Tuesday, November 12, 2024
HomeCyber CrimeResearchers Detailed Credential Abuse Cycle

Researchers Detailed Credential Abuse Cycle

Published on

Malware protection

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them to gain unauthorized access. This can lead to data breaches, identity theft, and financial loss across diverse industries and geographic locations.

Compromised credentials pose a significant security risk primarily due to data breaches and user negligence. In Q3 2024, they accounted for 75% of DRP alerts, highlighting the urgency of understanding and mitigating these threats. 

Infostealers, like LummaC2, RedLine, and Raccoon, silently infiltrate systems to steal sensitive data using techniques like keylogging, form grabbing, and session hijacking, which pose significant risks to businesses worldwide, as stolen credentials often end up on cybercriminal marketplaces before detection.

- Advertisement - SIEM as a Service

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

RedLine infostealer activity halted after a law enforcement takedown in late October 2024.

However, a resurgence is expected shortly. To mitigate risks, users should avoid browser-stored passwords and employ password managers, while security teams should monitor outbound network traffic for C2 communication. 

Humans inadvertently expose sensitive data through misconfigurations, accidental sharing, or uploading to public repositories, leading to data breaches that can be just as harmful as malicious attacks.

An unintentional VirusTotal upload exposed confidential customer data, potentially compromising additional sensitive information. This highlights the risks of third-party tool usage and the need for robust data handling practices, even within legitimate platforms.

Telegram’s user-friendly interface and lenient moderation policies make it a popular platform for cybercriminals to easily buy, sell, and share stolen credentials, expanding the reach of potential attackers.

Despite recent efforts to remove illegal content, it remains a popular platform for cybercriminals. Credential leak services continue to thrive on the platform, facilitated by third-party services and active promotion on cybercriminal forums. 

An XSS user lists stealer log Telegram channels in response to a request from another user
An XSS user lists stealer log Telegram channels in comebackto a request from another user

A recent analysis by ReliaQuest demonstrates Telegram’s continued use by cybercriminals, despite Durov’s arrest, where threat actors remain undeterred, utilizing the platform to share contact details and conduct illicit activities.

Telegram’s dynamic nature, characterized by rapid credential sharing and channel turnover, hinders effective tracking and mitigation of stolen credentials exposure, posing significant business challenges.

Cybercriminal forums like XSS, Exploit, BreachForums, AggressorDB, and UFOLABS offer free and paid breached email-password combinations from various hacks. These combinations are repeatedly listed and reused, posing a persistent threat to online security.

Example of a log sales post on Russian Market
Example of a log sales post on Russian Market

Russian Market, a specialized cybercrime marketplace, sells compromised credentials with detailed information about their origin. It offers a professional, streamlined purchasing process and a reliable supply of fresh data, making it a popular choice for threat actors.

Stolen credentials enable threat actors to compromise networks through valid account abuse and credential stuffing, which can lead to data exfiltration, extortion, and other malicious activities. Campaigns like UNC5537, which targeted Snowflake instances, demonstrate this.

Threat actors abuse stolen credentials to gain unauthorized access, blend in with expected user behavior, and execute malicious activities like data theft and ransomware deployment, evading detection and increasing dwell time.

Credential stuffing attacks exploit password reuse and data leaks to compromise accounts. Attackers use automated tools to test stolen credentials on various platforms, potentially leading to unauthorized access to sensitive information and internal systems.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has...