Connect with us

Malware

Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars

Published

on

Person typing on a keyboard

Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.

In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.

It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.

At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.

This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.

Understanding Leaked Credentials

To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.

Tier 1 Leaked Credentials

Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.

For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.

Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.

Defending Against Tier 1 Leaked Credentials

Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.

Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.

Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.

The Special Case of Combolists

Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.

Screenshot of combolist
Screenshot of combolist
Source: IT Services

These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.

Tier 2 Leaked Credentials

Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.

We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:

  • A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
  • These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
  • These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.

Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Source: IT Services

Tier 3 Leaked Credentials

This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.

Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.

Screenshot from Telegram of a malware store
Screenshot from Telegram of a malware store
Source: IT Services

Defending Against Tier 3 Leaked Credentials

Limit the time-to-live (TTL) for corporate applications to reduce the risk of session cookies remaining valid if distributed as a result of an infostealer infection.

Multi-Factor Authentication Isn’t a Silver Bullet

Not monitoring leaked credentials likely means that many of your employees use single-factor authentication, as their passwords may have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.

Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.

The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.

Concerned about Credentials? We Can Help

IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.

Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.

Check out our free trial.

Sponsored and written by IT Services.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Malware

Wake-Up Call: The RansomHub Data Breach Impacting Christie’s Clients

Why You Should Be Concerned About the RansomHub Data Breach



It’s a brisk morning, and just like that, you receive a notification email from a prestigious auction house, Christie’s. You’re a valued client, and they’re letting you know that your sensitive personal information has been compromised in a recent data breach. You’re not alone – countless other clients have received similar notifications. The culprit? A cybercriminal group called RansomHub. This is a wake-up call, my friend, and it’s time to talk about cybersecurity.



Inside the RansomHub Data Breach



Imagine a thief breaking into your home and holding your valuable possessions ransom. RansomHub operates similarly, but in the digital world. They infiltrate a company’s network, steal sensitive data, and demand a hefty ransom in exchange for not leaking the information. In Christie’s case, they couldn’t prevent the breach. Their clients’ data, including names, addresses, and financial information, is now at risk. The question isn’t whether or not you should be worried—it’s how worried you should be.



Why This Matters to You



It’s not just about Christie’s clients. The fact is, data breaches are becoming more and more common. In 2021 alone, there were over 1,200 reported data breaches, impacting over 300 million individuals in the U.S. It’s clear that no one is immune, and everyone needs to take cybersecurity more seriously. Even if you haven’t been directly affected by the RansomHub breach, it’s a stark reminder that your personal information could be at risk at any moment.



What You Can Do to Protect Yourself



Feel like you’re being followed in a dark alley? It’s time to take action. Here are some simple steps you can take to safeguard your sensitive data:




  1. Regularly update your passwords: Use different, complex passwords for each of your accounts and change them periodically.

  2. Enable multi-factor authentication: Add an extra layer of security by requiring a unique code or fingerprint to access your accounts.

  3. Monitor your accounts closely: Keep an eye out for any suspicious activity or unauthorized access to your accounts.

  4. Stay informed about the latest cybersecurity threats: Knowledge is power, so keep up-to-date with the latest news on data breaches and cybersecurity trends.



Together, We Can Combat Cybersecurity Threats



It’s time to step up and protect ourselves, our businesses, and our personal information from cybercriminals like RansomHub. By staying informed, taking proactive steps to safeguard our data, and encouraging others to do the same, we can make a difference in the fight against cybercrime.



Don’t let this wake-up call go unanswered. Contact us today to learn more about how you can protect yourself from data breaches and keep coming back for the latest cybersecurity updates.

Why Cybersecurity Matters: A Personal Insight

Picture this: You’re sitting in your favorite coffee shop, sipping on a latte, and catching up on your emails. You click on a seemingly harmless message, and suddenly, you’re locked out of your account. Your passwords have been compromised, and your personal information is at risk. Sounds terrifying, right? Well, it’s time we talk about cybersecurity and why it’s essential in today’s digital world.

Understanding the Threat Landscape

Think of cybersecurity like a game of chess. To win, you need to understand the board and anticipate your opponent’s moves. In the digital realm, your opponents are cybercriminals, and their moves are constantly changing. According to Cybersecurity Ventures, cybercrime is predicted to cost the world $10.5 trillion annually by 2025, a staggering figure that highlights the importance of staying ahead of these threats.

