Recent research has revealed that corporate credentials are being stolen alarmingly. The study revealed that over 400,000 corporate credentials were stolen by malware specialized in data theft. Approximately 20 million malware logs were examined in the study. The study was conducted on obscure platforms such as the dark web and Telegram channels that sell malware logs. Consequently, this indicates that networks are widely embraced within businesses.
There is a simple way to explain how info stealer malware works. It infiltrates your agency's systems, snatches valuable data, and delivers it back to cybercriminals from where it originated. These miscreants can use this data to perform harmful activities or sell it on the underground cybercrime market to make profits. The dark web and Telegram channels are filled with almost 20 million information-stealing virus records. A significant number of these types of viruses are used to access information from companies.
Cybercriminals steal data from a variety of computer platforms, including browsers, email clients, instant messengers, gaming services, cryptocurrency wallets, and FTP clients. This is to profit from their schemes. Hackers archive stolen data into "logs" before selling them on the dark web markets or reusing them for future hacks. In this study, several major families of information-stealing systems were identified including Redline, Raccoon, Titan, Aurora, and Vidar.
With their subscription-based approach, they operate in a similar way to adware, where hackers can launch malware campaigns aiming to steal data from compromised systems through malware. In addition to targeting individuals who purchase pirated software through illegal sources, these information hackers pose a serious threat not only to individuals but also to the businesses in which they operate. It is no secret that the use of personal devices on corporate computers has resulted in countless info-stealer infections, which result in the loss of business passwords and authentication cookies due to these viruses.
As a general rule, information thieves look to take over web browsers, email clients, operating systems, information about Internet service providers, cryptocurrency wallet credentials, and other personal information. In terms of information-stealing families, Redline, Raccoon, Titan, Aurora, and Vidar are probably the most prominent.
To conduct malware campaigns designed to steal data from infected devices, cybercriminals are offered these families on a subscription basis. This makes it possible to run malware campaigns. While it has been found that many information thieves may primarily target careless internet users who download programs that they should not, such as cracks, warez, game cheats, and fake software, all downloaded from dubious sources, there has also been noted evidence that this behavior can negatively affect corporate environments.
The reason for this is that employees are increasingly using personal devices and computers to access work-related stuff, which leads to many info-stealer infections that steal credentials for the business and authenticate users on the network.
In its Stealer Logs and Corporate Access report, Flare provides the following breakdown of credentials based on the insights provided by the company. 179,000 credentials for AWS Console, 42,738 for Hubspot, 2,300 credentials for Google Cloud, 23,000 Salesforce credentials, 66,000 for CRM, 64,500 for DocuSign, and 15,500 QuickBooks credentials. In addition, 48,000 logs contain access to okta.com domains. 205,447 stealer logs can also be found in Flare which contains credentials for OpenAI accounts, in addition to 17,699 stolen logs.
Keeping conversations on ChatGPT is a high risk because by default, conversations are saved on the account, and if the account is compromised, sensitive corporate intellectual property and other data could be exposed, as Flare explains. It is unknown if any of these OpenAI credentials are similar to those that Group-IB identified in June 2023, which contained 101,134 log files that contained 26,802 compromised ChatGPT accounts.
There were huge numbers of credentials exposed for platforms such as AWS Console, DocuSign, Salesforce, Google Cloud, QuickBooks, OpenAI, and CRM systems. These credentials were part of three different databases. There was also evidence that a large number of logs contained references to the identity management service OKTA.com, which is used for enterprise-grade user authentication within an enterprise environment. It is estimated that approximately 25% of these logs have been posted on the Russian Market channel on Telegram, over which the majority have been posted on Telegram.
In addition to finding more than 200,000 stealer logs containing OpenAI credentials, Flame has also found more than double the amount Group-IB reported recently. These logs represent a significant risk of confidential information leakage, internal business strategies, source code, and many other forms of confidential information. It is of particular importance to note that corporate credentials are considered "tier-1" logs, which makes them extremely valuable in the underground cybercrime market, where they can be bought and sold on private Telegram channels or discussion forums such as Exploit and XSS.
A log file is like a packaged archive of stolen information that has been packaged and protected. Data consisting of web browsers, email clients, desktop programs, and other applications used daily within your agency can be stolen from these files.
For cybercriminals to profit from hijacking users' credentials, they must exploit those credentials to gain access to CRMs, RDP, VPNs, and SaaS applications. They must then use those credentials to deploy stealthy backdoors, ransomware, and other payloads to steal their information. As a precautionary measure, businesses should enforce password-manager usage, implement multi-factor authentication and enforce strict controls on personal devices to minimize info-stealer malware infections.
A training program should also be provided to all employees to recognize and avoid common infection channels. These include malicious YouTube videos, Facebook posts, and malicious Google Ads. The credentials stolen by anti-spyware malware are commonly referred to as digital skeleton keys - these are broadly referred to as universal access tokens which can be used to gain unauthorized access to a wide range of sensitive data stored in your organization by cyber criminals.
To gain access to your business, they will have to use a virtual master key. This will hopefully enable them to unlock numerous areas of your business, potentially causing far-reaching and devastating damage. Sadly, cybercrime is no longer a specter looming over the horizon in today's interconnected world - it has already infiltrated systems, stolen valuable data, and left an indelible mark on businesses all across the globe thanks to its infiltration and snatching.
Cybersecurity is both an imprudent and a potentially hazardous luxury for independent insurance agencies whose business model is based on making it as optional as possible. It is crucial to remember that ignoring this crucial aspect of your business operations will cause your agency to fall off its feet. This may even have significant financial repercussions down the road.
Implementing comprehensive cybersecurity measures is not just a suggestion - it is an absolute necessity that must be performed. There is no question that the landscape of security is evolving, and we must evolve as well. A strong digital asset management strategy today enables your agency to remain resilient and successful tomorrow, which is a decisive factor in its success. The value of digital fortification goes beyond merely surviving for your business, but also striving to prosper as your business lives on in an age of digital fortification becoming synonymous with its long-term survival.