The article describes how a mature underground access economy commoditizes remote credentials, infostealer logs, breach databases, and web shells, letting specialists trade and monetize each part of the attack chain. This industrialized market features products like Fortinet VPN credentials, infostealer families (e.g., Redline), and operators such as DAISY CLOUD that sell structured logs and subscriptions. #Redline #DAISYCLOUD
Key points
- Attackers now buy and sell access as standardized products—remote credentials, infostealer logs, breach databases, and web shells—rather than performing every step themselves.
- Remote access credentials (VPN and RDP) are listed with metadata (organization, region, industry, product) and sold at prices that scale with target value; sellers may guarantee exclusive access.
- Infostealer families like Redline, Raccoon, Vidar, Lumma, and Risepro harvest browser-saved passwords, session cookies, wallets, and tokens, then distribute structured, searchable logs via subscription channels.
- Breach databases from past incidents are categorized by geography, sector, freshness, and field completeness, and are used for credential reuse, reconnaissance, and identity construction.
- Web shells provide persistent, credentialless backdoors after initial exploitation, and are sold with details like OS, privileges (root), and target type (e.g., government systems).
- Market features—reputation systems, escrow, and standardized listings—lower entry barriers and allow specialization, turning access into a scalable, industrialized cybercrime economy.
MITRE Techniques
- [T1566] Phishing – Used as a credential-harvesting vector (‘harvest credentials through vulnerability exploitation, credential stuffing, or phishing’)
- [T1078] Valid Accounts – Attackers use harvested VPN/RDP credentials to authenticate and gain network access (‘Enterprise remote access gives employees secure connectivity … Once you authenticate, you’re in.’)
- [T1110.003] Credential Stuffing – Automated reuse of credentials, harvested from breaches or stealer logs, to take over accounts (‘harvest credentials through … credential stuffing’)
- [T1190] Exploit Public-Facing Application – Vulnerability exploitation is used to gain initial access and install backdoors or web shells (‘An attacker who exploits a vulnerable web application or unpatched file upload form gains initial access and installs a small script’)
- [T1555.003] Credentials from Web Browsers – Infostealers extract saved passwords, autofill data, and authentication tokens from browsers (‘systematically extract everything of value like saved passwords from browsers, session cookies, autofill data, cryptocurrency wallets, and authentication tokens’)
- [T1539] Steal Web Session Cookie – Session cookies stolen by infostealers are reused to inherit authenticated sessions without needing passwords or MFA (‘If an infostealer grabs that cookie while valid, an attacker can import it into their browser and inherit the authenticated session.’)
- [T1505.003] Web Shell – Web shells are planted backdoors that accept commands via HTTP and persist beyond the original vulnerability (‘installs a small script that accepts commands via HTTP … the shell remains.’)
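The cookie reuse described under T1539 has a defender-side signature: one session ID active from two different client fingerprints while the session is still valid, because the legitimate browser keeps using the cookie at the same time as the imported copy. The Python below is an added example, not code from the Varonis article; the log format, the `SAMPLE_LOG` lines and the eight-hour validity window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real product format): one line per request,
# carrying the session cookie ID, client IP and a user-agent label.
# Session a1b2c3 is used from a second browser 20 minutes after login.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z sess=a1b2c3 ip=203.0.113.10 ua=chrome-win
2024-05-01T09:05:00Z sess=a1b2c3 ip=203.0.113.10 ua=chrome-win
2024-05-01T09:20:00Z sess=a1b2c3 ip=198.51.100.7 ua=firefox-linux
2024-05-01T09:30:00Z sess=d4e5f6 ip=203.0.113.11 ua=chrome-win
2024-05-01T10:00:00Z sess=d4e5f6 ip=203.0.113.11 ua=chrome-win
"""

LINE_RE = re.compile(r"^(\S+) sess=(\S+) ip=(\S+) ua=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, session, ip, ua) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sess, ip, ua = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sess, ip, ua))
    return events


def find_hijacked_sessions(events, window=timedelta(hours=8)):
    """Flag a session the first time it appears from a client fingerprint
    (ip, ua) other than the ones already seen inside its validity window.
    An IP change alone can be mobile/NAT roaming, so 'ua_changed' marks the
    stronger case where the user agent differs too."""
    first_seen = {}
    fingerprints = defaultdict(set)
    alerts = []
    for ts, sess, ip, ua in sorted(events):
        first_seen.setdefault(sess, ts)
        if ts - first_seen[sess] > window:
            # Cookie lifetime exceeded: treat later traffic as a fresh session.
            first_seen[sess] = ts
            fingerprints[sess] = set()
        fp = (ip, ua)
        if fingerprints[sess] and fp not in fingerprints[sess]:
            known_uas = {u for _, u in fingerprints[sess]}
            alerts.append({"session": sess, "time": ts.isoformat(), "new_fingerprint": fp,
                           "known": sorted(fingerprints[sess]), "ua_changed": ua not in known_uas})
        fingerprints[sess].add(fp)
    return alerts
```

Running `find_hijacked_sessions(parse(SAMPLE_LOG))` yields one alert for session a1b2c3 with both IP and user agent changed; session d4e5f6 stays quiet.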
Indicators of Compromise
- [Credentials] remote access used for initial intrusion – Fortinet SSL VPN credentials for educational institutions (example listing: seven Fortinet SSL VPN credentials), RDP account access for internal machines
- [Malware Families] infostealer sources of harvested data – Redline, Raccoon (examples of families that produce stealer logs)
- [Session Tokens/Cookies] session hijacking enabling authenticated access – stolen browser session cookies (used to import authenticated sessions without MFA)
- [Data Dumps / Files] breach database artifacts – 24,000 HTML files and thousands of PDF documents from three Egyptian government ministries (example dump), plus database fields such as full names, emails, and phone numbers
- [Backdoors / Web Shells] persistent remote command execution – root RCE and shell access to a government revenue management system (example sale: Linux OS, root-level permissions)
- [Services/Subscriptions] stealer log distribution channels – DAISY CLOUD subscription listings (pricing examples: $400 for 7 days, $1,350 per month)
Read more: https://www.varonis.com/blog/how-hackers-buy-access