Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating.
This article will explore the ways in which threat actors utilize credentials to break into privileged IT infrastructure to create data breaches and distribute ransomware.
Leaked credentials from traditional sources are still a prominent and substantial risk to organizations.
We monitor more than 14 billion leaked credentials found from dumps across the dark web.
This gives us a unique perspective into how threat actors are acquiring, distributing, and using leaked credentials.
Tier 1 leaked credentials result from a breach of a third-party application or service, after which all of that service's users have their passwords compromised and distributed in a data dump on the dark web.
Attackers breach Scatterholt, access its identity and access management system, steal these credentials, and leak them onto the dark web.
This leak allows threat actors to use brute-forcing/pentesting tools to try those credentials against thousands of users' accounts on other applications where they may have reused the same password.
First and most importantly: monitor a leaked credentials database for corporate employee emails.
Secondly, require users to routinely reset passwords on a time-schedule so that if a specific password is breached, they will have already rotated other corporate credentials.
These credentials usually come from previously known breaches or stealer logs, or are sometimes totally made up; the original source is never entirely clear, but the sheer number of credentials one can acquire through combolists, combined with frequent password reuse on the user's part, still makes them a considerable attack vector.
Tier 2 leaked credentials pose a special degree of risk to companies.
These are credentials harvested directly from the user through infostealer malware that steals all passwords saved in the browser.
A single stealer log will contain all of the credentials the user saved in their browser.
These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins.
Finding a fresh stealer log being distributed with corporate credentials should immediately prompt an incident investigation, as it is highly likely that the passwords are working and that actors could directly access corporate resources.
If you aren't monitoring for leaked credentials and still rely on single-factor authentication for many of your employees, you are exposed, since many of them will have leaked passwords.
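The two monitoring steps above (watch leaked-credential sources for corporate e-mail addresses, and treat a fresh stealer log containing corporate logins as an incident) can be reduced to a small triage routine. The following is an added example, not Flare's code; the record formats (stealer-log lines as `host|username|password`, combolist lines as `email:password`), the corporate domain and all sample records are constructed assumptions.

```python
"""Triage constructed leaked-credential records against a watched corporate domain.

Added example (not Flare's code). Stealer-log lines are assumed to look like
'host|username|password' and combolist lines like 'email:password'.
"""
import re

CORPORATE_DOMAINS = {"example-corp.com"}  # assumed domain to watch

# Constructed sample data: one stealer log (Tier 2) and one combolist (Tier 1).
STEALER_LOG = [
    "https://sso.example-corp.com/login|alice@example-corp.com|Winter2024!",
    "https://shop.example.net/account|alice@example-corp.com|Winter2024!",
    "https://mail.example.org|alice.personal@example.org|hunter2",
    "malformed line with no separators",
]
COMBOLIST = ["bob@example-corp.com:Summer2019", "carol@example.org:password1", "garbage"]


def _domain_of(username):
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", username.strip())
    return m.group(1).lower() if m else ""


def parse_stealer_log(lines):
    """Return (host, username, password) tuples; skip lines that do not parse."""
    out = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) == 3 and all(parts):
            out.append((parts[0].strip().lower(), parts[1].strip(), parts[2]))
    return out


def parse_combolist(lines):
    """Return (username, password) tuples from 'email:password' lines."""
    out = []
    for line in lines:
        user, sep, pw = line.strip().partition(":")
        if sep and user and pw:
            out.append((user, pw))
    return out


def triage(stealer_records, combolist_records, domains=CORPORATE_DOMAINS):
    """Flag corporate logins. Stealer-log hits outrank combolist hits because the
    article treats fresh stealer logs as live, working passwords."""
    findings = [("stealer_log", host, user, "critical")
                for host, user, _ in stealer_records if _domain_of(user) in domains]
    findings += [("combolist", "", user, "high")
                 for user, _ in combolist_records if _domain_of(user) in domains]
    return findings


def corporate_password_reuse(stealer_records, domains=CORPORATE_DOMAINS):
    """For each corporate login, list every host in the same log sharing its password."""
    hosts_by_login = {}
    for host, user, pw in stealer_records:
        hosts_by_login.setdefault((user, pw), set()).add(host)
    return {user: sorted(hosts) for (user, pw), hosts in hosts_by_login.items()
            if _domain_of(user) in domains and len(hosts) > 1}
```

Any non-empty result from `triage` on a fresh stealer log is the trigger for the incident investigation described above, and `corporate_password_reuse` shows which other accounts the rotation must cover.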
Many people are under the impression that having two-factor authentication enabled is protection enough from stolen credentials, but the reality, as we've witnessed many times over, is that threat actors are very conscious of the barrier 2FA imposes and have techniques and strategies to get over the hurdle.
Flare monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.
Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 18 Jan 2024 16:00:14 +0000