Guest blog courtesy of Flare.
Breached identities, facilitated by infostealer malware, pose a formidable challenge to corporate information security in 2024. To understand the gravity of this threat, it is essential to first grasp what infostealers are. Infostealer malware is a type of remote access trojan (RAT) that infiltrates a user’s system and exfiltrates a variety of sensitive data, including:
- Credentials saved in browsers
- Session cookies
- Browser history
- Crypto wallet information
- Screen captures of the victim’s display
- Host data
With numerous direct infostealer variants and other malware types that possess similar data-stealing capabilities, the threat landscape is vast. Once a user is compromised, the stolen data is packaged and transmitted to command and control (C2) infrastructures. Here, threat actors exploit easily accessible resources, such as bank accounts linked to active session cookies and crypto wallets, to swiftly monetize their gains.
Interestingly, the individuals orchestrating these infections often do not utilize the stolen credentials directly. Instead, they monetize breached identities by distributing them through Telegram channels. These actors typically maintain public channels where they offer older logs as “samples” to entice potential buyers, subsequently charging between 0 to 0 per month for access to private channels featuring more recent logs.
How Infections Happen
Analysis of infostealer screenshots reveals critical insights into the infection vectors. A significant number of infections arise from users downloading cracked software. However, other common sources include:
- Malicious advertising (malvertising)
- Fake “Windows update” scams
- “Free gift card” scams
One particularly prevalent source of infections is “repackaged games.” These are compressed versions of video games that have been modified to reduce file size while retaining core functionality. During this repackaging process, malicious packages, including infostealers, can be integrated. Victims may be prompted to disable their antivirus software post-download, although many infostealer variants can circumvent certain antivirus protections. This is illustrated in a screenshot where a user is instructed by the malware to disable antivirus to complete installation.
Unlike many other malware types, infostealers do not necessitate local administrative privileges, making them particularly insidious as they require minimal user intervention to execute successfully.
Threat Actors’ Use of Infostealers
Most threat actors are not specifically targeting corporations; rather, they seek to make quick profits by breaching bank accounts, pilfering from crypto wallets, or making unauthorized purchases through compromised e-commerce accounts. Infostealers predominantly target session cookies, allowing threat actors to bypass multi-factor authentication (MFA) controls, especially when session cookie time-to-live (TTL) settings are high. This creates an appealing alternative to traditional password dumps.
In many instances, threat actors also seek out credentials for commonly used subscription services, such as Netflix, NordVPN, and Hulu, which can be exploited without the victim’s awareness. We have observed instances where infostealer backends highlight these “high-value” credentials, simplifying the identification process for potential account takeovers.
Infostealers and Corporate Access
While the primary use of infostealers revolves around personal credentials, threat actors also actively pursue valuable corporate credentials. We have documented cases where initial access brokers—those who compromise companies and sell access to other malicious actors—acquire hundreds of thousands of stealer logs to pinpoint corporate access credentials.
In our research, we examined 50 companies that had recently experienced data breaches, using publicly available information. We then cross-referenced this data with Flare’s stealer log database to extract two key metrics:
- Percentage of companies with corporate credentials leaked: Organizations that had at least one corporate email (@companyname.com) identified in a stealer log since Flare began its collection.
- Percentage of companies with corporate credentials leaked within six months of a breach: Organizations that had a stealer log detected within six months before or after a breach.
The findings were striking:
- 90% (45/50) of breached companies had previously leaked corporate credentials in a stealer log.
- 78% (39/50) of breached companies had corporate credentials leaked in a stealer log within six months before or after the breach.
To contextualize these findings, we compared them with 50 “sister companies” that did not report breaches but were similar in size, revenue, and industry. Our evaluation revealed:
- 76% (38/50) of sister companies had experienced a corporate stealer log compromise at some point.
- 68% (34/50) of sister companies that had not suffered a breach had a stealer log with compromised employee credentials in the past 12 months.
These statistics underscore a troubling reality: 83% of companies surveyed across various sizes and industries had corporate credentials exposed, a significant increase from previous research indicating that only 19.6% of healthcare organizations had compromised corporate credentials due to infostealer malware.
Our investigation specifically targeted compromised email accounts within the logs, excluding educational institutions and certain telecom providers where consumer use of organizational domains is common. Among the corporate logs reviewed, we identified numerous high-criticality credentials, including:
- login.microsoft.com
- companyname.slack.com
- companyname.okta.com
- sso.companyname.com
- adfs.companyname.com
In many cases, a single user had access to multiple corporate credentials spanning various SaaS applications, internal systems, and other critical corporate technologies.
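As an added illustration (not Flare’s code or data), the two metrics defined above and the high-criticality credential check can be computed over constructed stealer-log records as shown here; the record layout, company domains, dates and the 182-day window are assumptions:

```python
# Added example, not Flare's code: scoring constructed stealer-log credential
# records against a breach list, using the two metrics defined in the post.
from datetime import date, timedelta

# Constructed sample records: (log capture date, login URL, account name).
LOGS = [
    (date(2024, 3, 2),  "https://login.microsoft.com/",      "a.smith@acme.example"),
    (date(2024, 3, 2),  "https://www.netflix.com/login",     "a.smith@gmail.example"),
    (date(2023, 1, 15), "https://acme.okta.com/",            "j.doe@acme.example"),
    (date(2024, 5, 20), "https://sso.globex.example/login",  "k.lee@globex.example"),
    (date(2022, 6, 1),  "https://adfs.initech.example/adfs", "p.ng@initech.example"),
]

# Constructed breach list: corporate email domain -> publicly reported breach date.
BREACHES = {"acme.example": date(2024, 4, 10), "globex.example": date(2023, 2, 1),
            "initech.example": date(2024, 1, 5)}

# Login hosts the post singles out as high-criticality corporate access.
HIGH_CRIT_HOSTS = ("login.microsoft.com",)
HIGH_CRIT_PREFIXES = ("sso.", "adfs.")
HIGH_CRIT_SAAS = (".slack.com", ".okta.com")

def host_of(url):
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def is_high_criticality(url):
    h = host_of(url)
    return (h in HIGH_CRIT_HOSTS or h.startswith(HIGH_CRIT_PREFIXES)
            or h.endswith(HIGH_CRIT_SAAS))

def corporate_hits(logs, domain):
    """Records whose account belongs to the company's own email domain."""
    return [e for e in logs if e[2].lower().endswith("@" + domain)]

def leaked_ever(logs, domain):
    return bool(corporate_hits(logs, domain))

def leaked_near_breach(logs, domain, breach_date, window_days=182):
    """At least one corporate record within +/- window of the breach date."""
    w = timedelta(days=window_days)
    return any(abs(e[0] - breach_date) <= w for e in corporate_hits(logs, domain))

def metrics(logs, breaches):
    """(% leaked ever, % leaked within the window), rounded to whole percent."""
    n = len(breaches)
    ever = sum(leaked_ever(logs, d) for d in breaches)
    near = sum(leaked_near_breach(logs, d, bd) for d, bd in breaches.items())
    return round(100 * ever / n), round(100 * near / n)

def high_criticality_exposures(logs, breaches):
    """(domain, login host, account) triples that warrant immediate rotation."""
    return [(d, host_of(e[1]), e[2]) for d in breaches
            for e in corporate_hits(logs, d) if is_high_criticality(e[1])]
```

Run against the sample, `metrics` reports that all three companies have a corporate credential in a log but only one within the window of its breach, and `high_criticality_exposures` lists the four SSO/IdP entries while ignoring the personal Netflix login.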
Infostealers: An Increasing Risk
As previously mentioned, the primary goal of threat actors is not to launch mass infostealer attacks specifically targeting corporate credentials. Instead, the theft of corporate credentials emerges as a valuable byproduct of the broader theft of consumer credentials. Nevertheless, there is substantial evidence that ransomware groups, initial access brokers, and other malicious actors are meticulously combing through infostealers to uncover corporate access.
If the surge of infostealer malware were viewed as a singular event, it might be regarded as the largest breach in history. While other breaches may have involved more individual records, such as the Equifax breach, infostealers encompass a far broader array of data. Stealer logs can include not only sensitive personal information but also browser history and saved credentials, providing a comprehensive view of an individual’s digital footprint. On average, we process 500,000 unique stealer logs weekly, each containing thousands to hundreds of thousands of unique data points about individuals or families.
Recommendations
To mitigate the risks associated with infostealer malware, organizations should prioritize monitoring for infections that may compromise corporate credentials. We recommend the following strategies:
- Restricting download privileges: Limit software download and installation capabilities to a select group of users. Implement application whitelisting to block unauthorized software, a common source of infostealer infections.
- Don’t share your corporate computer: Many infections occur when work computers are shared with family members.
- Don’t access illegal content: Avoid downloading stolen or “repackaged” applications, such as cracked software, which are frequent infection vectors.
- Disabling macros by default: Ensure that macros are disabled by default in all Office applications, as infostealers can be delivered through malicious documents. Educate users on the risks of enabling macros from untrusted sources.
- Regularly updating and patching software: Keep all software, including browsers and plugins, up to date with the latest security patches.
- Monitoring browser extensions: Restrict the installation of browser extensions, which can serve as delivery mechanisms for infostealers. Regularly audit installed extensions and remove any that are unnecessary or unapproved for business operations.
Stealer Logs and Flare
The Flare Threat Exposure Management (TEM) solution equips organizations with the tools to proactively detect, prioritize, and mitigate exposures commonly exploited by threat actors. Our platform continuously scans both the clear and dark web, as well as illicit Telegram channels, to uncover unknown events, prioritize risks, and provide actionable intelligence for immediate security enhancements.
Flare seamlessly integrates into your security program within 30 minutes and often replaces multiple SaaS and open-source tools. To explore how Flare can enhance your security posture, consider signing up for our free trial.