More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.
These credentials were found in infostealer logs associated with the LummaC2, Raccoon, and RedLine malware families.
“The number of infected devices decreased slightly in mid- and late summer, but grew significantly between August and September,” the Singapore-based cybersecurity firm said in its Hi-Tech Crime Trends 2023/2024 report, published last week.
Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown for the top three stealer families is below:
- LummaC2 – 70,484 hosts
- Raccoon – 22,468 hosts
- RedLine – 15,970 hosts
“The sharp increase in the number of ChatGPT credentials for sale is due to the overall increase in the number of hosts infected by information thieves, whose data is then put up for sale on marketplaces or in UCLs,” Group-IB said.
The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.
Noting that adversaries can use LLMs to brainstorm new tradecraft, craft convincing scams and phishing lures, and improve their operational productivity, Group-IB said the technology could also speed up reconnaissance, facilitate the execution of hacking toolkits, and place scam robocalls.
“In the past, [threat actors] were primarily interested in corporate computers and systems with access that allowed movement across the network,” Group-IB noted. “Now they are also focused on devices with access to public AI systems.
“This gives them access to logs with the history of communications between employees and systems, which they can use to search for sensitive information (for espionage purposes), internal infrastructure details, authentication data (to conduct even more malicious attacks) and information on the application’s source code.”
The abuse of valid account credentials has emerged as a preferred access technique for threat actors, fueled primarily by the ready availability of such credentials through stealer malware.
“The combination of the rise of infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” IBM X-Force said.
“Corporate credential data can be stolen from compromised devices through credential reuse, browser credential storage, or access to corporate accounts directly from personal devices.”
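The theft paths described above (browser-saved logins, password reuse, corporate accounts on personal devices) are what a defender looks for when a stealer log surfaces on a marketplace. The script below is an added example, not code from Group-IB, IBM X-Force or the article: it parses a constructed, simplified stealer-dump format (real LummaC2, Raccoon and RedLine logs each have their own layout, so the parser is an assumption to adapt), flags logins to a watchlist of AI-service and corporate SSO domains, detects passwords reused across domains on the same infected host, and produces the list of corporate users whose credentials need a reset. The hostnames, users and passwords in the sample are constructed.

```python
"""Triage of infostealer-log records for exposed corporate and AI-service accounts.

Added example; the dump layout below is a constructed approximation of a
stealer log (one HOST block per infected machine, then URL/USER/PASS triples
for each saved browser login). Adapt parse_dump() to the real family's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: two infected hosts, several saved browser logins each.
SAMPLE_DUMP = """\
HOST: DESKTOP-A1B2C3
URL: https://chat.openai.com/auth/login
USER: alice@example.com
PASS: Winter2023!
URL: https://sso.example.com/login
USER: alice@example.com
PASS: Winter2023!
URL: https://www.reddit.com/login
USER: alice_gamer
PASS: hunter2

HOST: LAPTOP-X9Y8Z7
URL: https://auth.openai.com/u/login
USER: bob@example.com
PASS: CorrectHorse
URL: https://mail.google.com/
USER: bob.personal@gmail.com
PASS: CorrectHorse
"""

# Assumed watchlist: AI-service logins and the corporate SSO portal.
WATCHED_DOMAINS = {"chat.openai.com", "auth.openai.com", "sso.example.com"}
CORP_EMAIL_DOMAIN = "example.com"  # assumed corporate mail domain


@dataclass(frozen=True)
class Credential:
    host: str      # infected machine the record came from
    domain: str    # hostname of the login URL
    user: str
    password: str


def parse_dump(text):
    """Parse the constructed dump into Credential records."""
    creds = []
    host = url = user = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HOST:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("URL:"):
            url = line.split(":", 1)[1].strip()
        elif line.startswith("USER:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("PASS:"):
            password = line.split(":", 1)[1].strip()
            domain = urlparse(url).hostname or "" if url else ""
            creds.append(Credential(host, domain, user, password))
    return creds


def triage(creds):
    """Flag watched-domain exposures, per-host password reuse across domains,
    and the corporate users whose credentials must be reset.
    Passwords are never included in the findings."""
    exposures = sorted(
        {(c.host, c.domain, c.user) for c in creds if c.domain in WATCHED_DOMAINS}
    )
    # Same password saved for more than one domain on the same infected host:
    # a ChatGPT login that also opens the corporate SSO portal is the scenario
    # the article warns about.
    by_host_pw = defaultdict(set)
    for c in creds:
        by_host_pw[(c.host, c.password)].add(c.domain)
    reuse = sorted(
        (host, tuple(sorted(domains)))
        for (host, _pw), domains in by_host_pw.items()
        if len(domains) > 1
    )
    reset_users = sorted(
        {c.user for c in creds if c.user.lower().endswith("@" + CORP_EMAIL_DOMAIN)}
    )
    return {"exposures": exposures, "reuse": reuse, "reset_users": reset_users}


if __name__ == "__main__":
    findings = triage(parse_dump(SAMPLE_DUMP))
    for host, domain, user in findings["exposures"]:
        print(f"EXPOSED  {host}: {user} on {domain}")
    for host, domains in findings["reuse"]:
        print(f"REUSE    {host}: one password across {', '.join(domains)}")
    print("RESET    " + ", ".join(findings["reset_users"]))
```

Feeding a real dump through this produces a reset list keyed on the corporate mail domain and a reuse report that shows which exposed AI-service logins share a password with an SSO or mail account, which is the evidence needed to revoke sessions and force a reset rather than only rotating the one exposed account.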