Atlantis AIO: The big ‘all-in-one’ credential stuffing platform

There’s a new ‘all in one’ tool making headlines, and this one isn’t just your everyday hacking tool. An ‘all-in-one’ (AIO, AiO) tool is a malicious service, software, or platform that integrates multiple functionalities into a single system. AIOs are designed to simplify and streamline malicious credential-based activities, such as credential stuffing and account takeover. The Atlantis AIO credential stuffing as a service (CSaaS) platform was uncovered last year by researchers at Sift Science, who found it advertised on the Telegram messaging service: 

Atlantis AIO is remarkable for its expansive services and pre-configured modules. It is considered a significant escalation in credential-based cyberattacks due to its scalability and intuitive design. It is also a more advanced threat due to its capabilities to bypass certain types of security measures.

What is an AIO?

There are plenty of cybercrime tools that do more than one thing, but an AIO tool generally refers to a credential-based attack system. That may change as the landscape evolves, but that’s how it’s used today. We can clarify the distinction by comparing AIOs with other classifications:

Attack tools are distinguished by their primary functions, which makes it easier for security professionals to track, analyze, and defend against threats.

The first generation of credential attacks appeared in the 2000’s. These were built for brute-force attacks and ‘credential testing,’ which is a different class of credential stuffing. These tools were often limited to single platform attacks, and threat actors usually targeted email and FTP servers. Automation advancements in the following decade improved the efficacy of credential attack tools, and the rise of modular software development accelerated the deployments of multivector/multifunction attacks. Instead of brute-force cracking a single platform, threat actors could deploy a core attack with modules for different targets, exploits, and attack vectors. More importantly, they could change and improve modules as desired.

These improvements have continued, which is why we are now facing this massive CSaaS platform, Atlantis AIO.

Why credential stuffing?

We can’t appreciate the impact of this new platform without understanding the impact of the crime it facilitates. Maintaining secure credentials is genuinely one of the most important areas of cybersecurity. It’s why the security industry is so focused on topics like zero trust access, the principle of least privilege (PoLP), multi-factor authentication (MFA), and phishing protection.

The most common way for threat actors to gain access to your systems and online accounts is simply by logging in with stolen credentials. The Verizon 2024 Data Breach Investigations Report (DBIR), about 77% of web application breaches are made possible by stolen credentials. 

Let’s consider how these credentials are stolen. Phishing is already a top threat, and it just keeps growing. Phishing-as-a-service platforms and phishing botnets accelerate this activity, and it’s important to remember that a phishing email attack doesn’t just try to steal credentials. Most are designed to install malware like ransomware or infostealers that will expand the footprint of the crime. Many credentials are stolen through credential dumping techniques during a crime in progress. Hundreds of millions of credential sets have been compromised through the many corporate data breaches for which we do not have details.

Credential stuffing is the most successful credential-based attack because it’s based on login credentials already stolen in previous attacks. This is why you should never reuse passwords, even when you think it’s harmless. 

The cycle of credential theft

Credentials are big business, and credential stealing is cyclical. Here’s a simple look at how this works:

Initial compromise: Credentials are stolen through phishing emails, infostealer malware, data breaches, or some other method.

Harvesting and aggregation: The stolen credentials are packaged for distribution or sale on a dark forum. Cybercriminals may sort these credentials by domain or company and process them into a high-value and easily consumed format.  Threat actors like Medusa ransomware steal credentials for their own attacks. They may plan to sell or freely distribute the credentials after this.

Sales and distribution: You’ll often see Initial Access Brokers (IABs) purchase stolen credentials so they can initiate their own credential-based attacks. IABs use the credentials to gain access to high-value targets, and then they sell the information to other threat actors. This allows threat actors to purchase access to a system, rather than just purchase credentials that might work. IABs are part of the cybercrime supply chain. Threat actors may also use purchase credentials for other types of attacks, depending on what information is included in the list.

Credential stuffing attacks: Other threat actors purchase these lists and use automated tools like Atlantis AIO to launch credential stuffing attacks. In the simplest terms, these attacks are trying to log in to different services using these stolen credentials to see if people used the same password for multiple accounts.

Repeated account compromise: Some sets of the credentials will work, and this leads us back to the earlier stages of harvesting and selling more credentials.

The credential theft cycle is self-sustaining because people reuse passwords across multiple services and the credentials usually remain available for a long time after they’ve been compromised. 