So, Who’s At Risk?

The short answer? Everyone. From individuals to large corporations, no one is immune to cyberattacks. A recent high-profile example is the Christie’s Ransomhub data breach, where the esteemed auction house’s clients had their personal information exposed. It just goes to show that even well-established organizations can fall victim to cybercrime.

Protecting Your Digital Kingdom

Imagine your digital life as a castle. You need to fortify it with strong walls, a moat, and guards to keep intruders at bay. Here are some simple steps to help protect your online identity:

  1. Use strong, unique passwords for all your accounts, and consider using a password manager to keep track of them.
  2. Enable two-factor authentication wherever possible, adding an extra layer of security.
  3. Keep your software up to date, as outdated software can be vulnerable to attacks.
  4. Be cautious with public Wi-Fi, and consider using a VPN to encrypt your data while connected to unsecured networks.
  5. Stay informed about the latest threats and how to protect yourself from them.

A Call to Action

Now that you know the importance of cybersecurity and how to defend your digital castle, it’s time for action. Stay vigilant, and don’t let your guard down. And remember, we’re here to help you navigate the ever-evolving world of cybersecurity. So reach out to us with any questions, concerns, or if you just want to learn more. Let’s work together to protect your digital kingdom!

Published

on

Imagine having your sensitive personal information exposed to the world. That’s the reality for many individuals who’ve fallen victim to the RansomHub ransomware gang, and one of their recent targets was the British auction house Christie’s.

Christie’s Suffers Security Breach

On May 9, 2024, Christie’s discovered a security breach that affected some of its systems. They immediately took measures to secure their network and called in external cybersecurity experts to help investigate the incident’s impact. The auction house also notified law enforcement and is now working to support their investigation.

During the analysis of the breach, Christie’s found that a threat actor accessed and extracted customer files between May 8 and May 9. Following the investigation, Christie’s reviewed the accessed files to identify individuals whose information may have been affected, obtain their contact information, and alert them of the incident after completing the review on May 30.

In the data breach notification letters sent to affected individuals, Christie’s stated that they are “not aware of any attempts to misuse your information as a result of this incident.” They also mentioned taking additional steps to secure their systems and continue evaluating technical and organizational measures to avoid a recurrence of a similar incident.

To help impacted people, Christie’s is offering a free twelve-month subscription to the CyEx Identity Defense Total identity theft and fraud monitoring service. This service will alert individuals of changes to their Experian, Equifax, and TransUnion credit files, helping them spot any potentially fraudulent activity on their credit reports.

RansomHub Claims Responsibility

Although Christie’s didn’t name the attackers behind the May breach, the RansomHub gang added the auction house to its dark web leak portal. They claimed to have breached Christie’s systems and stolen sensitive client data, including full names, addresses, ID document details, and other personal information of at least 500,000 clients.

RansomHub has since updated the Christie’s entry, saying that they’ve sold the stolen data on their own auction platform. However, we couldn’t independently verify the threat actors’ claims that they sold the data.

While RansomHub is a relatively new operation, they demand ransom payment from victims in exchange for not leaking files stolen during attacks. If negotiations fail, they often auction the stolen files exclusively to the highest bidder. They’ve recently claimed the breach of leading U.S. telecom provider Frontier Communications, which had to shut down its systems in April to contain a cyberattack. The company warned 750,000 customers this week that their information was exposed in a data breach.

How Can You Protect Yourself?

Unfortunately, data breaches are becoming increasingly common, and even high-profile organizations like Christie’s aren’t immune. It’s more important than ever to stay informed and take steps to protect your personal information. Regularly monitoring your credit reports, using strong, unique passwords, and being cautious about the information you share online are all essential.

Don’t wait until it’s too late. Reach out to IT Services to learn more about how you can protect yourself in this ever-evolving digital landscape. Stay informed, stay protected, and keep coming back for the latest cybersecurity insights.

Continue Reading

Malware

Frontier Alerts 750,000 Customers of Data Breach Following Intense Extortion Threats

US internet service provider Frontier Communications has warned 750,000 customers of a potential data breach after extortion threats were received. The company is investigating the breach and has alerted the FBI, while customers are being offered free identity protection services.

