October 18, 2023 at 11:16AM
Cybercrime, specifically data extortion ransomware attacks, is increasing dramatically. Stealer logs, which are logs containing stolen credentials and session cookies, are being distributed through Telegram channels and pose a significant threat. Single sign-on (SSO) applications used by enterprises are being compromised, exposing sensitive information and making social engineering tactics easier. It is crucial to prevent unauthorized device access to SSO services and to have effective monitoring tools to detect and remediate stealer logs. Flare is a SaaS platform that offers threat exposure management and can help organizations detect and prevent cyber threats.
Takeaway 1: There has been a significant increase in cybercrime, particularly data extortion ransomware attacks, in 2023 compared to 2022. Flare has identified a 112% increase in these types of attacks.
Takeaway 2: One of the driving factors behind this increase is the compromise of enterprise single sign-on (SSO) applications as part of infostealer malware attacks.
Takeaway 3: Infostealer malware, specifically Remote Access Trojans (RATs), infect victims’ computers and steal credentials, session cookies, and form fill information from browsers. This data is then sent to a backend server, and the malware self terminates to avoid detection.
Takeaway 4: The stolen data, known as stealer logs, can be used by threat actors for account takeover attacks, compromising bank accounts, and even compromising corporate IT environments. Approximately one million new stealer logs are distributed every month, with 3-5% containing credentials and session cookies for corporate IT environments.
Takeaway 5: Telegram is a key platform for the distribution of stealer logs. Threat actors can purchase access to infostealer malware on dedicated Telegram channels, and fresh logs are delivered through Telegram upon successful infection. Private channels are where high-value logs, including those with banking and corporate IT access, are sent to a limited number of paying threat actors.
Takeaway 6: Corporate SSO solutions are a crucial pillar of cybersecurity but can also be a vulnerability. Flare’s analysis of over 22 million stealer logs revealed over 312,000 corporate SSO application domains in publicly available logs, posing a significant risk. Stealer logs can contain SSO credentials, auto-fill data, and personal details that can be weaponized for social engineering.
Takeaway 7: Compromised SSO access allows threat actors to simultaneously compromise multiple services and can be attractive to initial access brokers looking to sell access to the highest bidder, often ransomware operators.
Takeaway 8: The use of a reliable and comprehensive monitoring tool, such as Flare’s SaaS platform, is crucial in detecting and remedying stealer logs shared on Telegram. Early detection can help prevent cyber-disasters.
Takeaway 9: Flare is a SaaS platform that offers tailored threat exposure management to organizations. It detects threats across dark web markets, illicit Telegram channels, and clear web sources of risk. The platform integrates into existing security programs and offers native integrations to build a threat-led cybersecurity program.