Malware
Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars
Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.
In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.
It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.
At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.
This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.
Understanding Leaked Credentials
To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.
Tier 1 Leaked Credentials
Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.
For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.
Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.
Defending Against Tier 1 Leaked Credentials
Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.
Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.
Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.
The Special Case of Combolists
Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.
Source: IT Services
These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.
Tier 2 Leaked Credentials
Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.
We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:
- A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
- These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
- These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.
Source: IT Services
Tier 3 Leaked Credentials
This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.
Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.
Source: IT Services
Defending Against Tier 3 Leaked Credentials
Limit the time-to-live (TTL) for corporate applications to reduce the risk of session cookies remaining valid if distributed as a result of an infostealer infection.
Multi-Factor Authentication Isn’t a Silver Bullet
Not monitoring leaked credentials likely means that many of your employees use single-factor authentication, as their passwords may have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.
Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.
The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.
Concerned about Credentials? We Can Help
IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.
Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.
Sponsored and written by IT Services.
Malware
RansomHub Launches Daring Cyberattack on Kawasaki, Warns of Massive Data Leak
Kawasaki faces a cyberattack from RansomExx, a ransomware group that threatens to leak stolen data on the RansomHUB dark web portal. The company confirms unauthorized access to European and Japanese servers, and is taking measures to prevent further damage.
Picture this: You’re going about your day, and suddenly, your entire business comes to a screeching halt. You’ve been hit by a cyberattack, and your critical data is now in the hands of cybercriminals. This nightmare scenario recently played out for Kawasaki Motors Europe, as the RansomHub ransomware gang targeted their EU headquarters and threatened to leak stolen data.
But Kawasaki didn’t take this lying down. They immediately jumped into action, working diligently to clean their systems of any “suspicious material,” such as malware. According to their announcement, they isolated their servers and initiated a strategic recovery plan. By working with external cybersecurity experts, they began checking each server one by one before reconnecting them to the corporate network. Their efforts are paying off, with 90% of their server infrastructure expected to be restored by the start of next week.
Now, you might be thinking, “That’s great for Kawasaki, but what does this have to do with me?” The answer is simple: cyberattacks can happen to anyone, and they’re becoming more prevalent and sophisticated every day. In fact, RansomHub alone has breached 210 victims from a wide range of critical U.S. infrastructure sectors since its launch in February, according to a joint advisory between the FBI, CISA, and the Department of Health and Human Services (HHS).
Don’t become a statistic: Learn from Kawasaki’s experience
Kawasaki’s story serves as a valuable lesson for all of us. When faced with a cyberattack, it’s crucial to act quickly and decisively, partnering with cybersecurity experts to mitigate the damage and protect your valuable data. But even better than reacting to an attack is preventing one from happening in the first place.
So, what can you do to safeguard your business and personal data from cybercriminals? Here are a few key steps:
- Keep your software up to date. Regularly updating your software helps to patch any security vulnerabilities that cybercriminals could exploit.
- Invest in strong security measures. This includes firewalls, antivirus software, and secure network connections, as well as employee training on cybersecurity best practices.
- Regularly back up your data. Having a secure, up-to-date backup of your data can help you recover more quickly in the event of an attack.
- Monitor for suspicious activity. Regularly review your network logs and other activity to identify any potential threats or breaches.
Let’s work together to keep your data safe
Here at IT Services, we understand the importance of keeping your data secure and are committed to helping you protect your business from cyberattacks. Our team of cybersecurity experts is available to guide you through the process of implementing robust security measures and ensuring your business is prepared to face any potential threats.
To learn more about how we can help you safeguard your business and personal data, get in touch with us today. And remember, the best defense against cyberattacks is a proactive approach to cybersecurity. So, don’t wait for disaster to strike—take action now to keep your data safe and secure.
Malware
Fortinet Acknowledges Massive Data Breach: Hacker Boasts Theft of 440GB Files
Fortinet, a network security company, has confirmed a data breach after a hacker claimed to have stolen 440GB of files. The breach is believed to have exposed client information, including email addresses and passwords. Fortinet is investigating the incident and taking steps to mitigate the potential impact on its customers and partners.
You may have heard about the recent data breach at cybersecurity giant Fortinet, and it’s worth taking a closer look at what happened to understand the risks and implications. The company is one of the largest cybersecurity providers in the world, offering a range of products and services such as secure networking devices, network management solutions, and consulting services.
A Threat Actor Strikes
Recently, a threat actor claimed to have stolen a whopping 440GB of data from Fortinet’s Microsoft Sharepoint server. This individual, going by the name “Fortibitch,” announced the theft on a hacking forum and even shared credentials to an alleged storage bucket containing the stolen data.
We have not accessed this storage bucket to verify its contents, but it’s important to note that the threat actor claimed to have attempted to extort Fortinet into paying a ransom to prevent the data from being published. Fortinet, however, refused to pay.
Fortinet’s Response
When we reached out to Fortinet about this incident, the company confirmed that customer data had indeed been stolen from a “third-party cloud-based shared file drive.” They described the breach as involving “limited data related to a small number of Fortinet customers.”
