Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars


Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.

In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.

It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.

At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.

This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.

Understanding Leaked Credentials

To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.

Tier 1 Leaked Credentials

Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.

For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.

Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.

Defending Against Tier 1 Leaked Credentials

Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.

Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.

Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.

The Special Case of Combolists

Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.

Screenshot of a combolist
Source: IT Services

These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.

Tier 2 Leaked Credentials

Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.

We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:

  • A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
  • These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
  • These logs often contain form-fill data with answers to secret questions, which can be used to defeat the secret-question checks that websites rely on for account recovery.

Screenshot of the kinds of information stealer logs can contain, including cookies, passwords, and other sensitive information
Source: IT Services

Tier 3 Leaked Credentials

This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.

Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.
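As an added illustration (not code from the article or from IT Services), the Python below triages constructed leak records into the three tiers described above and keeps only accounts on a corporate domain, so that a fresh stealer log with cookies is surfaced as an incident rather than a routine reset. The record fields, the seven-day freshness window and the Scatterholt domain are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: a stealer-log cookie is treated as possibly live for a week.
FRESH_WINDOW = timedelta(days=7)
CORPORATE_DOMAINS = {"scatterholt.example"}   # the article's fictional company
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

@dataclass
class LeakRecord:
    email: str
    host: str                                # service the credential belongs to
    source: str                              # "breach_dump", "combolist" or "stealer_log"
    captured_at: Optional[datetime] = None   # stealer logs only
    has_session_cookies: bool = False        # stealer logs only

def classify_tier(rec: LeakRecord, now: datetime) -> int:
    """Tier 1: third-party breach dump or combolist.
    Tier 2: credentials harvested by an infostealer.
    Tier 3: fresh stealer log that also carries session cookies."""
    if rec.source != "stealer_log":
        return 1
    fresh = rec.captured_at is not None and now - rec.captured_at <= FRESH_WINDOW
    return 3 if (rec.has_session_cookies and fresh) else 2

ACTIONS = {
    1: "force password reset; check for reuse on corporate applications",
    2: "force password reset; expect social engineering against the user and help desk",
    3: "open an incident; revoke all sessions; reset password; verify MFA enrolment",
}

def triage(records, corporate_domains, now):
    """Return {email: (tier, action)} for corporate accounts only.
    An account seen in several sources keeps its highest (worst) tier."""
    worst = {}
    for rec in records:
        domain = rec.email.rsplit("@", 1)[-1].lower()
        if domain not in corporate_domains:
            continue            # consumer accounts are out of scope for the employer
        tier = classify_tier(rec, now)
        worst[rec.email] = max(tier, worst.get(rec.email, 0))
    return {email: (tier, ACTIONS[tier]) for email, tier in worst.items()}

# Constructed sample feed; none of these are real credentials or people.
SAMPLE_RECORDS = [
    LeakRecord("alice@scatterholt.example", "forum.example", "breach_dump"),
    LeakRecord("bob@scatterholt.example", "shop.example", "combolist"),
    LeakRecord("bob@scatterholt.example", "mail.scatterholt.example", "stealer_log",
               NOW - timedelta(days=1), True),
    LeakRecord("carol@scatterholt.example", "vpn.scatterholt.example", "stealer_log",
               NOW - timedelta(days=30), True),
    LeakRecord("dave@personalmail.example", "bank.example", "stealer_log", NOW, True),
]
```

Running `triage(SAMPLE_RECORDS, CORPORATE_DOMAINS, NOW)` puts bob at tier 3 (his fresh stealer log outranks his combolist hit), carol at tier 2 because her log is a month old, alice at tier 1, and drops dave's personal account.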

Screenshot from Telegram of a malware store
Source: IT Services

Defending Against Tier 3 Leaked Credentials

Limit the session time-to-live (TTL) for corporate applications so that session cookies stop being accepted soon after they are issued; this shortens the window in which a cookie distributed in a stealer log after an infostealer infection remains valid.
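An added example, not from the article, of what enforcing a session TTL looks like server-side: an in-memory session store with an absolute lifetime and an idle timeout, plus a revoke-all-for-user hook for when a stealer log naming that user turns up. The 8-hour and 30-minute limits and the fixed clock are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Assumed policy values: a session ends after 8 hours regardless of activity,
# or after 30 minutes without a request.
ABSOLUTE_TTL = timedelta(hours=8)
IDLE_TTL = timedelta(minutes=30)

T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # fixed clock for the example

def at(minutes: int) -> datetime:
    """Instant `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    revoked: bool = False

class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""
    def __init__(self) -> None:
        self._sessions: dict = {}

    def issue(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)       # random, unguessable cookie value
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: datetime) -> Optional[str]:
        """Return the user if the cookie is still live, else None.
        A cookie copied out of a stealer log is only useful while this returns a user."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.issued_at > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            s.revoked = True                    # expired: never accept it again
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user: str) -> int:
        """Kill every live session for a user (for instance when a fresh stealer log
        naming that user is found); returns how many were revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count
```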

Multi-Factor Authentication Isn’t a Silver Bullet

If you are not monitoring leaked credentials, many of your employees are likely relying on what amounts to single-factor authentication, because their passwords may already have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.

Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.

The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.

Concerned about Credentials? We Can Help

IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.

Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.

Check out our free trial.

Sponsored and written by IT Services.


ALPHV Ransomware Strikes: LoanDepot and Prudential Financial Suffer Devastating Breaches

AlphV ransomware operators claim to have breached loanDepot and Prudential Financial, allegedly exfiltrating sensitive data. Both companies are investigating the incidents, emphasizing the need for strong cybersecurity measures in the finance sector. Learn more about the AlphV ransomware group’s attack methods and the potential impact on these financial institutions.


A Recent Cybersecurity Breach: What Happened?

Did you hear about the recent ransomware attack on Prudential Financial and loanDepot? The ALPHV/Blackcat cyber gang has claimed responsibility for these breaches. The two companies were recently added to ALPHV’s dark web leak site, and the cybercriminals have some unsettling plans.

For loanDepot, the attackers plan to sell the stolen data, while for Prudential, they intend to release the data for free after failed negotiations. Let’s take a closer look at the impact of these breaches on the companies and their customers.

loanDepot: Mortgage Lender in Trouble

loanDepot, one of the largest U.S. nonbank retail mortgage lenders, confirmed a ransomware attack on January 8th. At least 16.6 million people had their personal information stolen in this attack. The company has since announced that it will notify those impacted and provide them with free credit monitoring and identity protection services.

Prudential Financial: Employee and Contractor Data Stolen

Prudential Financial, the second-largest life insurance company in the U.S., also fell victim to a network breach. The company revealed that a suspected cybercrime group breached its network on February 4th and stole employee and contractor data. So far, there’s no evidence that customer or client data was also stolen, but an ongoing investigation is assessing the full scope and impact of the incident.

Who’s Behind This?

The ALPHV gang, believed to be a rebrand of the DarkSide and BlackMatter ransomware operations, is responsible for these attacks. You might remember this group from the notorious Colonial Pipeline attack, which led to extensive investigations by law enforcement agencies worldwide. The gang has since gone through two rebrands.

A Call to Action: Stop ALPHV

The U.S. State Department recently announced rewards of up to $10 million for tips that could lead to the identification or location of ALPHV gang leaders. Additionally, a $5 million reward is offered for information on individuals linked to or attempting to participate in ALPHV ransomware attacks.

The FBI has linked the group to over 60 breaches worldwide during its first four months of activity. It estimates that ALPHV had raked in at least $300 million in ransom payments from over 1,000 victims through September 2023.

What Can We Learn From This?

These recent breaches serve as a stark reminder of the importance of cybersecurity for businesses and individuals alike. The threats posed by cybercriminals are ever-evolving, and staying informed is key to protecting yourself and your data.

At IT Services, we’re committed to keeping you updated on the latest cybersecurity news and helping you stay protected. Don’t hesitate to contact us for guidance and support. And remember, keep coming back to learn more about how to stay safe in the digital world!


Integris Health Reveals Massive Data Breach Affecting 2.4 Million Patients: Urgent Update

Integris Health has reported a data breach that impacted 2.4 million patients. The breach was linked to the theft of an employee’s laptop and two hard drives, which contained personal data such as names, addresses, and medical information. Integris has not yet announced any plans to provide identity theft protection to affected patients.


A Massive Data Breach Hits Oklahoma’s Largest Healthcare Network

Integris Health, Oklahoma’s largest not-for-profit healthcare network, recently revealed the extent of a data breach it suffered last November. The breach exposed the personal information of nearly 2.4 million people, making it a significant incident that demands attention.

Patients Receive Extortion Emails as a Result of the Breach

In December 2023, Integris Health confirmed it had suffered a cyberattack after patients started receiving extortion emails. These emails contained sensitive personal information and threatened that the stolen data would be sold to other cybercriminals unless the healthcare organization met the attacker’s demands by January 5, 2024.

Interestingly, the attackers claimed that their attack did not involve encryption and that they only stole the data. As a result, Integris Health’s network remained functional, allowing it to continue providing services to patients.

Stolen Patient Data Available on the Dark Web

The emails that patients received included accurate information and linked to a website on the Tor network hosting the stolen details. However, access to this information was not free. Visitors could either pay $50 and take the attacker’s word that their details would be removed, or pay $3 to view information belonging to any other impacted individual.

What Kind of Data Was Leaked?

In a recent notification, Integris Health confirmed the types of patient data impacted by the breach:

  • Full name
  • Date of birth
  • Contact information
  • Demographic information
  • Social Security Number (SSN)

Fortunately, the leaked data did not involve employment information, driver’s licenses, account credentials (usernames and passwords), or financial information.

A Dark Web Marketplace and the Number of Affected Patients

The attackers claimed they were selling data for 2.3 million Integris patients on a dark web marketplace. However, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal now shows that the number of impacted Integris Health patients is actually 2,385,646.

What’s Next for the Affected Patients?

Integris Health says all affected patients will receive individual notifications. They encourage recipients to remain vigilant and report any identity theft or fraud attempts as soon as possible.

The organization has also published an FAQ in the form of a PDF that offers additional information about the incident, its impact on patients, and protective steps they can take.

Be Prepared for the Aftermath

It’s essential to remember that the deadline set by the threat actor for Integris Health to pay a ransom has long passed, meaning the stolen data has likely been sold or shared with other cybercriminals. These criminals could use the information for various scams, phishing, or other types of attacks.

Stay Informed and Stay Protected

As IT Services experts, we’re here to help you stay informed about cybersecurity threats and offer guidance on how to protect yourself and your organization. Contact us to keep learning more and ensure you’re prepared for the ever-evolving landscape of cybersecurity.


Bank of America Alerts Clients of Data Breach Following Devastating Vendor Hack

Bank of America (BoA) has issued a data breach warning to customers after a third-party vendor suffered a cyber attack. BoA disclosed that customers’ Paycheck Protection Program (PPP) loan application data was exposed, including contact information and Social Security numbers. BoA is offering free identity theft protection services to affected customers.


Bank of America warns customers of data breach

Imagine you’re settling in for the evening, ready to unwind after a long day at work, and you receive an email from your bank. The subject line reads “Important: Data Breach Notification.” Your heart sinks. What’s going on? Well, that’s the situation many Bank of America customers are currently facing after the bank recently warned them of a data breach that exposed their personal information due to a service provider getting hacked last year.

The exposed data includes names, addresses, social security numbers, dates of birth, and financial information, such as account and credit card numbers. While the exact number of affected customers remains undisclosed, Infosys McCamish Systems (IMS), the vendor whose systems were compromised, reported that 57,028 individuals had their data exposed in the incident. To put this into perspective, Bank of America serves approximately 69 million clients across the globe.

How did this happen?

IMS, a subsidiary of IT consulting giant Infosys, experienced a cybersecurity event in early November 2023 when an unauthorized third party accessed its systems. This resulted in the non-availability of certain IMS applications, and on November 24, IMS informed Bank of America that data concerning deferred compensation plans serviced by the bank may have been compromised. It’s essential to note that Bank of America’s own systems were not breached in this incident.

Unfortunately, it is unlikely that we’ll ever know for sure what personal information was accessed during this breach at IMS.

The LockBit ransomware attack on IMS

So who’s behind this attack? The LockBit ransomware gang claimed responsibility for the IMS breach, stating that its operators encrypted over 2,000 systems during the attack. Since its emergence in September 2019, the LockBit ransomware-as-a-service (RaaS) operation has targeted many high-profile organizations.

In June, cybersecurity authorities in the United States and partners worldwide released a joint advisory estimating that the LockBit gang has extorted at least $91 million from U.S. organizations following roughly 1,700 attacks since 2020.

What’s next?

As a Bank of America customer, or any bank customer for that matter, you might be wondering what you can do to protect yourself from such incidents in the future. While the banks and their service providers should take the utmost precautions to safeguard your data, there’s no harm in taking some steps on your own to ensure your information remains secure.

Regularly monitor your account statements for any suspicious activity, strengthen your passwords, and be cautious about sharing personal information online. You can also consider using credit monitoring services to stay informed about any potential identity theft threats.

Stay informed and stay protected

At IT Services, we understand how important it is to stay updated on the latest cybersecurity threats and best practices. That’s why we’re committed to keeping you informed and providing expert advice to help keep your personal data secure.

So why not stay connected with us? Together, we can navigate the ever-evolving cybersecurity landscape and work towards a more secure digital future. Contact us or keep coming back to learn more about how you can protect yourself and your data from cyber threats.
