SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

ReliaQuest warns of ongoing threat from credential abuse

Fri, 8th Nov 2024

ReliaQuest has published a comprehensive analysis of the credential abuse cycle, focusing on the theft, trade, and exploitation of usernames and passwords across criminal forums and encrypted apps such as Telegram.

The report comes on the heels of the recent law enforcement takedown of the infostealer RedLine. ReliaQuest indicates that while RedLine was ranked as the second most common infostealer in 2023, with a 44% increase in listings from Q3 to Q4, its activity has currently paused. However, ReliaQuest anticipates that RedLine may resume operations shortly, perhaps within one to three months, as law enforcement actions often only temporarily disrupt cybercriminal activities.

The report also highlights that, in Q3 2024, credential exposure alerts accounted for 75% of all alerts across ReliaQuest's customer base, underscoring the significant threat posed by compromised credentials. The Russian Market is identified as the predominant source for stolen credentials, offering detailed information about the origins of leaked data, including the type of infostealer used and the location of the theft.

Despite Telegram's founder Pavel Durov pledging to remove "problematic content" and comply more proactively with government requests, cybercriminal activities persist on the platform. An analysis of the XSS forum posts revealed that nearly all mentions of "Telegram" included user contact details, indicating that threat actors remain undeterred by recent developments.

Leaked credentials, ranging from usernames to passwords, often fall into the wrong hands through various means, including malware, phishing attacks, and even user negligence. For cybercriminals, these credentials provide easy access to infiltrate networks and secure critical data, potentially leading to account takeovers, identity theft, financial losses, and data breaches, affecting all sectors.

The report provides various insights into the mechanisms of credential theft, including infostealers, which surreptitiously collect personal, financial, and business data from compromised systems. From Q3 to Q4 2023, a 30.5% rise in marketplace listings for "stealer logs" was observed, marking the impact of widely used infostealers like 'LummaC2', RedLine, and 'Raccoon'.

In October 2024, RedLine's infrastructure, along with that of 'Meta' infostealer, was dismantled by international law enforcement, revealing charges against one of RedLine's developers. Yet, historical trends suggest RedLine might resume its operations soon.

ReliaQuest advises users to use dedicated password managers instead of storing credentials within browsers and recommends that security teams monitor outbound traffic to identify potential compromised systems promptly.

Data breaches, both targeted and accidental, are highlighted for their role in enabling credential theft and sales on illicit platforms. Interestingly, accidental breaches caused by human errors were noted to be significant, making up a substantial portion of breaches reported to the UK Information Commissioner's Office between 2019 and 2023.

Once credentials are stolen, they are often traded on cybercriminal forums, specialised marketplaces like the Russian Market, and messaging apps such as Telegram, making them accessible to many threat actors.

The report delves into the operation of these credentials in cybercriminal marketplaces, noting that platforms like Russian Market stand out for their detailed logs of compromised credentials, sold typically for USD $10 per log.

Stolen credentials are then exploited for network intrusion and other malicious activities. This includes financially motivated campaigns, such as one executed by 'UNC5537', which targeted Snowflake customer database instances. Credential abuse is identified in up to 36% of true-positive alerts in Q3 2024, emphasising its prominence among cyber threats.

Credential stuffing, another technique, takes advantage of password reuse across different accounts, allowing attackers to access additional systems using breached data.

ReliaQuest predicts that while transitioning to technologies like 'passkeys' might strengthen security, traditional credential abuse methods will remain prevalent for the foreseeable future.

The combined efforts of ReliaQuest's GreyMatter and GreyMatter DRP solutions aim to bolster defences against these threats by monitoring dark web forums and specialised marketplaces to identify risks and secure accounts.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X