Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars
Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.
In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.
It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.
At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.
This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.
Understanding Leaked Credentials
To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.
Tier 1 Leaked Credentials
Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.
For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.
Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.
Defending Against Tier 1 Leaked Credentials
Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.
Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.
Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.
The Special Case of Combolists
Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.
These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.
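The monitoring the article recommends (watching leak material for corporate employee addresses) and the combolist material just described can be illustrated together. The following is an added example, not code from the article or from IT Services: it parses a constructed dump that mixes stealer-log lines (`url:user:password`) with combolist lines (`user:password`), keeps only accounts in an assumed corporate domain (`example.com`, a placeholder), records a short password fingerprint instead of the plaintext, and maps each hit onto the article's tiers for triage.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed corporate mail domains to watch (placeholder value for the example).
CORPORATE_DOMAINS = {"example.com"}

# Constructed sample dump: stealer-log style lines (url:user:password) mixed with
# combolist style lines (user:password) and junk, as typically seen in leak material.
SAMPLE_DUMP = """\
https://portal.example.com/login:alice@example.com:Summer2024!
https://mail.example.com:alice@example.com:Summer2024!
alice@example.com:Summer2024!
bob@example.com:hunter2
https://shop.example.net/account:carol@gmail.com:p@ssw0rd
garbage line without separator
"""


def parse_line(line: str):
    """Return (host, user, password) for one dump line, or None if unparseable.

    Stealer logs usually prefix a URL; since URLs themselves contain ':',
    split from the right. A password containing ':' stays ambiguous in a
    combolist line, which is a limitation of the format itself.
    """
    line = line.strip()
    if not line:
        return None
    if line.lower().startswith(("http://", "https://")):
        parts = line.rsplit(":", 2)
        if len(parts) != 3:
            return None
        url, user, password = parts
        host = urlsplit(url).hostname or url
    else:
        parts = line.split(":", 1)
        if len(parts) != 2:
            return None
        user, password = parts
        host = None
    return host, user.strip().lower(), password


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so findings can be correlated without storing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def scan_dump(text: str, domains=frozenset(CORPORATE_DOMAINS)) -> dict:
    """Collect per-account findings for corporate addresses found in the dump."""
    findings = defaultdict(lambda: {"count": 0, "hosts": set(), "fingerprints": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, user, password = rec
        if user.rpartition("@")[2] not in domains:
            continue
        entry = findings[user]
        entry["count"] += 1
        entry["fingerprints"].add(fingerprint(password))
        if host:
            entry["hosts"].add(host)
    return dict(findings)


def triage(finding: dict) -> dict:
    """Map one account's finding onto the article's tiers and a response action."""
    from_stealer_log = bool(finding["hosts"])
    reused = len(finding["hosts"]) > 1 and len(finding["fingerprints"]) == 1
    if from_stealer_log:
        # Host-scoped entries come from a stealer log: per the article, treat as an
        # incident (tier 2/3), reset the password and revoke active sessions.
        action = "incident"
    else:
        # Bare user:password pairs are third-party dump / combolist material (tier 1).
        action = "reset"
    return {"action": action, "password_reused": reused}


if __name__ == "__main__":
    for account, finding in scan_dump(SAMPLE_DUMP).items():
        print(account, triage(finding), sorted(finding["hosts"]))
```

Storing only a fingerprint keeps the monitoring system from becoming a second copy of the leak while still showing, as for `alice@example.com` above, that one password was saved for several corporate hosts, which is the reuse pattern the article warns about.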
Tier 2 Leaked Credentials
Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.
We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:
- A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
- These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
- These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.
Tier 3 Leaked Credentials
This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.
Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.
Defending Against Tier 3 Leaked Credentials
Limit the time-to-live (TTL) for corporate applications to reduce the risk of session cookies remaining valid if distributed as a result of an infostealer infection.
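A server-side session table that enforces such a TTL, as an added example that is not part of the article or any IT Services product. The policy values (8-hour absolute lifetime, 30-minute idle timeout) and the client fingerprint based on the User-Agent string are assumptions chosen for the illustration; the store rejects a cookie past either limit, rejects the same cookie presented from a different client, and provides a per-user revocation for the incident response the article calls for when a fresh stealer log appears.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumed policy values for the example: 8-hour absolute lifetime and 30-minute
# idle timeout. Shorter values shrink the window in which a cookie copied by an
# infostealer is still usable.
ABSOLUTE_TTL = 8 * 60 * 60
IDLE_TTL = 30 * 60


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    client_fp: str  # fingerprint of client attributes captured at login


def client_fingerprint(user_agent: str) -> str:
    """Hash of the client attributes bound to the session (User-Agent only here)."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side session table keyed by the cookie value."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, client_fingerprint(user_agent))
        return token

    def validate(self, token: str, user_agent: str, now: float) -> str:
        """Return 'ok' or the reason the cookie was rejected (and drop it)."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.issued_at > ABSOLUTE_TTL:
            self._sessions.pop(token)
            return "expired_absolute"
        if now - s.last_seen > IDLE_TTL:
            self._sessions.pop(token)
            return "expired_idle"
        if s.client_fp != client_fingerprint(user_agent):
            # Same cookie presented from a different client: the pattern a replayed
            # stealer-log cookie produces. Revoke and let the caller raise an alert.
            self._sessions.pop(token)
            return "client_mismatch"
        s.last_seen = now
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Incident response: end every session of a user found in a fresh stealer log."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            self._sessions.pop(t)
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice", "Mozilla/5.0 (constructed)", now=0)
    print(store.validate(cookie, "Mozilla/5.0 (constructed)", now=60))
    print(store.validate(cookie, "curl/8.0 (constructed)", now=120))
```

The idle timeout is what limits a cookie that was copied but not yet used; the absolute limit caps a cookie the attacker keeps alive by touching it, which is why both are needed.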
Multi-Factor Authentication Isn’t a Silver Bullet
If you are not monitoring leaked credentials, many of your employees are likely relying on what is effectively single-factor authentication, because their passwords may already have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.
Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.
The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.
Concerned about Credentials? We Can Help
IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.
Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.
Sponsored and written by IT Services.
Interbank Admits to Data Breach After Unsuccessful Extortion Attempt and Massive Information Leak
Peruvian Interbank confirms a data breach after refusing to pay extortion demands. The hackers leaked customer information, but the bank assures no financial data was compromised. Interbank warns clients of potential phishing attacks and urges them to be cautious when providing personal information.
Imagine waking up one day to find your personal and financial information plastered all over the internet. It’s a nightmare scenario, isn’t it? Well, that’s precisely what happened to a group of customers at Interbank, one of Peru’s leading financial institutions, which serves over 2 million people.
Interbank confirms data breach
Interbank recently confirmed that a data breach occurred, with a hacker gaining unauthorized access to its systems and leaking stolen data online. The bank immediately deployed additional security measures to protect its clients’ operations and information. While their online platforms and mobile app experienced temporary outages, Interbank has assured customers that their deposits are safe and that most of their operations are back online.
Stolen data for sale on hacking forums
As if the breach wasn’t bad enough, a threat actor with the handle “kzoldyck” has been spotted by Dark Web Informer selling the stolen data on several hacking forums. The data in question includes customers’ full names, account IDs, birth dates, addresses, phone numbers, email addresses, IP addresses, and sensitive financial information like credit card numbers, CVV codes, and even plaintext credentials.
The hacker claims to have information on more than 3 million customers, with a total data cache of over 3.7 terabytes. They also mention possessing internal API credentials, LDAP, and Azure credentials. It’s worth noting that the hacker reportedly attempted to extort Interbank’s management two weeks prior, but the bank refused to pay.
So, what can you learn from this?
As a U.S. reader, you might be thinking, “That’s terrible, but it’s in Peru, so it doesn’t affect me.” Unfortunately, that’s not the case. Cybersecurity threats know no borders, and hackers are constantly seeking out new targets. In fact, data breaches have become increasingly common in recent years, with a 2021 report from the Identity Theft Resource Center showing a 17% increase in publicly reported data breaches in the U.S. compared to 2020.
This case serves as a stark reminder that no one is immune to the dangers of cyber threats. It’s essential to stay vigilant and educate yourself on how to protect your personal and financial information. Consider working with IT Services who can provide you with guidance and resources to stay one step ahead of the hackers.
Don’t let this happen to you
Be proactive in safeguarding your data and take the necessary steps now to protect your information. Reach out to us at IT Services to learn more about how we can help you and your business stay safe in this digital age. Remember, the best defense is a good offense, so don’t wait for a data breach to happen before taking action.
Free, France’s No. 2 ISP, Admits to Data Breach Following Shocking Leak
Free, France’s second-largest ISP, has confirmed a data breach impacting 700,000 customers. The exposed data includes names, addresses, emails, and phone numbers. The company has implemented additional security measures and is urging users to change their account passwords.
Imagine waking up one day to find out your personal information has been stolen by hackers. That’s precisely what happened to millions of customers of Free, a major internet service provider (ISP) in France. Over the weekend, the company confirmed that its systems were breached, and customer data was stolen.
Free is no small player in the telecommunications industry. With over 22.9 million mobile and fixed subscribers at the end of June, it’s the second-largest telecommunications company in France and a subsidiary of the Iliad Group, Europe’s sixth-largest mobile operator by the number of subscribers. That’s a lot of people potentially affected by this breach!
The company has taken action by filing a criminal complaint with the public prosecutor and notifying the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI) of the incident.
What happened and who is affected?
According to a Free spokesperson, the hack targeted a management tool that exposed subscribers’ data. Thankfully, the attackers failed to access customer passwords, bank card information, and communications content (including “emails, SMS, voice messages, etc.”). However, the data that was stolen is now being auctioned on BreachForums to the highest bidder.
The threat actor responsible for the breach, known as “drussellx,” claims that the breach impacts almost a third of France’s population. They say that the data breach affects 19.2 million customers and contains over 5.11 million International Bank Account Numbers (IBANs). It affects all Free Mobile and Freebox customers and includes the IBANs of all 5.11 million Freebox subscribers.
How can you protect yourself?
Free has assured its customers that the stolen IBANs are “not enough to make a direct debit from a bank.” However, it’s essential for subscribers to be vigilant against phishing attempts. Never communicate your access codes or bank card information, whether by email, SMS, or during a call. If you notice an unusual direct debit that doesn’t correspond to any known invoice amount or date, inform your bank, as they’re obliged to reimburse you for fraudulent charges.
So, what can we learn from this incident? Cybersecurity threats are real and can affect anyone, even major telecommunications companies. It’s crucial to stay informed about potential risks and take steps to protect our personal information.
Stay informed and stay protected
As your trusted IT Services provider, we’re here to help you stay informed about cybersecurity threats and keep your information safe. Our team of experts is always on the lookout for the latest cybersecurity news, trends, and best practices. So don’t hesitate to contact us for guidance and advice on how to keep your data secure. And remember, knowledge is power – the more you know about cybersecurity, the better equipped you’ll be to protect yourself and your information.
UnitedHealth Reveals Massive Data Breach: 100 Million Records Stolen from Change Healthcare
Discover how UnitedHealth Group suffered a data breach at Change Healthcare, impacting over 100 million individuals. Learn about the unauthorized access and possible consequences for those affected in this major healthcare cyberattack.
It’s official: over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, making it the largest healthcare data breach in recent years. UnitedHealth, the parent company of Change Healthcare, has finally confirmed this staggering number.
Just imagine that: “maybe a third” of all Americans’ health data was exposed in this attack, as UnitedHealth CEO Andrew Witty warned during a congressional hearing in May. This is a massive breach that has affected a “substantial proportion of people in America.”
So, what exactly was stolen during this ransomware attack? According to data breach notifications sent by Change Healthcare, the sensitive information includes health insurance details, medical history, billing and payment info, and other personal data like Social Security numbers and driver’s license numbers. Not everyone’s complete medical history was exposed, but still, the sheer scale of this breach is alarming.
How did the Change Healthcare ransomware attack happen?
In February, the UnitedHealth subsidiary Change Healthcare fell victim to a ransomware attack that led to widespread outages in the U.S. healthcare system. The culprits? The BlackCat ransomware gang, aka ALPHV, who used stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.
During the attack, the criminals stole a whopping 6 TB of data and encrypted computers on the network. This caused the company to shut down IT systems to prevent further damage. In the aftermath, doctors and pharmacies were unable to file claims, and patients were forced to pay full price for medications because pharmacies couldn’t accept discount prescription cards.
UnitedHealth Group ended up paying a ransom demand of allegedly $22 million to receive a decryptor and ensure the stolen data would be deleted. However, the ransomware gang pulled a fast one: they suddenly shut down and stole the entire payment for themselves, leaving Change Healthcare’s data in the hands of a rogue affiliate.
As if that wasn’t enough, the affiliate partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data not to be released. It’s unclear whether UnitedHealth paid a second ransom demand, as the entry for Change Healthcare on RansomHub’s data leak site disappeared a few days later.
The financial toll of this attack has been enormous. UnitedHealth reported in April that the ransomware attack caused $872 million in losses, which increased to an expected $2.45 billion for the nine months to September 30, 2024, as part of their Q3 2024 earnings.
What can we learn from this massive breach?
This incident highlights the importance of strong cybersecurity measures, especially in the healthcare industry. We must prioritize the protection of sensitive data and invest in robust security systems to prevent future attacks. It’s time for all of us to take cybersecurity seriously.
Stay informed and keep coming back to learn more about the latest cybersecurity news, threats, and best practices. Together, we can work towards a safer digital landscape. If you have any questions or concerns about your organization’s security, don’t hesitate to reach out to us. We’re here to help.