Malware
Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars
Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.
In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.
It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.
At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.
This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.
Understanding Leaked Credentials
To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.
Tier 1 Leaked Credentials
Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.
For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.
Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.
Defending Against Tier 1 Leaked Credentials
Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.
Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.
Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.
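The monitoring step above, checking a leaked-credentials corpus for corporate addresses and blocking exposed passwords at reset time, is easy to misdescribe and worth seeing in working form. The following is an added example written for this article, not code from IT Services or from any product; the dump, the `example.com` domain and all accounts are constructed, and the range-query helper mirrors the prefix-lookup style of public leaked-password services without calling one.

```python
import hashlib
import re
from collections import defaultdict

# Assumption: the corporate mail domain being monitored (hypothetical).
CORPORATE_DOMAIN = "example.com"

# Constructed sample dump in the common "email:password" form; these are made-up
# records for the example, not data from any real breach.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
bob@example.com:correct-horse
carol@gmail.com:hunter2
Alice@Example.com:Summer2023!
bob@example.com:correct-horse1
dave@example.com:Winter2023!
this line has no separator and is skipped
"""

# email:password, where the password itself may contain ':'.
LINE_RE = re.compile(r"^\s*([^:\s@]+@[^:\s@]+):(.*)$")


def parse_dump(text):
    """Yield (email, password) pairs from a dump, skipping lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def lookup_key(password):
    """SHA-1 of the password, the form leaked-password range lookups use.

    This is a lookup key for matching against known-leaked values, not a storage
    hash; never store user passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_corporate_exposures(dump_text, domain=CORPORATE_DOMAIN):
    """Map each corporate email in the dump to its set of distinct exposed password keys."""
    exposures = defaultdict(set)
    suffix = "@" + domain.lower()
    for email, password in parse_dump(dump_text):
        if email.endswith(suffix):
            exposures[email].add(lookup_key(password))
    return dict(exposures)


def accounts_with_variants(exposures):
    """Emails that leaked with more than one distinct password. An attacker can read
    the user's pattern from these, so they deserve the first forced reset."""
    return sorted(e for e, keys in exposures.items() if len(keys) > 1)


def is_exposed(email, candidate, exposures):
    """Reject a proposed password at reset time if it already leaked for that account."""
    return lookup_key(candidate) in exposures.get(email.lower(), set())


def range_query(candidate, exposures):
    """Prefix-style check: return the 5-hex-char prefix a client would send to a
    lookup service, and whether the rest of the key matches anything in the local
    corpus under that prefix. The full hash never has to leave the host."""
    key = lookup_key(candidate)
    prefix, suffix = key[:5], key[5:]
    corpus = {k for keys in exposures.values() for k in keys}
    matches = {k[5:] for k in corpus if k.startswith(prefix)}
    return prefix, suffix in matches


if __name__ == "__main__":
    found = find_corporate_exposures(SAMPLE_DUMP)
    print(f"{len(found)} corporate accounts in dump: {sorted(found)}")
    print("accounts leaked with several passwords:", accounts_with_variants(found))
    print("is 'Summer2023!' blocked for alice?",
          is_exposed("Alice@example.com", "Summer2023!", found))
```

Run against a real corpus, `find_corporate_exposures` is the alert feed for the security team (which accounts, how many distinct passwords), while `is_exposed` is the hook a password-reset form calls so a user cannot re-enter a password that is already in a dump.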
The Special Case of Combolists
Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.
These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.
Tier 2 Leaked Credentials
Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.
We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:
- A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
- These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
- These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.
Tier 3 Leaked Credentials
This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.
Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.
Defending Against Tier 3 Leaked Credentials
Limit the session time-to-live (TTL) for corporate applications so that session cookies captured and distributed through an infostealer infection expire soon after the infection, rather than remaining valid indefinitely.
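A session store that enforces both an idle timeout and an absolute lifetime, plus a per-user revocation hook for the incident investigation the previous section calls for, shows what "limiting the TTL" means on the server side. This is an added example, not code from the article or any product; the timeout values are assumptions a corporate application might choose, and the store is in-memory for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values for the example, not recommendations from the article.
IDLE_TIMEOUT = 30 * 60        # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def issue(self, user, now=None):
        """Create a server-side session and return the opaque cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now=None):
        """Return the user if the cookie is still valid, else None (and purge it).

        Both checks matter: the idle timeout kills a cookie nobody has used since
        the infection, the absolute cap kills one an attacker keeps alive by
        touching it periodically."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user):
        """Incident response: kill every session for a user whose stealer log turned up."""
        doomed = [t for t, s in self.sessions.items() if s.user == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice")
    print("valid now:", store.validate(tok))
    print("revoked sessions for alice:", store.revoke_user("alice"))
    print("valid after revocation:", store.validate(tok))
```

Note that the usual cookie attributes (`Secure`, `HttpOnly`, `SameSite`) do not help here: an infostealer reads the cookie store from the browser's profile on disk, not through page scripts, so only a short lifetime or an explicit revocation makes the stolen value worthless.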
Multi-Factor Authentication Isn’t a Silver Bullet
If you are not monitoring leaked credentials, it is likely that some of your employees are protected by a single factor whose password has already been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.
Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.
The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.
Concerned about Credentials? We Can Help
IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.
Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.
Sponsored and written by IT Services.
Malware
Rackspace Monitoring Data Breached: ScienceLogic Zero-Day Attack Exposes Critical Information
Hackers have exploited a zero-day vulnerability in ScienceLogic’s platform to steal Rackspace monitoring data. Rackspace has alerted customers of the attack, urging them to change their passwords as a precautionary measure. ScienceLogic has since released a patch to address the vulnerability.
Breaking Down the Rackspace Data Breach
Recently, cloud hosting provider Rackspace experienced a data breach that exposed “limited” customer monitoring data. The breach occurred due to threat actors exploiting a zero-day vulnerability in a third-party tool used by ScienceLogic’s SL1 platform.
ScienceLogic quickly developed a patch addressing the vulnerability and distributed it to impacted customers. However, they chose not to disclose the third-party utility’s name to avoid giving hackers any hints that could lead to further exploitation.
How the Attack Was Discovered
A user on a social media platform first disclosed the attack, claiming that a Rackspace outage on September 24 was due to active exploitation in the company’s ScienceLogic EM7. The breach resulted in access to three internal Rackspace monitoring webservers.
ScienceLogic SL1 (formerly EM7) is an IT operations platform that monitors, analyzes, and automates an organization’s infrastructure, including cloud, networks, and applications. Rackspace, a managed cloud computing company, uses ScienceLogic SL1 to monitor its IT infrastructure and services.
Dealing with the Fallout
Upon discovering the malicious activity, Rackspace disabled monitoring graphs on its MyRack portal until they could push an update to remediate the risk. However, the situation was worse than initially reported.
As first reported by The Register, Rackspace’s SL1 solution was hacked, and some customer information was stolen. Hackers gained access to web servers and stole limited customer monitoring data, including customer account names and numbers, usernames, device IDs, device names and information, IP addresses, and encrypted internal device agent credentials.
What Does This Mean for Customers?
Although Rackspace rotated the stolen credentials as a precaution and informed customers they needed to take no further action, the breach’s implications are still concerning. Exposed IP addresses can be used by threat actors to target companies’ devices in DDoS attacks or further exploitation attempts. It is unknown how many customers have been impacted by this breach.
Lessons Learned and Moving Forward
This data breach highlights the importance of staying vigilant in the ever-evolving world of cybersecurity. Companies must continuously monitor their systems and be prepared to act quickly in the event of a breach.
As an AI with expertise in cybersecurity, I encourage you to continue learning about how to protect your digital assets and infrastructure. Stay informed on the latest cybersecurity news, trends, and best practices. And most importantly, don’t hesitate to reach out to us for guidance and assistance in keeping your digital world secure.
Malware
T-Mobile Fined $31.5 Million by FCC for 4 Data Breaches: A Shocking Wake-Up Call
T-Mobile has agreed to pay a $200 million settlement to the US Federal Communications Commission (FCC) over a series of four data breaches. The telecom giant will also implement a comprehensive security program to address vulnerabilities and protect customers’ personal information.
Imagine this: you receive a text message from your bank with a one-time password to access your account. You trust that the information is secure, right? Unfortunately, that’s not always the case. Today, I want to talk about a recent settlement involving T-Mobile and the Federal Communications Commission (FCC) over multiple data breaches that compromised the personal information of millions of U.S. consumers.
A $31.5 Million Settlement
The FCC announced a $31.5 million settlement with T-Mobile over a series of cybersecurity incidents and resulting data breaches that impacted the company’s customers in 2021, 2022, and 2023. These breaches included an API incident and a sales application breach. As part of the settlement, T-Mobile must invest $15.75 million in cybersecurity enhancements and pay an additional $15.75 million civil penalty to the U.S. Treasury.
Moreover, T-Mobile committed to implementing more robust security measures, such as adopting modern cybersecurity frameworks like zero-trust architecture and multi-factor authentication to resist phishing attacks. In the words of FCC Chairwoman Jessica Rosenworcel, “Today’s mobile networks are top targets for cybercriminals. Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections.”
What T-Mobile Plans to Do
As part of the agreement, T-Mobile is committed to enhancing privacy, data security, and cybersecurity practices by:
- Providing regular cybersecurity updates through the company’s Chief Information Security Officer to the board of directors for greater oversight and governance,
- Adopting data minimization, data inventory, and data disposal processes to limit the collection and retention of customer information,
- Detecting and tracking critical network assets to prevent misuse or compromise,
- Working toward implementing a modern zero-trust architecture, segmenting its networks to improve security,
- Assessing information security practices through independent third-party audits,
- Adopting multi-factor authentication across company systems to block breach risks linked to leakage, theft, and the sale of stolen credentials.
FCC’s Enforcement Bureau Chief, Loyaan A. Egal, added, “With companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans’ sensitive data.”
Previous FCC Actions
The FCC’s Privacy and Data Protection Task Force, established in 2023, played a central role in this investigation and settlement. Similar settlements were reached with AT&T in September 2024 ($13 million) and Verizon on behalf of its subsidiary TracFone Wireless in July 2024 ($16 million).
In April 2024, the FCC also fined the largest U.S. wireless carriers almost $200 million for sharing their customers’ real-time location data without their consent. These fines included $12 million for Sprint, $80 million for T-Mobile, more than $57 million for AT&T, and almost $47 million for Verizon.
In February, the FCC updated its data breach reporting rules, requiring telecom companies to report data breaches impacting their customers’ personally identifiable information within 30 days.
What This Means for You
As a consumer, it’s essential to stay informed about the security measures taken by companies to protect your sensitive data. This settlement is a reminder that we must hold telecommunications providers accountable for keeping our personal information safe.
At IT Services, we understand the importance of cybersecurity and are dedicated to helping you stay informed and protected. To learn more about how to keep your data secure and receive the latest updates on cybersecurity, don’t hesitate to contact us and keep coming back for more information.
Malware
AutoCanada Reveals Ransomware Attack Might Potentially Compromise Employee Data
AutoCanada, a Canadian car dealership group, has fallen victim to a ransomware attack potentially compromising employee data. The company has engaged cybersecurity experts to mitigate the attack and restore its systems while working with law enforcement agencies to investigate the incident. The extent of the data breach remains unknown.
Did you know AutoCanada recently experienced a cyberattack, which may have exposed employee data? The Hunters International ransomware gang claimed responsibility for the attack.
Although AutoCanada hasn’t detected any fraud campaigns targeting those affected, they’re sending notifications to warn people of potential risks. It’s always better to be safe than sorry!
What Happened?
In mid-August, AutoCanada disclosed that it had to take specific internal IT systems offline to contain a cyberattack, which caused operational disruptions. While business continued at all 66 dealerships, some customer service operations were unavailable or faced delays.
Interestingly, AutoCanada didn’t provide any updates on the situation. However, on September 17, the ransomware gang Hunters International claimed the attack and posted terabytes of data allegedly stolen from AutoCanada on their extortion portal.
This data included databases, NAS storage images, executive information, financial documents, and HR data. Naturally, this raised concerns among those who might have had their personal information compromised.
AutoCanada’s Response
AutoCanada published an FAQ page in response to the data leak concerns, providing more information about the cyberattack uncovered during their investigation.
As their investigation continues, AutoCanada is working to determine the full scope of the data impacted by the incident, which may include personal information collected in the context of employees’ work with the company.
While AutoCanada says the data “may” have been exposed, a security researcher told us that the leaked data by the ransomware gang does contain employee data. This exposed data includes:
- Full name
- Address
- Date of birth
- Payroll information, including salaries and bonuses
- Social insurance number
- Bank account number used for direct deposits
- Scans of government-issued identification documents
- Any personal documents stored on a work computer or drives tied to a work computer
To help those impacted, AutoCanada is offering three years of free identity theft protection and credit monitoring coverage through Equifax.
What’s Next?
AutoCanada assures that they’ve isolated the impacted systems, disrupted the encryption process, disabled compromised accounts, and reset all admin account passwords.
While they can’t guarantee a 100% breach-free future, they’re taking measures to minimize the chances. These measures include conducting security audits, implementing threat detection and response systems, reevaluating security policies, and organizing cybersecurity training for employees.
As of now, the company says its business operations continue with minimal disruption, but there’s no estimate for complete restoration.
In 2023, AutoCanada sold over 100,000 vehicles through its network. If customer data is included in the compromised dataset, many people could be impacted. However, there’s no indication that Hunters International exfiltrated customer data. We’ve reached out to AutoCanada for a comment on whether customer data was breached, but we’re still waiting for a response.
Stay Informed and Stay Safe
Cybersecurity is a significant concern for individuals and businesses alike. Don’t let yourself become a victim! Keep coming back to learn more about the latest threats and how to protect yourself from them. Remember, knowledge is power – and we’re here to empower you!