Thousands of corporate logins have been taken by info-stealing malware

Sead Fadilpašić
·4 min read
Phishing
Phishing

Hundreds of thousands of login credentials and other information needed to access business applications used by major corporations around the world have been found circulating on the dark web.

This is according to a new report from cybersecurity researchers Flare, which analyzed roughly 20 million logs generated by infostealers, and being sold on the dark web and in the hackers’ Telegram channels.

Logs are packages of information stolen in malware attacks and contain things like passwords stored in browsers, email data, messages from instant messaging platforms, cryptocurrency wallet information, and more.

In its analysis, Flare discovered some 370,000 logs that offer access to Salesforce, Hubspot, Quickbooks, AWS, DocuSign, and others - all major business applications used by some of the biggest corporations in the world. These apps have hundreds of thousands of users. AWS users were the biggest victims, with almost 200,000 AWS Console credentials being sold on the dark web. There are roughly 65,000 DocuSign and CRM credentials sold, and some 23,000 Salesforce credentials.

The researchers also found more than 200,000 stealer logs with OpenAI credentials, suggesting that these might leak proprietary information, internal business strategies, or source code, BleepingComputer reports.

Roughly three-quarters of these logs (74%) were posted on Telegram channels, with the remaining 25% being sold off on Russian-speaking dark web marketplaces.

"Logs containing corporate access were over-represented on Russian Market and VIP Telegram channels, indicating that the methods attackers use to harvest logs may incidentally or intentionally have more corporate targeting," describes the Flare report.

"Additionally, public Telegram channels may deliberately post lower value logs, saving high-value logs for paying customers."

Analysis: Why does it matter?

There are very few things as valuable in the cybercriminal world as login credentials to business applications used by large corporations. These credentials are extremely highly valued as they grant access to sensitive corporate data, including employee information, customer information, business secrets, future plans, and more. This, in turn, allows the attackers to deploy malware or ransomware, exfiltrate data, or conduct cyber espionage. The data they obtain this way can later be sold off on the black market for significant profits, or it could be leveraged in a ransom demand.

"Based on evidence from the dark web forum Exploit in, we rate it as highly likely that initial access brokers are using stealer logs as a principal source to gain an initial foothold to corporate environments that can then be auctioned off on top-tier dark web forums," Flare researcher Eric Clay said.

Many cybercriminal groups focus solely on breaking into corporate environments and into business endpoints. After that, they sell the access to their peers who use it for stage-two attacks. These groups are called “initial access brokers”, and rarely engage in information stealing. Those that do will try and deploy some of the world’s most popular info-stealing malware, such as RedLine Stealer, Aurora, or Vidar.

These tools can be rented out, significantly lowering the barrier for entry and making life a lot more difficult for IT teams looking to keep their virtual premises safe.

Employees using personal devices to access company files and systems is also a major risk factor. Many of these endpoints are used by other household members who sometimes don’t keep cybersecurity in mind and end up downloading dubious software, cracks, loaders, and torrent files riddled with malware.

To keep their premises safe, businesses should deploy password managers, enforce multi-factor authentication (MFA), run firewalls, and educate their employees on the dangers of using unvetted software and visiting risky websites.

What have others said about credential theft?

Password sharing is another bad practice that put a lot of companies in harm’s way. For example, a 2021 survey in the U.S. found that a third (34%) of adults shared their passwords with coworkers, which translates to some 30 million Americans. Out of 1,500 adults polled for the survey, almost a quarter (22%) admitted reusing the same password on multiple accounts, while just 12% confirmed using a password manager.

Others, like the Head of IT at Confidential, Jay Leaf-Clark, argue that company security isn't just an IT problem - it’s a work culture problem.

“Fostering a strong security culture at work is key, which means empowering employees to do their part in keeping company data secure and making it easy to stay on top of—with the right tools,” he said.

He also argues that people overestimate their security habits. Citing various surveys, he said that 69% of people graded themselves As and Bs for protecting their online accounts, while 65% reused their passwords for multiple accounts. “On average, employees reuse passwords across 16 work accounts,” he added.

Cybersecurity experts have long warned of the dangers of social engineering and phishing. By being reckless and overly trusting, many workers download email attachments and click on links on social media without thinking about the consequences, often ending up causing major damages for their employer.

Go deeper

To learn more about the dangers of credential theft, make sure to read our article on what is phishing, as well as how credential stuffing works. You should also check out our guide for the best password managers, as well as best ID theft protection right now.

Via: BleepingComputer