Initially, Fortinet did not disclose the number of affected customers or the nature of the compromised data, but they did state that they had “communicated directly with customers as appropriate.” In a later update on their website, Fortinet revealed that the breach affected less than 0.3% of its customer base and had not resulted in any malicious activity targeting those customers.
It’s also worth noting that Fortinet confirmed the incident did not involve data encryption, ransomware, or access to their corporate network. We have contacted Fortinet with additional questions about the breach, but have not received a reply at this time.
Not the First Time
This isn’t the first time Fortinet has been targeted by threat actors. In May 2023, an individual claimed to have breached the GitHub repositories of Panopta, a company acquired by Fortinet in 2020, and leaked stolen data on a Russian-speaking hacking forum.
A Call to Stay Informed and Vigilant
As this incident demonstrates, even the most prominent cybersecurity companies can fall victim to data breaches. That’s why it’s crucial to stay informed about the latest threats and to take steps to protect your own data and networks. We’re here to help you navigate the ever-evolving cybersecurity landscape and to provide the expertise and support you need to safeguard your digital assets.
Don’t hesitate to reach out to us to learn more about how we can help you stay ahead of the curve in cybersecurity, and be sure to keep coming back for the latest updates and insights.
Malware
Transport for London Reveals Alarming Cyberattack: Customer Data Compromised
Transport for London (TfL) has confirmed customer data was stolen in a cyber attack. TfL’s Oyster card and contactless payment systems were targeted, resulting in a partial shutdown of online services. The transport operator urges users to change their passwords and remain vigilant for potential phishing emails or fraudulent activity.
Did you know that on September 1st, the urban transportation agency, Transport for London (TfL), was hit by a cyberattack? Initially, they assured customers that there was no evidence of data being compromised. However, after further investigation, it turns out that some customer data was indeed impacted, including names, contact details, email addresses, and home addresses.
A Quick Recap of the Cyberattack
The attack was first made public on September 2nd, and since then, TfL staff has been dealing with system outages and disruptions. This includes the inability to respond to customer requests submitted via online forms, issue refunds for journeys paid with contactless methods, and more.
As we now know, the impact on customer data was not as minimal as initially thought. According to TfL’s status page, the investigation revealed that certain customer data had been accessed during the cyberattack.
Moreover, the agency discovered that the hackers may have accessed some Oyster card refund data and bank account number and sort codes for approximately 5,000 customers.
Worried about being affected? We can confirm that affected customers are receiving personalized notifications informing them of the data breach, so be sure to check your email to see if you’re among those impacted.
What Does This Mean for TfL Customers?
As TfL continues to work on remediation efforts, some services remain unavailable. Here’s a quick rundown of what you should be aware of as a customer:
- Live Tube arrival info is unavailable on some digital channels, but in-station and journey planning info is still accessible.
- Applications for new Oyster photocards, including Zip cards, are temporarily suspended. If you need to replace a lost card, call 0343 222 1234 (option 1).
- If you can’t apply for a photocard, keep records of your fares; you might be able to get a refund once the cyber incident is resolved.
- Contactless users can’t access their online journey history.
- Refunds for incomplete journeys using contactless payment methods are unavailable. Remember to always touch in/out. Oyster users can manage refunds online.
- Staff has limited system access, causing delays in online responses.
As of now, no ransomware gang has claimed responsibility for the cyberattack on TfL.
A Wake-Up Call for Better Cybersecurity
This incident serves as a reminder that we must be vigilant when it comes to cybersecurity. Businesses and individuals alike should take the necessary steps to protect their data and systems from cyber threats.
As an IT Services expert in cybersecurity, we’re here to help you stay informed and ensure you’re taking the right precautions to protect yourself from cyberattacks. So, don’t hesitate to reach out to us for advice or assistance. And keep coming back to learn more about how you can stay one step ahead of cyber threats.
RansomHub Launches Daring Cyberattack on Kawasaki, Warns of Massive Data Leak
Fortinet Acknowledges Massive Data Breach: Hacker Boasts Theft of 440GB Files
Transport for London Reveals Alarming Cyberattack: Customer Data Compromised
Flagstar Bank’s Latest Data Breach: 800,000 Customers Impacted, Marking the Third Incident of 2021
Blackbaud: Taking Responsibility with a Landmark $49.5 Million Settlement for Devastating Ransomware Data Breach
Top Data Protection Officer Certification Courses Reviewed
Malware11 months agoFlagstar Bank’s Latest Data Breach: 800,000 Customers Impacted, Marking the Third Incident of 2021
- Malware11 months ago
Blackbaud: Taking Responsibility with a Landmark $49.5 Million Settlement for Devastating Ransomware Data Breach
- Data Protection Regulations10 months ago
Top Data Protection Officer Certification Courses Reviewed
- Security Audits and Assessments10 months ago
Mastering Healthcare Data Security: 5 Essential Audit Tips
- Data Protection Regulations10 months ago
Top 11 Data Protection Training Programs for Compliance
- Data Protection Regulations10 months ago
Navigating Data Protection Laws for Nonprofits
- Data Protection Regulations10 months ago
9 Best Insights: CCPA’s Influence on Data Security
- Security Audits and Assessments10 months ago
HIPAA Security Risk Assessment: Essential Steps Checklist
