The T1555.003 technique exploits the convenience feature in modern browsers that saves login credentials. According to recent research, web browsers typically store these credentials in an encrypted format within a credential store, but threat actors have developed methods to extract them in plaintext. The encrypted data is then decrypted using the Windows API function CryptProtectData, which leverages the victim’s cached logon credentials as the decryption key. As a result, attackers can gain unauthorized access to both personal and enterprise accounts, increasing the risk of privilege escalation and lateral movement within targeted networks.

“We’ve seen a significant increase in browser credential theft operations since early 2025,” explains cybersecurity researcher Steven Lim. With over 6,000 active threat indicators currently circulating, the risk of credential compromise through browser storage mechanisms remains critically high. The most prominent threat is Agent Tesla, a spyware that can harvest credentials from multiple browsers while also collecting screenshots and clipboard data. Another concerning actor is APT41, a Chinese cyber threat group conducting both state-sponsored espionage and financially motivated operations. Other actors exploiting this vulnerability include the Iranian-linked Ajax Security Team, China-based APT3, Iranian military-affiliated APT33, North Korean group APT37, and Iran’s IRGC-associated APT42.

The implications are severe, as compromised browser credentials often lead to privilege escalation when those credentials overlap with administrative accounts. To detect these attacks, organizations should monitor file access patterns to browser credential stores. Security tools can generate Event ID 4663 logs when unauthorized processes attempt to access browser files like Local State or Login Data. For technical teams, monitoring file system access to browser credential stores using tools like Sigma rules can improve detection capabilities. Organizations should also consider deploying modern credential management solutions that provide additional protection layers beyond what browsers natively offer. As this threat continues to evolve, security professionals must remain vigilant.
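The detection the article describes, as an added example that is not part of the original article: a small triage routine that scans Windows Security Event ID 4663 records and flags any process outside an expected-browser allowlist that reads Local State or Login Data. The allowlist, the Chromium-style `User Data` path layout, and the sample events are all assumptions constructed for this example.

```python
import ntpath
import re

# Browser credential stores named in the article. The surrounding
# "User Data\..." layout is an assumption about the Chromium profile tree.
CREDENTIAL_STORE_RE = re.compile(
    r"\\User Data\\(Local State|[^\\]+\\Login Data)$", re.IGNORECASE
)

# Processes expected to open these files. Assumption: tune to the browsers
# actually deployed in your environment.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Constructed sample of 4663 records (field names follow the Windows
# Security log; values are invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 4656, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
]


def is_credential_store(path: str) -> bool:
    """True if the object path is a browser credential store we care about."""
    return bool(CREDENTIAL_STORE_RE.search(path))


def find_suspicious_access(events):
    """Return 4663 events where a non-browser process touched a credential store."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:          # only the file-access audit event
            continue
        obj = ev.get("ObjectName", "")
        if not is_credential_store(obj):
            continue
        proc = ntpath.basename(ev.get("ProcessName", "")).lower()
        if proc in EXPECTED_PROCESSES:         # the browser itself is expected
            continue
        hits.append({"user": ev.get("SubjectUserName"),
                     "process": ev.get("ProcessName"), "object": obj})
    return hits
```

Object-access auditing (SACLs on the profile directory) must be enabled for 4663 events to exist at all; the same predicate translates directly into a Sigma rule selecting `EventID: 4663` with `ObjectName|endswith` on the two file names and a `ProcessName` filter.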
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 06 May 2025 06:10:07 +0000