
Digital Security Threat Escalates with Exposure of 1.3 Billion Passwords


 

One of the starkest reminders of how easily and widely digital risk spreads is the discovery of an extensive cache of exposed credentials, underscoring the persistent dangers of password reuse and the many breaches that go unnoticed by the public. Having only recently had to correct false claims of a large-scale Gmail compromise, following Google's clarification, the cybersecurity community is once again faced with vast, attention-grabbing figures that are likely to create another round of confusion.

The newly discovered dataset contains approximately 2 billion email addresses and 1.3 billion unique passwords, 625 million of which had never previously been seen in the public breach repository. Troy Hunt, the founder of Have I Been Pwned, has stressed the importance of the disclosure while cautioning against sensationalism in discussing it.

Hunt noted that he dislikes hyperbolic headlines about data breaches, but stressed that this case requires no exaggeration, since the data speaks for itself. The Synthient dataset was initially interpreted as a breach of Gmail before it was clarified to be a comprehensive collection gathered from stealer logs and multiple past breaches, spanning more than 32 million unique email domains.

It is no surprise that Gmail appears more often than other providers, since it is the world's largest email service. Rather than a single event, the collection represents a very extensive set of compromised email and password pairs, exactly the kind of material used to fuel credential-stuffing attacks, in which criminals automate login attempts with recycled passwords against banking, shopping and other online accounts.

This new discovery highlights the dangers of unpublicised or smaller breaches, and also shows how even high-profile breaches keep doing damage when billions of exposed credentials are quietly redirected to attackers. The cache is not the result of a single hack but of a massive aggregation of credentials gathered from earlier attacks and from infostealer malware logs, which makes credential-based attacks far more effective.

A threat actor who exploits reused passwords can move laterally between personal and corporate services, often turning one compromised login into an entry point into a much wider network. Many organisations still depend on password-only authentication, which puts businesses at high risk: exposed credentials make it far easier for attackers to target business systems, cloud platforms and administrative accounts.

Experts emphasised the importance of adopting stronger access controls as soon as possible, including unique passwords generated by trusted password managers, universal two-factor authentication, and internal checks to identify credentials that have been reused or previously compromised.
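One way to implement the internal check for previously compromised credentials recommended above, as an added example that is not code from the article, from HIBP or from Troy Hunt: it uses Have I Been Pwned's public Pwned Passwords range API under its k-anonymity model, in which only the first five hex characters of the password's SHA-1 hash leave the host and the match is made locally. The sample range bucket, its counts, the `offline_lookup` stand-in and the policy threshold are constructed for the offline demo.

```python
"""Check a candidate password against Have I Been Pwned's Pwned Passwords
corpus without ever sending the password (or its full hash) off-host.

Scheme (k-anonymity): SHA-1 the password, send only the first 5 hex chars
to https://api.pwnedpasswords.com/range/<prefix>, receive every suffix in
that bucket as 'SUFFIX:COUNT' lines, and compare the remaining 35 chars
locally. The network helper is real; the sample bucket below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally),
    both upper-case hex, matching the API's response format."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response and return the breach count for `suffix`
    (0 if the suffix is absent). Tolerates blank lines and padding entries,
    which the API emits with a count of 0 when padding is requested."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one hash prefix (network). The Add-Padding header asks
    the service to pad the bucket so response size does not hint at the prefix."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "credential-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(range_lookup(prefix), suffix)


def password_acceptable(password: str, range_lookup: Callable[[str], str] = fetch_range,
                        min_length: int = 8) -> Tuple[bool, str]:
    """Policy gate for a password-change form: reject anything short and
    anything already present in breach data. The length threshold is hypothetical."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = pwned_count(password, range_lookup)
    if seen > 0:
        return False, f"found {seen} times in known breaches"
    return True, "not found in breach data"


# Constructed sample bucket for SHA-1 prefix 5BAA6 (the prefix of "password").
# Suffixes other than the real one for "password", and all counts, are made up.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10437277
011053FD0102E94D6AE2F8B83D76FAF94F6:3
"""


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range so the demo runs with no network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        ok, reason = password_acceptable(candidate, offline_lookup)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

Swap `offline_lookup` for the default `fetch_range` to run the same gate against the live service; the password itself still never leaves the machine.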

To keep attackers from weaponising these massive datasets, enterprises must also enforce zero-trust principles, implement least-privilege access, and deploy automated defences against credential-stuffing attempts. A single compromised email account can easily cascade into financial, cloud or corporate security breaches, because email serves as the central hub for recovering accounts and accessing linked services.
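The automated defences against credential stuffing mentioned above start with recognising the pattern in authentication logs: one source address trying many different accounts in a short window and mostly failing. The detector below is an added example, not code from the article or from HIBP; its log format, thresholds and sample lines are constructed.

```python
"""Flag credential-stuffing bursts in authentication logs.

Signature looked for: within a short window, one source IP attempts many
*distinct* usernames and most attempts fail (each recycled pair is tried once).
Accounts that did succeed inside such a burst are reported separately, since
those are the logins that should be stepped-up or reset.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.7 cycles through six accounts in four seconds
# (one reused password happens to work for 'erin'); 198.51.100.4 is a normal
# user who mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
2025-11-12T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-11-12T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2025-11-12T09:00:02Z ip=203.0.113.7 user=carol result=FAIL
2025-11-12T09:00:03Z ip=203.0.113.7 user=dave result=FAIL
2025-11-12T09:00:03Z ip=203.0.113.7 user=erin result=SUCCESS
2025-11-12T09:00:04Z ip=203.0.113.7 user=frank result=FAIL
2025-11-12T09:00:10Z ip=198.51.100.4 user=grace result=FAIL
2025-11-12T09:00:25Z ip=198.51.100.4 user=grace result=SUCCESS
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, user, result)


def parse_line(line: str) -> Event:
    """Parse '<ISO8601Z> ip=<addr> user=<name> result=<FAIL|SUCCESS>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def detect_stuffing(log_text: str,
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5,
                    min_fail_ratio: float = 0.7) -> Dict[str, dict]:
    """Return {ip: summary} for every source whose events, inside some sliding
    window of `window` length, touch >= min_users distinct accounts with a
    failure ratio >= min_fail_ratio. Thresholds are hypothetical defaults."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, _, u, _ in win}
            fails = sum(1 for ev in win if ev[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    # Accounts the burst got into: candidates for forced reset.
                    "succeeded": sorted(u for _, _, u, r in win if r == "SUCCESS"),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```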

With billions of credentials in circulation, both individuals and businesses need to take a proactive approach to authentication, modernise their security architecture, and treat every login as a potential entry point for attackers. The dataset is also notable for its sheer magnitude: it is the largest collection Have I Been Pwned has ever taken on, nearly triple the volume of its previous collection.

Compiled by Synthient, a threat intelligence initiative run by a college student, the collection is drawn from numerous sources where cybercriminals routinely publish stolen credentials. It combines two highly volatile types of compromised data: stealer logs gathered by malware on infected computers, and large credential-stuffing lists compiled from earlier breaches, which are combined, repackaged and traded repeatedly across underground networks.

To process the material, HIBP ran its Azure SQL Hyperscale environment at full capacity for almost two weeks, with all 80 processing cores fully utilised. Troy Hunt described the integration effort as extremely challenging, requiring extensive database optimisation to fold the new records into a repository of more than 15 billion credentials while maintaining uninterrupted service for millions of people every day.

In an era when billions of credential pairs circulate freely between attackers, researchers warn that passwords alone no longer provide the protection they once did. One of the most striking findings was that of HIBP's 5.9 million subscribers, the people who actively monitor their exposure, nearly 2.9 million appeared in the latest compilation. This underscores the widespread impact of credential-stuffing troves. The consequences are especially severe for the healthcare industry.

IBM's 2025 Cost of a Data Breach Report puts the average financial impact of a healthcare breach at $7.42 million, and a successful credential attack on a medical employee may give threat actors access to electronic health records, patient information and systems containing protected health information, with consequences that extend far beyond financial loss.

With credential exposure outpacing traditional security measures, this study serves as a decisive reminder to modernise digital defences before attackers exploit these growing weaknesses. Organisations should push toward passwordless authentication, continuous monitoring, and adaptive risk-based access, while individuals should treat maintaining their credentials as an essential rather than an optional task.

Ultimately, one thing is clear: in a world where billions of credentials circulate unchecked, the key to resilience is to anticipate breaches by strengthening the architecture, optimising the authentication process and maintaining security awareness instead of reacting to them after a breach takes place.

Security Researchers at Proton Warn of Massive Credential Exposure


 

Data is becoming the most coveted commodity in the ever-growing digital underworld, and it is being traded at an alarming rate. In a recent investigation conducted by Proton, it has been revealed that there are currently more than 300 million stolen credentials circulating across dark web marketplaces, demonstrating how widespread cybercrime is. 

According to Proton's Data Breach Observatory, which continuously monitors illicit online forums for evidence of data compromise, a global cybersecurity crisis is unfolding. In 2025 the Observatory recorded 794 confirmed breach incidents; when aggregated, the number rises to 1,571, amounting to millions of exposed records.

One troubling aspect of the research is the pattern of targeting small and medium-sized businesses, which cybercriminals have increasingly singled out. Over half of all breaches were recorded at companies with between 10 and 249 employees, while 23% of breaches occurred in micro businesses with fewer than 10 employees.

This report highlights a growing truth about the digital age: while businesses race to innovate and expand online, threat actors are evolving just as quickly. As a result, the vast internet architecture has become a vibrant market for stolen identities and corporate secrets.

Many organisations still keep security breaches hidden from the public for fear of reputational damage, financial loss or regulatory scrutiny, which leaves the true extent of cybercrime largely unknown. With its latest initiative, Proton hopes to break this silence by tracking the threat to its source: the underground marketplaces that openly sell stolen credentials and personal data.

In doing so, Proton continues its mission of fostering a safer, more private internet. As an extension of the Proton VPN Observatory, which monitors government-imposed internet restrictions and VPN censorship around the world, the Data Breach Observatory extends that vigilance to cybercrime in the form of data breaches.

Created in collaboration with Constella Intelligence, the observatory constantly scans the dark web for new breaches, analysing the types of data compromised, including passwords, personal identifiers and financial records, and the number of accounts affected.

Through real-time monitoring, Proton can alert victims as soon as a breach occurs, sometimes even before the breached organisation realises it is happening. The Proton platform provides transparent, publicly accessible insights into these security breaches, which are aimed at both educating users about the magnitude of the threat and discouraging organisations from concealing their security shortcomings. 

There is a policy of responsible disclosure at the heart of this initiative, which ensures that affected entities are informed in advance of any public announcement relating to the incident. This is an era that has been defined by data theft and corporate secrecy since the dawn of the digital age. Proton's proactive approach serves as a countermeasure, turning dark web intelligence into actionable preventative measures. 

With this initiative, the company not only reveals the hidden mechanics of cybercrime but also strengthens its reputation as a pioneer in digital transparency and empowerment for users, allowing businesses and individuals alike a better understanding of the shadowy forces that shape today's cybersecurity landscape, as well as the risks associated with it. 

In its latest research, Proton provides a sobering assessment of the escalating cost of cybercrime to smaller businesses. An estimated four out of five small businesses have been affected by data breaches in recent months, and these attacks have often resulted in losses exceeding one million dollars.

The Data Breach Observatory was established amid this growing crisis to identify breaches that often remain hidden until significant damage has already been done. Proton constantly scans the dark web marketplaces where stolen credentials are traded in order to deliver early warnings, so that organisations can protect their data before attackers have an opportunity to exploit it further.

Through the course of these investigations, a wide range of personal and financial details were uncovered, including names, dates of birth, email addresses, passwords, and physical contact information of those individuals. 

Almost all of these breaches have involved social security numbers, bank credentials, and IBAN details being exposed, which together represent an alarming combination that creates an extremely high likelihood of identity theft and financial fraud. 

The observatory has recorded several high-profile incidents in 2025, such as the Qantas Airways breach in October that exposed more than 11.8 million customer records; Allianz Life Germany in September, with more than one million compromised accounts; and the U.S. tech firm Tracelo, with 1.4 million records breached earlier this year, while breaches at Free Telecom, a French company, and SkilloVilla, an Indian company, exposed 19 million and 33 million records respectively, underlining how global the threat is.

Security experts have long stressed the necessity of multi-factor authentication and strong password management as essential defences against credential-based attacks. Proton reiterates this advice, urging businesses to regularly monitor their credentials for leaks and to reset passwords as soon as suspicious activity is detected.

Through its publicly accessible observatory platform, the company enables businesses to verify whether their data has been compromised, a critical step toward minimising the damage before cybercriminals can weaponise the stolen data.

A stronger global security awareness and proactive cybersecurity practices are essential, and Proton's Data Breach Observatory confirms this need. Aside from the observatory's use as a crucial alert system, it is important to note that experts also emphasise that prevention is the best form of protection when it comes to securing information online. 

The Observatory stresses the importance of layered security strategies, including the use of Virtual Private Networks (VPNs) that safeguard online communications and reduce the risk of interception, even when users' data has been compromised. With Proton's own VPN, built on end-to-end encryption and the company's signature Secure Core architecture, traffic passes through multiple servers in privacy-friendly jurisdictions, masking users' IP addresses and shielding their digital identities from cybercriminals.

Thanks to this robust infrastructure, the observatory can keep monitoring the dark web while users' personal information remains encrypted and protected from the criminal networks it watches. Beyond technical solutions, Proton and cybersecurity experts alike emphasise a set of foundational best practices for individuals and organisations who want to strengthen their defences.

The best way to protect online accounts is to enable multi-factor authentication (MFA), widely recognised as the most effective method of preventing credential theft, and to use a password manager that keeps a secure, unique password for every online account. For regular breach monitoring, Proton's observatory platform can provide timely alerts whenever credentials are discovered in leaked databases.

In addition to fostering cybersecurity awareness among employees, companies must create an incident response plan, enforce the principle of least privilege, and make sure that employees can access only the systems essential to their role. More advanced strategies, including network segmentation and enterprise-grade identity and access management (IAM) tools such as Privileged Access Management (PAM), may allow for further containment and protection of critical infrastructure.

These recommendations stem from the fact that credential theft often relies on software vulnerabilities or weak configurations that attackers exploit. An unpatched flaw, such as an exposed API endpoint or a malfunctioning authentication mechanism, can open the door to brute-force or session hijacking attacks.

The exposure Proton documents is not linked to any specific vulnerability identifier; rather, it indicates that many systemic weaknesses still facilitate large-scale credential theft across industries today. By patching in a timely manner and implementing strict configuration management, businesses can significantly reduce the chances of attackers gaining access to their networks.

However, Proton’s research goes well beyond delivering a warning. It calls for action. The number of compromised accounts on dark web markets has increased by over 300 million, and we cannot afford to stay complacent. This study underscores that protecting one's data is not merely about technology, but about maintaining a proactive approach to cyber hygiene and continuous vigilance. 

The message Proton emphasises is clear: in an era when data is both a commodity and a target, the key to digital safety lies in proactive defence, informed awareness, and collective responsibility. As the digital landscape grows increasingly complex, Proton's findings serve as a powerful reminder that cybersecurity is not a one-time investment but an ongoing commitment.

Organisations that take steps to ensure that their employees are informed and trained about cyber threats are better prepared to cope with the next wave of cyber threats. Several security measures, including encrypting infrastructure, conducting regular security audits, and continuously performing vulnerability assessments, can be taken to significantly reduce exposure, while collaborations between cybersecurity researchers and private firms can strengthen collective defences. 

Even though stolen data fuels a thriving underground economy in today's cyber world, the most effective defences against cybercrime remain vigilance and informed action.

Taiwanese Web Hosting Infrastructure Hit by UAT-7237

 

A recent report from Cisco Talos exposes a cyber intrusion by a suspected Chinese-government-backed hacking collective, tracked as UAT-7237, into a Taiwanese web hosting provider. The attackers aimed to steal credentials and implant backdoors, enabling persistent and covert access to sensitive infrastructure.

The outfit has been active at least since 2022, based on forensic analysis of a remote server hosting SoftEther VPN—a favored tool for maintaining their foothold. The chosen VPN's configuration indicated a preference for Simplified Chinese, hinting at the attackers' origins. 

Talos researchers believe UAT-7237 is a subgroup of the broader Chinese APT UAT-5918, which is notorious for targeting Taiwan's critical infrastructure and overlapping with other Chinese cyber gangs like Volt Typhoon and Flax Typhoon. Despite similarities, Talos distinguishes UAT-7237 by its unique operational tools and strategies. 

UAT-7237 predominantly deploys Cobalt Strike as its main backdoor implant, while UAT-5918 leans on Meterpreter-based reverse shells and a greater number of web shells for remote access. UAT-7237, in contrast, uses a selective approach, deploying fewer web shells and leveraging direct remote desktop protocol (RDP) access and SoftEther VPN clients. 

The report highlights that UAT-7237 exploits unpatched vulnerabilities on internet-facing servers for initial access. Once inside, the crew conducts quiet reconnaissance, seeking out valuable assets and setting up prolonged access. Their toolset blends custom and open-source software; notably, the SoundBill shellcode loader (based on VTHello, featuring decoy files from Chinese IM software QQ) is used for malware deployment. 

For privilege escalation, UAT-7237 employs JuicyPotato, a tool favored by Chinese-speaking hackers, while credential stealing is achieved through multiple methods—Mimikatz for extracting credentials, registry and disk searches, and further exploitation with BAT files. The ssp_dump_lsass project, found on GitHub, is also used to dump LSASS memory and steal credentials.

Network scanning is performed using FScan, allowing the group to map open ports on IP subnets and gather information about SMB services on target endpoints. Attackers then use stolen credentials to pivot laterally within the victim’s network, seeking further targets of interest. 

Although Talos has not revealed the full scope of UAT-7237’s campaign or disclosed the vulnerabilities exploited, the findings underscore the importance of patching exposed systems and maintaining vigilant security practices. The published indicators of compromise serve as practical tools for organizations facing similar threats.

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed into one of the most popular places for buying and selling credentials stolen by infostealer malware. Although the marketplace has been operating for almost six years and had grown in popularity by 2022, ReliaQuest believes that Russian Market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on Russian Market to chart the rise and fall in popularity of specific infostealer malware. Until recently, Lumma supplied the majority of logs, accounting for 92% of all credentials sold on the marketplace.

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuest reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's takedown. Acreed's rapid rise on Russian Market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz.

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.

Rising Threat of Stolen Credentials and Initial Access Breaches

 

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigations Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The SolarWinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private GitHub repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.

RingGo: Phone Parking Service Suffers Data Breach, Customer Data Stolen


UK-based pay-by-phone parking service – RingGo – has suffered a data breach, where information including partial credit card numbers of several of its customers has been leaked. 

The EasyPark-owned company informed that the data of at least 950 customers had been stolen by the hackers. The data included names, phone numbers, addresses, email addresses and parts of credit card numbers.

The company describes the compromised information as “non-sensitive” and claims that “no combination of this stolen data can be used to perform payments.”

However, customers have been warned against phishing scams, in which threat actors use stolen customer details to send convincing-looking emails and text messages in order to scam the target victims.

While British customers were the least affected by the breach, the data of thousands of Europe-based customers is feared to be compromised. It is not yet clear who is behind the data breach.

EasyPark further states that it is “reaching out to all affected customers.” Meanwhile, RingGo claims to be the “UK’s number one parking app,” with over 19 million customers.

Using the company's app, drivers pay for parking using their smartphones by providing information about their vehicle, like the license plate number, and payment information, like a credit or debit card.

The Information Commissioner's Office (ICO) in the UK and the corresponding European agency have received reports from Stockholm-based EasyPark, according to a Tuesday Guardian report.

According to a statement published on the company’s website, the attack first came to light on December 10: "The attack resulted in a breach of non-sensitive customer data."

“We deeply care about our customers and want to make sure you are fully informed about this incident […] Our security team, including external security experts, is working hard to ensure effective security and privacy measures are in place […] We are deeply sorry this happened and will continue to work hard every day to earn your trust.”

Owned by private equity firms Vitruvian Partners and Verdane, the company has operations across 4,000 cities in 23 countries, encompassing most of western Europe, the US, and Australia. Since its founding in 2001, it has expanded via several acquisitions.  

AutoSpill Attack Steals Credentials from Android Password Managers


Security researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have discovered a new vulnerability in some Android password managers that allows malicious apps to capture users’ credentials when they are autofilled into a WebView.

The attack is carried out at the moment the password manager autofills login credentials.

In a presentation at the Black Hat Europe security conference, the researchers revealed that the majority of Android password managers are susceptible to AutoSpill even in the absence of JavaScript injection. 

How AutoSpill Works

WebView is frequently used in Android apps to render web content, which includes login pages, within the app, rather than redirecting users to the main browser, which would be more challenging on small-screen devices. 

When an app loads the login page of a service such as Apple, Facebook, Microsoft, or Google inside the platform's WebView component, Android password managers automatically fill in the user's account information. 

According to the researchers, flaws in this process can be exploited so that the auto-filled credentials end up with the host app that invoked the WebView. 

The researchers added that Android password managers are even more vulnerable to the attack if JavaScript injection is enabled. 

One of the main causes of AutoSpill is that Android does not specify who is responsible for handling the auto-filled data securely, which leaves the data open to leakage or capture by the host app.

In an attack scenario, the user's credentials could be obtained by a rogue app presenting a login form without leaving any trace of the breach.
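The leak described above happens because the credential is released to whatever app hosts the WebView. The following is an added example, not code from the AutoSpill researchers or from any password manager, modelling one defensive check an autofill service could make: release the credential only to a trusted browser or to an app the site itself has associated with the domain. It assumes the autofill service is handed the host app's package name and the WebView page's web domain, and that Digital Asset Links (assetlinks.json) supplies the app-to-domain association; the association table and package names are constructed sample data.

```python
"""Model of the app-to-domain association check a password manager's
autofill service can make before filling a login form inside a WebView.
Added example, not code from the AutoSpill researchers or from any
password manager. It assumes what Android's autofill framework hands the
service: the requesting app's package name and, for WebView fields, the
page's web domain. Digital Asset Links (assetlinks.json) is the mechanism
a site uses to declare which app packages it trusts; the table below is
constructed sample data standing in for a fetched assetlinks.json."""
from dataclasses import dataclass
from typing import Optional, Set, Dict, Tuple

# Constructed sample: domain -> packages the site vouches for. In practice
# this is fetched from https://<domain>/.well-known/assetlinks.json
ASSET_LINKS: Dict[str, Set[str]] = {
    "accounts.example-bank.com": {"com.examplebank.app"},
    "login.example-mail.com": {"com.examplemail.android"},
}
# Constructed sample: browsers allowed to fill any domain they display.
TRUSTED_BROWSERS: Set[str] = {"com.android.chrome", "org.mozilla.firefox"}

@dataclass
class FillRequest:
    package_name: str            # app hosting the WebView
    web_domain: Optional[str]    # domain of the page in the WebView, if known
    credential_domain: str       # domain the stored credential belongs to

def should_autofill(req: FillRequest) -> Tuple[bool, str]:
    """Decide whether to release the credential to this host app.
    Fill only when the domain matches and the host is either a trusted
    browser or an app the site itself has associated with that domain;
    any other host app would receive the secret, which is the AutoSpill
    leak."""
    if req.web_domain is None:
        return False, "WebView field carries no web domain; refuse to fill"
    if req.web_domain != req.credential_domain:
        return False, "credential belongs to a different domain"
    if req.package_name in TRUSTED_BROWSERS:
        return True, "trusted browser displaying the matching domain"
    if req.package_name in ASSET_LINKS.get(req.web_domain, set()):
        return True, "host app is associated with this domain"
    return False, "host app not associated with this domain"
```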

Impact and Patch Work

Using Android's autofill framework, the researchers tested AutoSpill against a number of password managers on Android 10, 11, and 12. They discovered that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable to the attack.

Google Smart Lock 13.30.8.26 and DashLane 6.2221.3 were found to take a different technical approach to autofill, and did not leak data to the host app unless JavaScript injection was used.

The researchers submitted their findings, along with recommendations for fixing the issue, to the Android security team and the affected vendors. The report was accepted as legitimate, but no information about plans to rectify the problem was disclosed.  

The Infamous Cybercrime Marketplace Now Offers Pre-order Services for Stolen Credentials

 

According to Secureworks, info stealer malware, code that infects devices without the user's knowledge and steals data, remains widely available for purchase on underground forums and marketplaces, and the volume of logs, or collections of stolen data, offered for sale is increasing at an alarming rate. 

Between June 2021 and May 2023, the Russian market alone grew by 670%. “Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access,” said Don Smith, VP of threat research, Secureworks CTU. 

“They are readily available for purchase, and within as little as 60 seconds of installation on an infected computer will immediately generate a return on investment in the form of stolen credentials and other sensitive information. However, what has really changed the game, as far as info stealers are concerned, is improvements in the various ways that criminals use to trick users into installing them. That, coupled with the development of dedicated marketplaces to sell and purchase this stolen data, has really upped the ante,” added Smith. 

Researchers at Secureworks examined the latest trends in the underground info stealer market, including how this type of malware is becoming more complex and harder to detect, posing a challenge to corporate network defenders. Among the key findings:

The number of info stealer logs for sale on underground forums grows over time. On Russian Market alone, the number of logs for sale surged by 150% in less than nine months, from two million on a single day in June 2022 to over five million on a single day in late February 2023.

The overall growth in the number of logs for sale on Russian Market was 670% over a roughly two-year period (measured on a single day in June 2021 and a single day in May 2023).

Russian Market remains the largest seller of info stealer logs. At the time of writing, it had five million logs for sale, around ten times more than its nearest competitor. It is well known among Russian cybercriminals and is often used by threat actors globally. Recently, Russian Market has added logs from three new stealers, indicating that the site is adapting to the ever-changing e-crime landscape.

Raccoon, Vidar, and RedLine remain the top three info stealer logs for sale. On a single day in February, the following numbers of logs, or data sets of stolen credentials, from these popular info stealers were for sale on Russian Market:
  • Raccoon: 2,114,549
  • Vidar: 1,816,800
  • RedLine: 1,415,458

The recent law enforcement action against Genesis Market and Raid Forums has influenced the behavior of cybercriminals. Telegram has benefited, with more log buying and trading moving to specialized Telegram channels for prominent stealers like RedLine, Anubis, SpiderMan, and Oski Stealer. Despite the arrests of several users and the removal of 11 domains affiliated with Genesis Market, the Tor site remains operational, with logs still for sale.

However, activity on the marketplace has nearly ceased, as criminals have begun debating the matter on underground forums and raising concerns about the platform's reliability. A growing market has emerged to meet demand for after-action services that help with log parsing, a time-consuming and difficult task that is often left to more experienced hackers.

As the number of info stealers and available logs grows, these tools are expected to become more popular and to help lower the barrier to entry. The successful development and deployment of info stealers, like the overall cybercrime ecosystem, depends on individuals with diverse skills, roles, and responsibilities. The growth of malware-as-a-service has encouraged developers to innovate in order to improve their products and appeal to a broader range of clients.

For example, Russian Market now allows customers to pre-order stolen credentials for a specific organization, business, or application for a $1,000 deposit into the site's escrow mechanism. The pre-order service offers no guarantees, but it allows criminals to progress from opportunistic to targeted attacks.

“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved. Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market,” continued Smith.

“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defense against the threat of infostealers,” concluded Smith.

Phishing, compromised websites, malicious software downloads, and Google advertisements can all be used to install info stealers on a computer or device. Stolen credentials accounted for nearly one-tenth of the incident response engagements Secureworks handled in 2022, and were the initial access vector (IAV) for more than a third (34%) of ransomware engagements between April 2022 and April 2023.

Proxies and Configurations Used for Credential Stuffing Attacks

 


About the attack

Threat actors are actively compromising home IP addresses to conceal credential stuffing attacks and improve their chances of success, the FBI warns. 

Credential stuffing is a well-known method of account hijacking in which attackers take large lists of compromised username and password combinations and try them aggressively across many websites and apps to see which still work. Because many users reuse the same passwords, the trick often succeeds. 

How are stolen credentials used?

Working credentials are then sold to others for early access. The FBI said an attack "config" may include the website address to target, how to form the HTTP request, how to distinguish a successful login attempt from an unsuccessful one, whether proxies are needed, and so on. 

In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.

Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts. 

Who are the victims?

In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts. 

The Australian Federal Police and the FBI discovered two websites holding more than 300,000 sets of credentials obtained via credential stuffing. 

How many users affected?

The sites had more than 175,000 registered users and made around $400,000 in sales. Website administrators can spot malicious login activity if they know what to look for, and this is where residential proxies come in. 

Cyber criminals may also target a company’s mobile applications as well as the website. Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation.

Experts believe that by breaching home routers or other connected devices, attackers can route their attempts through benign-looking IP addresses to evade network defenders.

Existing security controls flag or restrict residential proxies far less often than proxies tied to data centers. Along with combo lists, threat actors buy "configs" and other tools on dark web forums to increase their success rates. 
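The advisory above describes two things a defender can look for: one source IP replaying a combo list at a high checks-per-minute rate, and the same replay spread across many benign-looking residential IPs so that no single address stands out. The following is an added example, not code from the FBI advisory or any vendor, that applies both rules over a constructed authentication log; the log lines, IP addresses, and thresholds are all constructed sample data.

```python
"""Credential-stuffing detector over authentication logs.
Added example; it is not code from the FBI advisory. It scores the two
signals the text points at: one source IP failing logins against many
distinct usernames at a high rate, and, because residential proxies spread
the same replay across many benign-looking IPs, a fleet-wide burst of
failures across many usernames from many IPs. Data below is constructed."""
from collections import defaultdict
from typing import List, Tuple

WINDOW_SECS = 60   # sliding window for both rules
PER_IP_FAILS = 5   # failures from one IP within the window...
PER_IP_USERS = 4   # ...spread over at least this many distinct usernames
FLEET_FAILS = 12   # fleet-wide failures within the window...
FLEET_IPS = 6      # ...from at least this many distinct source IPs

Event = Tuple[int, str, str, str]  # (unix_ts, ip, username, "OK"|"FAIL")

def parse_line(line: str) -> Event:
    """Parse a constructed log line: '<unix_ts> <ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result

def detect(lines: List[str]) -> Tuple[List[str], bool]:
    """Return (IPs flagged for stuffing, whether a distributed burst was seen)."""
    events = sorted(parse_line(ln) for ln in lines)
    flagged, distributed = set(), False
    for i, (ts, _, _, _) in enumerate(events):
        window = [e for e in events[i:] if e[0] < ts + WINDOW_SECS]
        fails_by_ip = defaultdict(list)
        for _, ip, user, result in window:
            if result == "FAIL":
                fails_by_ip[ip].append(user)
        for ip, users in fails_by_ip.items():
            if len(users) >= PER_IP_FAILS and len(set(users)) >= PER_IP_USERS:
                flagged.add(ip)
        total_fails = sum(len(u) for u in fails_by_ip.values())
        if total_fails >= FLEET_FAILS and len(fails_by_ip) >= FLEET_IPS:
            distributed = True
    return sorted(flagged), distributed

# Constructed sample log, built in place so the file runs offline.
SAMPLE_LOG = (
    # one IP replaying a combo list: six usernames, six failures in six seconds
    [f"17000000{i:02d} 203.0.113.7 user{i} FAIL" for i in range(6)]
    # a real user mistyping twice, then logging in: trips neither rule
    + ["1700000020 198.51.100.2 alice FAIL", "1700000025 198.51.100.2 alice FAIL",
       "1700000030 198.51.100.2 alice OK"]
    # the same replay spread over six residential-looking IPs, two users each
    + [f"17000001{i:02d} 192.0.2.{i} victim{2*i+j} FAIL" for i in range(6) for j in range(2)]
)
```

Per-IP thresholds alone miss the distributed case, which is why the fleet-wide rule is needed once attackers move to residential proxies.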

FBI Warns of Hackers Selling US College VPN Credentials on Underground Forums

 

Threat actors are advertising network credentials and virtual private network (VPN) access for colleges and universities based in the United States on underground and public criminal marketplaces. 

Last week, the Federal Bureau of Investigation (FBI) issued an advisory about usernames and passwords granting access to U.S. colleges and universities being put up for sale on Russian cybercriminal platforms. Prices for stolen credentials range from a few U.S. dollars to thousands. 

Hackers use tactics such as ransomware and spear-phishing to harvest credentials and then sell them on Russian hacking forums. The credentials allow attackers to launch brute-force attacks to break into victim accounts across different websites and services. 

"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI warned. 

Last year in May, the agency said it identified more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform posted by a group that specialized in the trafficking of stolen login credentials. 

According to Emsisoft threat analyst Brett Callow, 10 of the 13 attacks on colleges this year involved data exfiltration. Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, Florida International University, and Stratford University are just a few of the schools impacted by ransomware this year. 

Security tips 

The FBI advises academic institutions to liaise with their local FBI Field Office and update their incident response and communication plans. Implementing brute-force protection, training sessions for students and faculty to identify phishing attempts, using strong, unique passwords, and multi-factor authentication are regular recommendations that are valid for all organizations. 

"Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks," stated Steven Hope, CEO, and co-founder of password management firm Authlogics.