Published

on

Imagine you’re a Frontier Communications customer, and you just found out that your personal information was exposed in a data breach. You’re one of 750,000 customers affected by an April cyberattack carried out by the RansomHub ransomware operation. How would you feel? Your privacy has been invaded, and you’re now at risk for identity theft and other potential harm.

For those of you who may not know, Frontier is a major U.S. communications provider that delivers gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states. In mid-April 2024, the company fell victim to a cyberattack, which allowed hackers to access customers’ personal information stored on its systems.

According to the data breach notification sent to impacted customers, the breach exposed the full names and Social Security Numbers (SSNs) of 751,895 customers. Fortunately, no customer financial information was compromised in this incident.

Since discovering the breach, Frontier has informed regulatory authorities and implemented additional measures to strengthen its network security. Investigations on the incident’s impact are currently underway. Impacted clients are also being offered one year of free credit monitoring and identity theft services through Kroll.

Many Frontier customers reported that their Internet connection went down during the attack, and support phone numbers played prerecorded messages instead of connecting to a human operator. This shows the far-reaching effects of a cyberattack on both individuals and businesses.

Who’s Behind the Attack?

RansomHub, an extortion group, claimed responsibility for the attack on Frontier earlier this week. They added Frontier Communications to their extortion portal on the dark web, threatening to leak 5GB of data allegedly stolen during the attack, containing the information of 2 million customers.

The group has given Frontier until June 14 to respond to their demands, or they will sell the data to the highest bidder. This leaves Frontier customers vulnerable to potential scams and identity theft.

RansomHub was recently exposed as a likely buyer of the Knight ransomware source code, but they rarely use encryption in their attacks, typically limiting the scope to data-theft-based extortion. In the case of Frontier Communications, there’s no mention of encryption or reports about service outages apart from those linked to the containment measures in mid-April.

What Can You Do to Protect Yourself?

If you are a Frontier customer, it is essential to take precautions to protect your personal information. Here are some steps you can take:

  • Treat unsolicited communications with caution and avoid sharing information with people you don’t know.
  • Reset your account passwords to prevent unauthorized access.
  • Monitor your bank statements for suspicious activity.

It’s crucial to stay vigilant and proactive in protecting your personal information from cyber criminals. While companies like Frontier are continually working to improve their cybersecurity measures, it’s ultimately up to each of us to take responsibility for our own safety in the digital world.

If you want to learn more about protecting yourself from cyberattacks and staying informed about the latest cybersecurity news, we encourage you to keep coming back to IT Services. We’re here to help you navigate the ever-changing landscape of cybersecurity and provide you with the tools and knowledge you need to stay safe online.

Continue Reading

Malware

Los Angeles Unified School District Probes Alleged Data Theft: Unraveling the Shocking Truth

The Los Angeles Unified School District is investigating a data breach that may have compromised the personal information of over 100,000 students. The incident allegedly occurred due to an employee’s inappropriate access to the system. The district is working to restore security and protect the affected individuals from potential identity theft.

Published

on

Imagine this: you’re a parent of a student in the Los Angeles Unified School District (LAUSD), the second-largest public school district in the United States. You hear that a threat actor is claiming to be selling stolen databases containing records of millions of students and thousands of teachers. What would you do? How would you feel?

Well, that’s exactly what’s happening right now. LAUSD, which had over 25,900 teachers, around 48,700 other employees, and more than 563,000 students enrolled during the 2023-2024 school year, is currently investigating these claims.

A whopping 11GB of data for sale

The threat actor is offering the allegedly stolen data for $1,000 on a hacking forum. The CSV files up for grabs contain over 11GB of data, including more than 26 million student records, over 24,000 teacher records, and around 500 staff records, as first spotted by Dark Web Informer.

As proof of the data’s legitimacy, the threat actor shared two samples containing roughly 1,000 student records with Social Security Numbers (SSNs), addresses, parent addresses, email addresses, contact information, and dates of birth.

Now, as an IT Services provider, we’ve seen our fair share of cybersecurity incidents. But this one is alarming. While the data sample may be old, it still contains sensitive information that could be used for identity theft or other malicious purposes. And the worst part? There could be more recent data that hasn’t even been shared yet.

