Over 400,000 Corporate Credentials Stolen by Info-stealing Malware

Cyber Security Threat Summary:
“The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces” (Bleeping Computer, 2023).

Many information stealers are sold under a subscription model; prominent examples include Redline, Raccoon, Titan, Aurora, and Vidar. Threat actors purchase access to the malware to run campaigns and harvest data from infected devices. Information stealers are typically installed by accident by users trying to download software: sometimes they are looking for cracked software, and sometimes they are tricked into downloading from a malicious page under the attacker's control.

According to the researchers, information stealers are having a massive impact on corporate environments. Employees using personal devices for work may be allowing information stealer infections to steal business credentials and authentication cookies.

Security Officer Comments:
More specifically, as cybersecurity firm Flare explains in a new report shared with BleepingComputer, approximately 375,000 logs contain access to business applications such as Salesforce, Hubspot, Quickbooks, AWS, GCP, Okta, and DocuSign. In particular, Flare found the following in the examined stealer logs:

  • 179,000 AWS Console credentials
  • 2,300 Google Cloud credentials
  • 64,500 DocuSign credentials
  • 15,500 QuickBooks credentials
  • 23,000 Salesforce credentials
  • 66,000 CRM credentials

The researchers also found 48,000 logs that include access to an enterprise-grade identity management service used for cloud and on-premise user authentication. Most of these logs (74%) were posted on Telegram channels, while 25% were seen on Russian-speaking marketplaces, like the 'Russian Market.'
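The kind of triage described above (sorting stealer-log entries by the business service they unlock and by whether the account belongs to the organisation) can be automated so a security team can reset the right accounts quickly. The script below is an added example, not code from Flare or from the BleepingComputer article. It assumes the common `URL:` / `USER:` / `PASS:` block layout of a stealer "passwords" file, a constructed sample log with invented values, an illustrative service suffix table, and `example-corp.com` as the organisation's mail domain; it deliberately never returns or prints the captured secrets.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the URL/USER/PASS block layout commonly seen in
# stealer "passwords" files. Every value here is invented for this example.
SAMPLE_LOG = """\
URL: https://console.aws.amazon.com/console/home
USER: alice@example-corp.com
PASS: hunter2

URL: https://example-corp.my.salesforce.com/
USER: bob@example-corp.com
PASS: Summer2023!

URL: https://account.docusign.com/
USER: carol@example-corp.com
PASS: p@ss w0rd

URL: https://www.facebook.com/login
USER: alice.personal@gmail.com
PASS: qwerty

URL: https://example-corp.okta.com/
USER: dave@example-corp.com
PASS: letmein
"""

# Hostname suffixes mapped to the business service they belong to.
# Assumption: this table is illustrative and is not Flare's classification.
SERVICE_SUFFIXES = {
    "console.aws.amazon.com": "AWS Console",
    "console.cloud.google.com": "Google Cloud",
    "docusign.com": "DocuSign",
    "qbo.intuit.com": "QuickBooks",
    "salesforce.com": "Salesforce",
    "okta.com": "Okta",
}

# Assumption: the mail domains owned by the organisation doing the triage.
CORPORATE_DOMAINS = {"example-corp.com"}

# One entry = three consecutive labelled lines; passwords may contain spaces.
ENTRY_RE = re.compile(
    r"URL:[ \t]*(?P<url>\S+)\s*USER:[ \t]*(?P<user>\S+)\s*PASS:[ \t]*(?P<pw>[^\n]*)"
)


def parse_entries(text):
    """Yield (url, user, password) triplets from a URL/USER/PASS block file."""
    for m in ENTRY_RE.finditer(text):
        yield m.group("url"), m.group("user"), m.group("pw").rstrip()


def classify(url):
    """Map a URL's host to a known business service, or None if unrecognised."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, service in SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def is_corporate(user):
    """True when the username is an e-mail address in one of our domains."""
    if "@" not in user:
        return False
    return user.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def triage(text):
    """Return the exposed corporate accounts per service.

    The password is parsed but intentionally dropped: the output is a reset
    list for the identity team, not a copy of the stolen data.
    """
    findings = []
    for url, user, _pw in parse_entries(text):
        service = classify(url)
        if service is None or not is_corporate(user):
            continue
        findings.append({"service": service, "user": user, "url": url})
    return findings


def summarize(text):
    """Count exposed corporate accounts by service, like the figures above."""
    return Counter(f["service"] for f in triage(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['service']:<12} {finding['user']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Matches are made on hostname suffixes rather than substrings so that a lookalike such as `salesforce.com.evil.example` is not misclassified; entries for personal sites or personal mailboxes are ignored because the goal is to reset corporate accounts and revoke their sessions, not to catalogue a user's private logins.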

Flare also found more than 200,000 stealer logs containing OpenAI credentials, which is double the amount that Group-IB reported recently and constitutes a risk for leaking proprietary information, internal business strategies, source code, and more.

For cybercriminals, corporate credentials are highly valued and can fetch a high price on private markets. These credentials provide excellent initial access points for further malicious activity like ransomware attacks. In many cases they can be used to access CRMs, RDP, VPNs, and SaaS applications, which in turn can be used to deploy persistent backdoors, ransomware, and other payloads like cryptocurrency miners.

Suggested Correction(s):
Software should only be downloaded from official sources, never from a third-party website, APK, or torrent service. Lately, we have seen an uptick in malicious advertisements pushing spoofed product pages on Google and Bing. Users should be trained to spot typosquatted domains and, where possible, to verify the downloaded file's hash against the one published by the vendor before running it.
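Checking a downloaded installer against the vendor's published hash is a small routine that is easy to get subtly wrong (reading a large file into memory, or comparing with `==`). The script below is an added example and not code from the original advisory; it assumes the vendor publishes a SHA-256 hex digest and that the user pastes it in as `expected_hex`. The only built-in test vector it relies on is the SHA-256 of the bytes `hello`.

```python
import hashlib
import hmac
import io
import sys

# Read in fixed-size chunks so multi-gigabyte installers do not need to fit in RAM.
CHUNK_SIZE = 1024 * 1024


def sha256_of_stream(stream):
    """Return the lowercase SHA-256 hex digest of a binary file-like object."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def normalize_hex(expected_hex):
    """Accept the digest as vendors print it (any case, stray whitespace) and validate it."""
    cleaned = expected_hex.strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 64-character SHA-256 hex digest")
    return cleaned


def verify_stream(stream, expected_hex):
    """True only when the stream's SHA-256 equals the published digest.

    hmac.compare_digest is used so the comparison takes the same time whether
    the digests differ in the first or the last character.
    """
    actual = sha256_of_stream(stream)
    return hmac.compare_digest(actual, normalize_hex(expected_hex))


def verify_bytes(data, expected_hex):
    """Convenience wrapper for in-memory data (used by the self-check below)."""
    return verify_stream(io.BytesIO(data), expected_hex)


def verify_file(path, expected_hex):
    """Verify a file on disk against the vendor-published digest."""
    with open(path, "rb") as fh:
        return verify_stream(fh, expected_hex)


# Known SHA-256 of the five bytes b"hello", used as a self-check vector.
HELLO_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


if __name__ == "__main__":
    # Usage: python verify_download.py <installer-path> <published-sha256>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <file> <sha256-hex>")
    ok = verify_file(sys.argv[1], sys.argv[2])
    print("hash matches vendor value" if ok else "HASH MISMATCH: do not run this file")
    sys.exit(0 if ok else 1)
```

A matching hash only proves the file is the one the vendor published; it does not help if the "vendor" page itself is a spoofed ad landing page, which is why the domain check in the paragraph above comes first.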

It is recommended that businesses minimize the risk of info-stealer malware infections by requiring password managers, enforcing multi-factor authentication, and setting strict controls on personal device use.

Link(s):
https://flare.io/learn/resources/stealer-logs-and-corporate-access
https://www.bleepingcomputer.com/