Threat actors actively seek account credentials, often acquired through data breaches, malware infections, or user error, to gain unauthorized access to critical data.
Once stolen, these credentials are traded on a variety of platforms, such as specialty marketplaces, messaging apps like Telegram, and forums dedicated to cybercriminals.
Infostealers such as RedLine and LummaC2 are on the rise. They typically infiltrate systems via phishing or compromised websites and use techniques such as keylogging, form grabbing, and screen capturing to extract sensitive data, including credentials.
A recent takedown of RedLine’s infrastructure temporarily halted its operations, but it’s expected to resume soon. To mitigate risks, businesses should avoid browser-stored passwords, use password managers, and monitor outbound traffic for signs of compromise.
Data breaches continue to be a significant threat, even when robust defenses are in place, because malicious actors continue to exploit vulnerabilities, steal sensitive information, and then sell it on the dark web.
Accidental breaches, often caused by human error, are equally damaging, exposing personal data and compromising organizational security. Third-party relationships further complicate the issue, as organizations can’t guarantee the security practices of their partners, increasing the risk of data exposure.
Telegram remains a popular platform for threat actors to buy and sell stolen credentials, despite recent changes to its terms of service and increased law-enforcement scrutiny. Its appeal lies in its user-friendly interface, the absence of an account-approval process, and the difficulty of tracking and monitoring channels.
Cybercriminals' continued use of Telegram to share and sell compromised data poses a significant risk to businesses.
Cybercriminal forums such as BreachForums, XSS, and Exploit, along with specialized platforms such as AggressorDB and UFOLABS, offer stolen credentials both for free and for sale. Russian Market, a specialized Russian platform, sells logs of compromised credentials with detailed information about their origin.
According to ReliaQuest, stolen credentials pose a significant risk to network security because malicious actors can exploit them using a variety of techniques, such as valid account abuse and credential stuffing.
Valid account abuse involves gaining unauthorized access to legitimate accounts and using them to move laterally within a network, while credential stuffing reuses credentials stolen in unrelated breaches to access target accounts. Both allow attackers to bypass security measures, steal sensitive data, and launch further attacks.
To mitigate these risks, organizations must implement strong password policies, enforce multi-factor authentication, and monitor for suspicious login activity. Staying informed about the latest threat trends and implementing proactive security measures further helps protect against credential-based attacks.
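Monitoring for suspicious login activity, as an added example that is not from the article or from ReliaQuest's report: a small Python detector for the credential-stuffing pattern described above (one source address failing against many different accounts within a short window), run over constructed authentication log lines in an assumed key=value format. It also reports which accounts that source then logged into successfully, since those are the likely account takeovers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the article); the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z result=fail user=alice src=203.0.113.5
2024-05-01T10:00:02Z result=fail user=bob src=203.0.113.5
2024-05-01T10:00:03Z result=fail user=carol src=203.0.113.5
2024-05-01T10:00:04Z result=fail user=dave src=203.0.113.5
2024-05-01T10:00:05Z result=fail user=erin src=203.0.113.5
2024-05-01T10:00:06Z result=success user=frank src=203.0.113.5
2024-05-01T10:00:07Z result=fail user=alice src=198.51.100.9
2024-05-01T10:00:08Z result=fail user=alice src=198.51.100.9
2024-05-01T10:00:09Z result=success user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: (distinct_failed_users, successful_users)} for sources that failed
    against at least min_distinct_users different accounts inside `window`.
    A single user retrying a wrong password (one account, many failures) does not
    trigger this rule; spraying many accounts from one source does."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> {user}
    for ts, result, user, src in parse(log_text):
        if result == "fail":
            failures[src].append((ts, user))
        elif result == "success":
            successes[src].add(user)
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over sorted failures
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                hits[src] = (len(users), sorted(successes[src]))
                break
    return hits
```

In the sample, 203.0.113.5 is flagged (five accounts sprayed, then a successful login as frank), while 198.51.100.9 is not, because its failures all concern one account.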