There are billions of stolen credential sets available on the dark web, and readily available through lists like RockYou2024 or Collection #1, and a 2022 study estimated that credential stuffing attacks have a success rate of 0.2 to 2%. That success rate fluctuates, but it’s based on a data set that keeps getting larger. From a threat actor’s point of view, credential sets AND access into a network are two different income streams, so this type of crime can be the foundation of a lucrative operation.

Atlantis AIO

The damage done by credential-based attacks is the reason Atlantis AIO may be a serious problem.  This platform automates credential stuffing attacks across multiple platforms, including email services, e-commerce sites, banks, VPNs, and food delivery services, and now it’s part of the supply chain for ransomware groups and advanced persistent threats (APTs). Here’s why it is considered so dangerous:

The tool is user-friendly, allowing even novice attackers to execute sophisticated attacks without needing extensive technical knowledge. This accessibility lowers the barrier for new threat actors to engage in credential-based crime. It also makes it easier for experienced criminals to initiate attacks.

Atlantis AIO has a modular framework, and the owners offer pre-configured modules that target roughly 140 platforms. This modularity allows attackers to easily switch between different types of attacks and platforms. It also makes it easier for the developers to add new targets and adapt existing attacks to new security measures.

The tool is designed for ‘as-a-service’ efficiency and scalability. It can test millions of stolen usernames and passwords in rapid succession, making it easier for attackers to execute large-scale attacks with minimal effort.

Atlantis AIO includes specialized attack modules for email account testing, brute force attacks and recovery processes. These modules can bypass security measures like CAPTCHAs and automate password reset processes. This streamlines and optimizes account takeover attacks.

Email account testing: These modules facilitate brute force attacks for popular email platforms. These facilitate account takeover attacks, they include inbox takeover functionality that supports additional crimes like data theft and phishing or spam campaigns.

Brute force attacks: These modules automate the ‘guessing’ of passwords.   

Recovery modules: These are tools to bypass security measures like CAPTCHA, and they work with specific services like eBay and Yahoo. Atlantis AIO also includes an ‘auto-doxer recovery’ function, which pairs with the tool that defeats the CAPTCHA challenge, which can then allow threat actors to change passwords and lock out the legitimate user.

The auto-doxing recovery feature is one of the main characters of Atlantis AIO. It collects all available data on the victim and uses the harvested data to bypass security questions. This data can be from publicly available sources like social media, or it can come from data stolen in previous leaks. The auto-doxing recovery function uses this information to guess the answers to security questions. If this works, Atlantis AIO can reset the password and gain full control before the victim notices.

It’s hard to calculate how much damage will be done with Atlantis AIO. It’s hardly the first automated credential attack tool, and it’s not the first crime offered as-a-service. Atlantis AIO could live a long life, or it might go offline before it does more damage. Regardless of how it lives or dies, Atlantis AIO could trigger a watershed moment in credential-based attacks. Credential stuffing reached unprecedented levels in 2024, when researchers first observed Atlantis AIO offered on Telegram. Although it was not a dominant tool in 2024, we can’t dismiss this platform as contributing to that increase.

What you can do

• Stop reusing your passwords. That’s the big one.
• Use a password manager that allows you to store unique and complex passwords in a user-friendly way.
• Use multi-factor authentication wherever possible.
• Consider switching to a passwordless authentication method.
• Avoid public wi-fi for sensitive logins or transactions.
• Stay alert for phishing attempts. Learn to recognize suspicious emails, links, and websites.
• Monitor for leaked credentials. Most password managers include this in the service.

What your company can do

In addition to supporting all of the above, companies can employ additional layers of security against credential stuffing:

• Implement rate limiting and throttling to limit the number of login attempts allowed by an account or an IP address.
• Use CAPTCHA and other challenge-response tests. This works best when combined with other defenses.
• Monitor login behavior with artificial intelligence (AI) and analytics. Behavioral analysis can establish a pattern for user logins and detect unusual activity, like credential stuffing, before it succeeds.
• Deploy web application firewalls to defend against this type of attack.
• Adopt passwordless authentication like biometrics or one-time codes.
• Use a security awareness program to educate employees on scams, phishing, and best practices.
• Monitor for leaked credentials associated with your domain. Threat intelligence services will actively monitor darkweb forums and other channels for information related to your domain. 

Barracuda can help

Barracuda’s advanced network-security platform can help you implement a modern, passwordless authentication system that allows users to access your network and resources easily and transparently — while effectively locking out malicious intruders. Take a look and get started with a free trial.