cloud Threat Landscape Report sheds light on this reality, revealing a new pattern in the going rates for stolen cloud access credentials. Since 2022, market prices for these compromised records have gradually declined, raising the question: has the dark web ecosystem reached a point of oversupply and devaluation for these credentials?

New cloud threat report reveals a downward pricing trend

In its fifth consecutive year of studying the cloud threat landscape, IBM’s X-Force team collected and analyzed data from June 2022 to June 2024 from various sources to uncover significant observations and emerging trends related to cloud vulnerabilities and dark web metrics.

In cooperation with Cybersixgill, a prominent cyber intelligence company specializing in analyzing and monitoring deep web and dark web activity, the X-Force team noted a consistent decline in the prices at which stolen cloud credentials are traded.

In 2022, the mean price for cloud access credentials stood at $11.74; it fell to $10.68 in 2023 and dropped further to $10.23 in 2024. Over the three years, this amounts to an overall 12.8% reduction in value, potentially reflecting a shift in both supply and demand for these illicit assets.

Possible factors behind the lower credential prices

When assessing the year-over-year decline in the value of cloud access credentials, several potential factors driving this change can be identified. To shed some light on the subject, Colin Connor, a member of IBM’s X-Force team, was asked to share his thoughts on the shifting dynamics of the dark web market.

Offering a different viewpoint and helping to draw a vital distinction between “cloud credentials” and “cloud access,” Connor explains that these stolen credentials are regarded as “low-hanging fruit for cyber offenders… credentials are acquired from stored login details in a contaminated system via information collectors, and no validation has taken place yet. Essentially, someone has sifted through all the discarded letters in the vicinity, collected all the information available, and then offered it for sale.”

Another point to consider is that although lower-quality credentials are openly available on dark web platforms, not all cybercriminals take the same approach to funding their operations. “One plausible cause behind the drop in mean price points is that the more valuable credentials are being sold by perpetrators outside of the dark web arenas as business access or exposed data breaches,” Connor said, which in turn influences the overall statistics.

Do recent trends signal market “saturation” or “standardization”?

At first glance, it may seem obvious that the appetite for stolen cloud credentials is waning and the market has reached a saturation point. However, when these trends are combined with other factors, the overall picture becomes clearer.

Based on the conversation with Connor, it is likely that the recent drops in average prices for cloud credentials between 2022 and 2024 reflect market “standardization” rather than a continuing decline in overall value.

“Our observations indicate that typically, the majority of credentials are purchased at the $10 mark. This price accounted for more than 80% of the market rates throughout all the years… $20 represents the pivotal point,” Connor remarks. “It’s these exceptions — normally less than 10% — that have led to irregularities between 2021 and 2024.”

“These alterations are not particularly significant… essentially, what is unfolding is merely a normalization of the market pricing.”

While these types of credentials serve a purpose for cybercriminals, the real profits come from selling actual cloud access. These legitimate access credentials can fetch thousands of dollars for high-profile assets.

Implications of lower cloud credential prices for criminal priorities

Although the influx of stolen cloud credentials on the dark web may be pushing this form of cybercrime down the priority list, this does not imply any slackening in the focus on gaining entry to cloud systems.

While prices for unverified user credentials remain low, attackers are likely to step up efforts to exploit known vulnerabilities in cloud systems that offer more direct paths to access. According to the recent OWASP Top 10 list, organizations should anticipate a surge in attacks targeting SQL injection, cryptographic failures, and broken access control. These vulnerabilities offer a more dependable and direct route to valuable data and assets within applications and cloud environments.

Another trend identified by IBM’s X-Force team is the use of cross-site scripting (XSS) to gain direct access and escalate privileges in cloud environments. XSS was reported as the top category among the cloud common vulnerabilities and exposures (CVEs) highlighted in the report and poses a substantial threat that needs monitoring.

This attack technique enables attackers to hijack session tokens and redirect users to malicious websites. From there, they can compromise access levels and deploy various tools, including cryptominers, infostealers, ransomware, and other forms of dangerous malware.

Monitoring and adapting to the new threat landscape

With each passing year, organizations must routinely monitor and adjust their defense strategies in response to emerging trends in dark web intelligence. This includes strengthening identity security posture, establishing comprehensive threat modeling practices, and reinforcing incident response capabilities.