LAUSD and law enforcement on the case

When we contacted LAUSD about the threat actor’s claims, they said they were investigating and had informed law enforcement, who are now assisting in the investigation. The school district is clearly taking this situation seriously, as they should, given the potential impact on their students, families, and employees.

Alleged LAUSD stolen data for sale online
Alleged LAUSD stolen data for sale online

Not the first time: Vice Society ransomware attack

Unfortunately, this isn’t the first cybersecurity incident for LAUSD. In September 2022, the school district was hit by a ransomware attack over Labor Day weekend. The Vice Society gang claimed responsibility, stating that they had stolen 500GB of files before encrypting the district’s systems.

Following the attack, LAUSD implemented new security measures, such as requiring all employees and students to reset their @LAUSD.net account credentials in person at a district site and speeding up the rollout of multi-factor authentication.

But despite these efforts, almost a month later, Vice Society published the stolen LAUSD data on their dark web leak site, which included sensitive information such as confidential psychological assessments of students and legal documents.

At this time, it’s unclear whether the data currently being sold on the hacking forum is linked to the data stolen by Vice Society.

What can you do to protect yourself and your organization?

Whether you’re a parent, student, or employee of a school district, or even if you’re just concerned about your own cybersecurity, there are steps you can take to protect yourself and your organization. Stay informed about the latest threats, implement strong security measures, and don’t hesitate to reach out to IT Services providers like us for help.

We’re here to support you, educate you, and help you stay one step ahead of cybercriminals. Contact us today and let’s work together to keep your information safe and secure.

Continue Reading
Advertisement
Malware19 hours ago

Wake-Up Call: The RansomHub Data Breach Impacting Christie’s Clients

Why You Should Be Concerned About the RansomHub Data Breach



It’s a brisk morning, and just like that, you receive a notification email from a prestigious auction house, Christie’s. You’re a valued client, and they’re letting you know that your sensitive personal information has been compromised in a recent data breach. You’re not alone – countless other clients have received similar notifications. The culprit? A cybercriminal group called RansomHub. This is a wake-up call, my friend, and it’s time to talk about cybersecurity.



Inside the RansomHub Data Breach



Imagine a thief breaking into your home and holding your valuable possessions ransom. RansomHub operates similarly, but in the digital world. They infiltrate a company’s network, steal sensitive data, and demand a hefty ransom in exchange for not leaking the information. In Christie’s case, they couldn’t prevent the breach. Their clients’ data, including names, addresses, and financial information, is now at risk. The question isn’t whether or not you should be worried—it’s how worried you should be.



Why This Matters to You



It’s not just about Christie’s clients. The fact is, data breaches are becoming more and more common. In 2021 alone, there were over 1,200 reported data breaches, impacting over 300 million individuals in the U.S. It’s clear that no one is immune, and everyone needs to take cybersecurity more seriously. Even if you haven’t been directly affected by the RansomHub breach, it’s a stark reminder that your personal information could be at risk at any moment.



What You Can Do to Protect Yourself



Feel like you’re being followed in a dark alley? It’s time to take action. Here are some simple steps you can take to safeguard your sensitive data:




  1. Regularly update your passwords: Use different, complex passwords for each of your accounts and change them periodically.

  2. Enable multi-factor authentication: Add an extra layer of security by requiring a unique code or fingerprint to access your accounts.

  3. Monitor your accounts closely: Keep an eye out for any suspicious activity or unauthorized access to your accounts.

  4. Stay informed about the latest cybersecurity threats: Knowledge is power, so keep up-to-date with the latest news on data breaches and cybersecurity trends.



Together, We Can Combat Cybersecurity Threats



It’s time to step up and protect ourselves, our businesses, and our personal information from cybercriminals like RansomHub. By staying informed, taking proactive steps to safeguard our data, and encouraging others to do the same, we can make a difference in the fight against cybercrime.



Don’t let this wake-up call go unanswered. Contact us today to learn more about how you can protect yourself from data breaches and keep coming back for the latest cybersecurity updates.

Malware2 days ago

Frontier Alerts 750,000 Customers of Data Breach Following Intense Extortion Threats

Malware3 days ago

Los Angeles Unified School District Probes Alleged Data Theft: Unraveling the Shocking Truth

Trending

Copyright © 2023 IT Services Network.