The Exploitation of Corporate Credentials

There’s an alarming rise in the theft of corporate credentials, with a recent analysis revealing that over 400,000 such credentials have been stolen by malware that specializes in data theft. The analysis scrutinized close to 20 million malware logs sold on obscure online platforms such as dark web marketplaces and Telegram channels, confirming significant penetration into business networks.

Understanding Information-Stealing Malware

Information stealers refer to malicious software that siphons off data stored in applications, including web browsers, email and instant messaging clients, cryptocurrency wallets, FTP clients, and gaming services. The compromised information is compiled into data sets termed ‘logs’. These logs are either uploaded back to the cybercriminal for use in future attacks or sold on illicit online marketplaces.

Notable names in the info-stealing malware industry include Redline, Raccoon, Titan, Aurora, and Vidar. Cybercriminals use these malware tools, usually offered via subscription-based models, to launch attacks that compromise data from infected devices.

The Impact on Corporate Environments

While these information stealers mainly target individuals who download software such as cracks, game cheats, and dubious software from untrustworthy sources, they also pose a significant risk to corporate environments. This risk exists primarily because employees frequently use personal devices for work, or access personal accounts from work computers. Consequently, many information stealer infections end up pilfering business credentials and authentication cookies.

A cybersecurity company, Flare, highlighted in a recent report that around 375,000 logs contained access to business applications such as Salesforce, HubSpot, QuickBooks, AWS, GCP, Okta, and DocuSign.

Details from the Flare Report on Corporate Credentials

The Flare report’s examination of stealer logs found:

  • 179,000 AWS Console credentials
  • 2,300 Google Cloud credentials
  • 64,500 DocuSign credentials
  • 15,500 QuickBooks credentials
  • 23,000 Salesforce credentials
  • 66,000 CRM credentials

The report also found approximately 48,000 logs granting access to “okta.com,” a widely used identity management service that organizations rely on for both cloud and on-premises user authentication.

Telegram channels accounted for most of these logs (74%), while 25% were found on Russian-speaking marketplaces, such as the ‘Russian Market.’

According to the Flare report, logs with corporate access were disproportionately found on the Russian Market and VIP Telegram channels. This disparity implies that cybercriminals’ log harvesting methods might be more targeted at businesses. Furthermore, public Telegram channels may intentionally post lower value logs, reserving high-value logs for paying customers.

The High Value of Corporate Credentials

The report also discovered over 200,000 stealer logs containing OpenAI credentials. This number is double the amount reported by Group-IB recently. Such a breach poses the risk of leaking proprietary information, internal business strategies, source code, and more.

Corporate credentials are considered “tier-1” logs in the cybercrime underworld. Their high value stems from the potential profits cybercriminals can earn by using compromised credentials to access CRMs, RDPs, VPNs, and SaaS applications. They then leverage that access to deploy stealthy backdoors, ransomware, and other harmful payloads.

How to Minimize the Risk of Info-stealer Malware Infections

In light of these threats, it’s crucial that businesses take preventive measures. These measures could include using password managers, enforcing multi-factor authentication, and establishing stringent controls on personal device usage. Employees also need to be educated about recognizing and avoiding common infection channels, such as malicious Google Ads, YouTube videos, and Facebook posts.