Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars


Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.

In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.

It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.

At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.

This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.

Understanding Leaked Credentials

To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.

Tier 1 Leaked Credentials

Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.

For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.

Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.

Defending Against Tier 1 Leaked Credentials

Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.

Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.

Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.

The Special Case of Combolists

Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.

Screenshot of a combolist (source: IT Services)

These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.
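The Tier 1 defense above (monitoring a leaked-credential feed for corporate addresses) and the combolist format just described can be demonstrated with a short triage script. This is an added example, not code from the article or from IT Services: it assumes dumps and combolists arrive as `email:password` or `email;password` lines, and the sample dump, the `scatterholt.example` domain and every credential in it are constructed for illustration.

```python
"""Scan a leaked-credential dump / combolist for monitored corporate accounts.

Added example (not the article's or IT Services' code). It assumes dumps and
combolists arrive as "email:password" or "email;password" lines; the sample
below is constructed for illustration and contains no real credentials.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample of what a few combolist lines look like.
SAMPLE_DUMP = """\
alice@scatterholt.example:Summer2023!
bob@webmail.example:hunter2
alice@scatterholt.example:Summer2023!
carol@scatterholt.example:Summer2023!
# a broken line with no separator
dave@partner.example;Winter2024
alice@scatterholt.example:Summer2024!
"""

# Accept both ":" and ";" separators; passwords may themselves contain either,
# so only the first separator after the address is treated as the delimiter.
LINE_RE = re.compile(r"^([^:;\s]+@[^:;\s]+)[:;](.+)$")


def parse_dump(text):
    """Yield (email, password) pairs; lines that do not parse are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def fingerprint(password):
    """Truncated SHA-256 so reports can say 'same password' without storing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_corporate_exposures(text, corporate_domains):
    """Map each monitored-domain address to the distinct password fingerprints seen."""
    domains = {d.lower() for d in corporate_domains}
    hits = defaultdict(list)
    for email, password in parse_dump(text):
        if email.rsplit("@", 1)[1] in domains:
            fp = fingerprint(password)
            if fp not in hits[email]:
                hits[email].append(fp)
    return dict(hits)


def shared_passwords(exposures):
    """Fingerprints used by more than one corporate account (shared passwords)."""
    owners = defaultdict(set)
    for email, fps in exposures.items():
        for fp in fps:
            owners[fp].add(email)
    return {fp: sorted(e) for fp, e in owners.items() if len(e) > 1}


def reset_list(exposures):
    """Accounts to force-reset (and to check for reuse on other services)."""
    return sorted(exposures)


if __name__ == "__main__":
    exp = find_corporate_exposures(SAMPLE_DUMP, ["scatterholt.example"])
    for email in reset_list(exp):
        print(f"{email}: {len(exp[email])} distinct password(s) exposed")
    for fp, who in shared_passwords(exp).items():
        print(f"password {fp} shared by {', '.join(who)}")
```

Only a truncated hash of each password is kept, which is enough to tell "two accounts share a password" or "the same user appears with several passwords" without the monitoring tool itself becoming a plaintext credential store.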

Tier 2 Leaked Credentials

Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.

We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:

  • A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
  • These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
  • These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.

Screenshot of the information a stealer log can contain, including cookies, passwords and other sensitive data (source: IT Services)

Tier 3 Leaked Credentials

This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.

Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.
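The triage the previous two sections describe (every saved login in one log, with host, username and plaintext password; a fresh log with corporate hosts is an incident, an old one still forces resets) can be automated. The script below is an added example, not the article's or IT Services' code. The `URL:`/`USER:`/`PASS:` block layout and the `Log date:` header are a constructed approximation of how stealer password files are laid out and would need adjusting to the real format you receive; the hosts, users and passwords are fictional.

```python
"""Triage a stealer log for corporate credentials.

Added example (not the article's or IT Services' code). The log layout below
(a date header, then URL/USER/PASS blocks separated by a rule) is a constructed
approximation of a stealer "passwords" file; adjust ENTRY_RE for the real
format you receive. All values are fictional.
"""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
Log date: 2024-06-03
===============
URL: https://vpn.scatterholt.example/login
USER: alice@scatterholt.example
PASS: Summer2024!
===============
URL: https://mail.webmail.example/
USER: alice.home
PASS: hunter2
===============
URL: https://okta.scatterholt.example/
USER: alice
PASS: Summer2024!
===============
URL: https://shop.example/account
USER: alice.home
PASS: Summer2024!
===============
"""

ENTRY_RE = re.compile(r"URL:\s*(\S+)\s*\nUSER:\s*(.*)\nPASS:\s*(.*)")
DATE_RE = re.compile(r"Log date:\s*(\d{4}-\d{2}-\d{2})")


def parse_stealer_log(text):
    """Return (log_date or None, [entry dicts]); the host is taken from the URL."""
    m = DATE_RE.search(text)
    log_date = date.fromisoformat(m.group(1)) if m else None
    entries = []
    for url, user, password in ENTRY_RE.findall(text):
        entries.append({"host": (urlparse(url).hostname or "").lower(),
                        "user": user.strip(), "password": password.strip()})
    return log_date, entries


def is_corporate(host, suffixes):
    """True for the domain itself or any subdomain of a monitored suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(text, corporate_suffixes, today, fresh_days=7):
    """'incident' if the log is fresh and holds corporate logins, 'reset' if stale, else 'none'."""
    log_date, entries = parse_stealer_log(text)
    corp = [e for e in entries if is_corporate(e["host"], corporate_suffixes)]
    fresh = log_date is not None and (today - log_date) <= timedelta(days=fresh_days)
    if not corp:
        severity = "none"
    elif fresh:
        severity = "incident"
    else:
        severity = "reset"
    corp_passwords = {e["password"] for e in corp}
    # Non-corporate sites where a corporate password is reused must be reset too:
    # an attacker holding the log will try every password on every host in it.
    reused_on = sorted({e["host"] for e in entries
                        if not is_corporate(e["host"], corporate_suffixes)
                        and e["password"] in corp_passwords})
    return {
        "severity": severity,
        "fresh": fresh,
        "corporate_hosts": sorted({e["host"] for e in corp}),
        "accounts_to_reset": sorted({e["user"] for e in corp}),
        "reused_on": reused_on,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["scatterholt.example"], today=date(2024, 6, 5)))
```

The `fresh_days` threshold is a tuning knob: the article's point is that a log only days old almost certainly carries working passwords and live cookies, so it should open an incident rather than just a password-reset ticket.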

Screenshot from Telegram of a malware store (source: IT Services)

Defending Against Tier 3 Leaked Credentials

Limit the time-to-live (TTL) of session cookies for corporate applications, so that a cookie distributed in a stealer log stops working soon after the infection instead of remaining valid for days or weeks.
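What a bounded cookie lifetime looks like on the server side, as an added example rather than the article's or IT Services' code: a framework-neutral session table with an absolute lifetime, an idle timeout and a per-user revocation call for the moment a stealer log surfaces. Times are plain seconds so the expiry logic can be exercised without a real clock; the `Set-Cookie` attributes are standard ones, and the eight-hour and thirty-minute values are assumed, not taken from the article.

```python
"""Server-side sessions with absolute and idle lifetimes plus revocation.

Added example (not the article's or IT Services' code). It assumes a
framework-neutral session table keyed by an opaque cookie value; times are
seconds so the expiry logic can be tested without a clock.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # absolute lifetime is measured from here
    last_seen: float  # idle timeout is measured from here


class SessionStore:
    def __init__(self, absolute_ttl, idle_ttl):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, or None; expired ones are dropped."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.absolute_ttl or now - s.last_seen > self.idle_ttl:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user):
        """Kill every session of one user, e.g. when their stealer log surfaces."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def cookie_header(self, token):
        """Set-Cookie value: Max-Age caps the client copy at the absolute lifetime."""
        return (f"session={token}; Max-Age={self.absolute_ttl}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")


def stolen_cookie_demo():
    """Walk a stolen cookie through idle expiry, absolute expiry and revocation."""
    store = SessionStore(absolute_ttl=8 * 3600, idle_ttl=30 * 60)  # assumed values
    token = store.create("alice", now=0)
    still_valid = store.validate(token, now=10 * 60)           # 10 min later: fine
    after_idle = store.validate(token, now=50 * 60)            # 40 min idle: gone
    token2 = store.create("alice", now=0)
    for t in range(0, 8 * 3600, 20 * 60):                      # kept busy...
        store.validate(token2, now=t)
    after_absolute = store.validate(token2, now=8 * 3600 + 1)  # ...still capped
    token3 = store.create("alice", now=0)
    revoked = store.revoke_user("alice")                       # incident response
    after_revoke = store.validate(token3, now=1)
    return {"still_valid": still_valid, "after_idle": after_idle,
            "after_absolute": after_absolute, "revoked": revoked,
            "after_revoke": after_revoke}


if __name__ == "__main__":
    print(stolen_cookie_demo())
```

The absolute limit is the one that matters against infostealers: an idle timeout alone keeps a stolen cookie alive for as long as the attacker keeps using it, while server-side storage is what makes `revoke_user` possible at all.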

Multi-Factor Authentication Isn’t a Silver Bullet

If you don’t monitor leaked credentials, many of your employees are effectively relying on a single factor, because their passwords may already be exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.

Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.

The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.
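To make concrete what "temporary rotating codes" means, here is the derivation an authenticator app performs (HOTP from RFC 4226, driven by a time counter as in RFC 6238), as an added example that is not part of the article or of IT Services' product. The seed is the published RFC 6238 test vector so the output can be checked against the RFC; the verifier's drift window and its refusal to accept a code from an already-used step are design assumptions of this example, not something the article specifies.

```python
"""RFC 4226/6238 one-time codes: how an authenticator app derives its rotating code.

Added example (not the article's or IT Services' code). The secret is the
RFC 6238 test-vector seed so the output can be checked against the RFC; the
'used counter' bookkeeping for replay rejection is an assumption about how a
verifier should be built.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SEED = b"12345678901234567890"  # published test vector, not a real secret


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based OTP (RFC 4226): HMAC the counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """Time-based OTP (RFC 6238): the counter is the number of 30 s steps elapsed."""
    return hotp(secret, int(timestamp // step), digits)


def current_code(secret):
    """What the app shows right now (rotates every 30 s)."""
    return totp(secret, time.time())


class TotpVerifier:
    """Accepts codes from +/- `window` steps (clock drift) and never the same step twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code, timestamp):
        counter = int(timestamp // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted_counter:
                continue  # a code from this step was already spent: treat as replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(RFC6238_SEED, 59, digits=8))  # RFC 6238 lists 94287082
```

Because the code is a function of the shared secret and the current 30-second step, a captured code is worthless once the step has passed, and the verifier above also refuses a second use inside the same step. That does not stop a real-time relay of a freshly phished code, which is the 2FA-bot scenario the article mentions, so the authenticator app raises the bar rather than removing it.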

Concerned about Credentials? We Can Help

IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.


Sponsored and written by IT Services.


Exclusive: New York Times Source Code Hacked – Cybercriminals Exploit Vulnerable GitHub Token

An exposed GitHub token led to hackers stealing the New York Times’ source code. The attackers exploited the misconfigured token to gain access to the newspaper’s private repositories, highlighting the importance of securing GitHub tokens and the risks of leaving sensitive information exposed online.


Imagine waking up one day, sipping your coffee, and scrolling through your social media feed only to find out that your company’s sensitive data and source code have been leaked on an online message board. That’s precisely what happened to The New York Times when its internal data was stolen from the company’s GitHub repositories in January 2024 and later leaked on the 4chan message board. And we, at IT Services, are here to tell you all about it.

What Exactly Was Stolen?

As first reported by VX-Underground, an anonymous user posted a torrent containing a whopping 273GB of stolen data from The New York Times Company. This data included “basically all source code,” with around 5,000 repositories and 3.6 million files in total.

From what we can tell, the data stolen spans a wide variety of information, including IT documentation, infrastructure tools, and even source code for the popular Wordle game. The fact that such a diverse range of information was taken highlights the need for robust cybersecurity measures.

How Did This Happen?

According to a ‘readme’ file in the stolen data archive, the threat actor responsible for this breach managed to access the company’s repositories using an exposed GitHub token. In a statement provided to us, The Times confirmed that the breach occurred in January 2024 after credentials for a cloud-based third-party code platform (which was later revealed to be GitHub) were exposed.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

Source: The New York Times

It’s important to note that The Times stated that the breach of its GitHub account didn’t affect its internal corporate systems and had no impact on its operations, which is a small silver lining in this story.

Not the Only One

Interestingly, The Times’ leak wasn’t the only one that happened on 4chan that week. The first leak involved 415MB of stolen internal documents for Disney’s Club Penguin game. We were told by sources that this leak was part of a more significant breach of Disney’s Confluence server, where threat actors stole 2.5 GB of internal corporate data. At this time, it’s unclear if the same person conducted both the New York Times and Disney breaches.

What Can We Learn From This?

The breaches of The New York Times and Disney serve as stark reminders of the importance of robust cybersecurity measures. Companies, big and small, need to invest in their cybersecurity infrastructure and adopt best practices to protect their sensitive data and intellectual property. Remember, it only takes one weak link in the security chain for threat actors to exploit and gain unauthorized access.

If you’re looking for guidance on how to strengthen your cybersecurity defenses or simply want to learn more about the latest threats and trends, don’t hesitate to reach out to us. We’re always here to help you stay one step ahead of the hackers. Keep coming back to learn more!


Wake-Up Call: The RansomHub Data Breach Impacting Christie’s Clients

Why You Should Be Concerned About the RansomHub Data Breach

It’s a brisk morning, and just like that, you receive a notification email from a prestigious auction house, Christie’s. You’re a valued client, and they’re letting you know that your sensitive personal information has been compromised in a recent data breach. You’re not alone – countless other clients have received similar notifications. The culprit? A cybercriminal group called RansomHub. This is a wake-up call, my friend, and it’s time to talk about cybersecurity.

Inside the RansomHub Data Breach

Imagine a thief breaking into your home and holding your valuable possessions ransom. RansomHub operates similarly, but in the digital world. They infiltrate a company’s network, steal sensitive data, and demand a hefty ransom in exchange for not leaking the information. In Christie’s case, they couldn’t prevent the breach. Their clients’ data, including names, addresses, and financial information, is now at risk. The question isn’t whether or not you should be worried—it’s how worried you should be.

Why This Matters to You

It’s not just about Christie’s clients. The fact is, data breaches are becoming more and more common. In 2021 alone, there were over 1,200 reported data breaches, impacting over 300 million individuals in the U.S. It’s clear that no one is immune, and everyone needs to take cybersecurity more seriously. Even if you haven’t been directly affected by the RansomHub breach, it’s a stark reminder that your personal information could be at risk at any moment.

What You Can Do to Protect Yourself

Feel like you’re being followed in a dark alley? It’s time to take action. Here are some simple steps you can take to safeguard your sensitive data:

  1. Regularly update your passwords: Use different, complex passwords for each of your accounts and change them periodically.
  2. Enable multi-factor authentication: Add an extra layer of security by requiring a unique code or fingerprint to access your accounts.
  3. Monitor your accounts closely: Keep an eye out for any suspicious activity or unauthorized access to your accounts.
  4. Stay informed about the latest cybersecurity threats: Knowledge is power, so keep up-to-date with the latest news on data breaches and cybersecurity trends.

Together, We Can Combat Cybersecurity Threats

It’s time to step up and protect ourselves, our businesses, and our personal information from cybercriminals like RansomHub. By staying informed, taking proactive steps to safeguard our data, and encouraging others to do the same, we can make a difference in the fight against cybercrime.

Don’t let this wake-up call go unanswered. Contact us today to learn more about how you can protect yourself from data breaches and keep coming back for the latest cybersecurity updates.

Why Cybersecurity Matters: A Personal Insight

Picture this: You’re sitting in your favorite coffee shop, sipping on a latte, and catching up on your emails. You click on a seemingly harmless message, and suddenly, you’re locked out of your account. Your passwords have been compromised, and your personal information is at risk. Sounds terrifying, right? Well, it’s time we talk about cybersecurity and why it’s essential in today’s digital world.

Understanding the Threat Landscape

Think of cybersecurity like a game of chess. To win, you need to understand the board and anticipate your opponent’s moves. In the digital realm, your opponents are cybercriminals, and their moves are constantly changing. According to Cybersecurity Ventures, cybercrime is predicted to cost the world $10.5 trillion annually by 2025, a staggering figure that highlights the importance of staying ahead of these threats.

So, Who’s At Risk?

The short answer? Everyone. From individuals to large corporations, no one is immune to cyberattacks. A recent high-profile example is the Christie’s RansomHub data breach, where the esteemed auction house’s clients had their personal information exposed. It just goes to show that even well-established organizations can fall victim to cybercrime.

Protecting Your Digital Kingdom

Imagine your digital life as a castle. You need to fortify it with strong walls, a moat, and guards to keep intruders at bay. Here are some simple steps to help protect your online identity:

  1. Use strong, unique passwords for all your accounts, and consider using a password manager to keep track of them.
  2. Enable two-factor authentication wherever possible, adding an extra layer of security.
  3. Keep your software up to date, as outdated software can be vulnerable to attacks.
  4. Be cautious with public Wi-Fi, and consider using a VPN to encrypt your data while connected to unsecured networks.
  5. Stay informed about the latest threats and how to protect yourself from them.

A Call to Action

Now that you know the importance of cybersecurity and how to defend your digital castle, it’s time for action. Stay vigilant, and don’t let your guard down. And remember, we’re here to help you navigate the ever-evolving world of cybersecurity. So reach out to us with any questions, concerns, or if you just want to learn more. Let’s work together to protect your digital kingdom!


Imagine having your sensitive personal information exposed to the world. That’s the reality for many individuals who’ve fallen victim to the RansomHub ransomware gang, and one of their recent targets was the British auction house Christie’s.

Christie’s Suffers Security Breach

On May 9, 2024, Christie’s discovered a security breach that affected some of its systems. They immediately took measures to secure their network and called in external cybersecurity experts to help investigate the incident’s impact. The auction house also notified law enforcement and is now working to support their investigation.

During the analysis of the breach, Christie’s found that a threat actor accessed and extracted customer files between May 8 and May 9. Following the investigation, Christie’s reviewed the accessed files to identify individuals whose information may have been affected, obtain their contact information, and alert them of the incident after completing the review on May 30.

In the data breach notification letters sent to affected individuals, Christie’s stated that they are “not aware of any attempts to misuse your information as a result of this incident.” They also mentioned taking additional steps to secure their systems and continue evaluating technical and organizational measures to avoid a recurrence of a similar incident.

To help impacted people, Christie’s is offering a free twelve-month subscription to the CyEx Identity Defense Total identity theft and fraud monitoring service. This service will alert individuals of changes to their Experian, Equifax, and TransUnion credit files, helping them spot any potentially fraudulent activity on their credit reports.

RansomHub Claims Responsibility

Although Christie’s didn’t name the attackers behind the May breach, the RansomHub gang added the auction house to its dark web leak portal. They claimed to have breached Christie’s systems and stolen sensitive client data, including full names, addresses, ID document details, and other personal information of at least 500,000 clients.

RansomHub has since updated the Christie’s entry, saying that they’ve sold the stolen data on their own auction platform. However, we couldn’t independently verify the threat actors’ claims that they sold the data.

RansomHub is a relatively new operation; it demands a ransom payment from victims in exchange for not leaking files stolen during attacks. If negotiations fail, they often auction the stolen files exclusively to the highest bidder. They’ve recently claimed the breach of leading U.S. telecom provider Frontier Communications, which had to shut down its systems in April to contain a cyberattack. The company warned 750,000 customers this week that their information was exposed in a data breach.

How Can You Protect Yourself?

Unfortunately, data breaches are becoming increasingly common, and even high-profile organizations like Christie’s aren’t immune. It’s more important than ever to stay informed and take steps to protect your personal information. Regularly monitoring your credit reports, using strong, unique passwords, and being cautious about the information you share online are all essential.

Don’t wait until it’s too late. Reach out to IT Services to learn more about how you can protect yourself in this ever-evolving digital landscape. Stay informed, stay protected, and keep coming back for the latest cybersecurity insights.


Frontier Alerts 750,000 Customers of Data Breach Following Intense Extortion Threats

US internet service provider Frontier Communications has warned 750,000 customers of a potential data breach after extortion threats were received. The company is investigating the breach and has alerted the FBI, while customers are being offered free identity protection services.


Imagine you’re a Frontier Communications customer, and you just found out that your personal information was exposed in a data breach. You’re one of 750,000 customers affected by an April cyberattack carried out by the RansomHub ransomware operation. How would you feel? Your privacy has been invaded, and you’re now at risk for identity theft and other potential harm.

For those of you who may not know, Frontier is a major U.S. communications provider that delivers gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states. In mid-April 2024, the company fell victim to a cyberattack, which allowed hackers to access customers’ personal information stored on its systems.

According to the data breach notification sent to impacted customers, the breach exposed the full names and Social Security Numbers (SSNs) of 751,895 customers. Fortunately, no customer financial information was compromised in this incident.

Since discovering the breach, Frontier has informed regulatory authorities and implemented additional measures to strengthen its network security. Investigations on the incident’s impact are currently underway. Impacted clients are also being offered one year of free credit monitoring and identity theft services through Kroll.

Many Frontier customers reported that their Internet connection went down during the attack, and support phone numbers played prerecorded messages instead of connecting to a human operator. This shows the far-reaching effects of a cyberattack on both individuals and businesses.

Who’s Behind the Attack?

RansomHub, an extortion group, claimed responsibility for the attack on Frontier earlier this week. They added Frontier Communications to their extortion portal on the dark web, threatening to leak 5GB of data allegedly stolen during the attack, containing the information of 2 million customers.

The group has given Frontier until June 14 to respond to their demands, or they will sell the data to the highest bidder. This leaves Frontier customers vulnerable to potential scams and identity theft.

RansomHub was recently exposed as a likely buyer of the Knight ransomware source code, but they rarely use encryption in their attacks, typically limiting the scope to data-theft-based extortion. In the case of Frontier Communications, there’s no mention of encryption or reports about service outages apart from those linked to the containment measures in mid-April.

What Can You Do to Protect Yourself?

If you are a Frontier customer, it is essential to take precautions to protect your personal information. Here are some steps you can take:

  • Treat unsolicited communications with caution and avoid sharing information with people you don’t know.
  • Reset your account passwords to prevent unauthorized access.
  • Monitor your bank statements for suspicious activity.

It’s crucial to stay vigilant and proactive in protecting your personal information from cybercriminals. While companies like Frontier are continually working to improve their cybersecurity measures, it’s ultimately up to each of us to take responsibility for our own safety in the digital world.

If you want to learn more about protecting yourself from cyberattacks and staying informed about the latest cybersecurity news, we encourage you to keep coming back to IT Services. We’re here to help you navigate the ever-changing landscape of cybersecurity and provide you with the tools and knowledge you need to stay safe online.

Copyright © 2023 IT Services Network.