It’s not just your perception, cybercrime is increasing dramatically. At Flare we’ve identified a 112% increase in data extortion ransomware attacks in 2023 compared to 2022, and continue to see increasing activity in the cybercrime ecosystem.
One of the most underappreciated trends that is driving this dramatic increase is the compromise of enterprise single sign on (SSO) applications as part of infostealer malware attacks.
What is a “Stealer Log”?
Infostealer malware has quickly become one of the most pernicious but unknown threats to enterprise organizations. Infostealers are a type of Remote Access Trojan (RAT) that infect a victim’s computer and steal all of the credentials, session cookies, and form fill information saved in the browser.
The malware then sends this data to a specialized backend and self terminates, leaving little trace on the victim machine.
Threat actors can then leverage this data to launch account takeover (ATO) attacks, compromise bank accounts, and in some cases, compromise corporate IT environments.
We see around one million new stealer logs distributed every month, with an estimated three to five % containing credentials and session cookies to corporate IT environments.
Stealer Logs and Telegram
Telegram acts as the linchpin for the entire stealer log lifecycle. Threat actors can easily purchase access to infostealer malware with attendant command and control (C2) infrastructure in dedicated Telegram channels for a fixed monthly price.
Threat actors then distribute infostealer malware and leverage Telegram as the backend where fresh “logs” are delivered upon successful infection. Finally these log files are then distributed in public and private Telegram channels to other threat actors.
Private channels are where we believe most of the “high value” logs are sent to, including those with banking access and corporate IT environment access while lower value and older logs are distributed in public channels.
Private channels operate as paid commercial enterprises, with the channel owner distributing tens of thousands of logs per week to a limited number of threat actors who pay $200-$400 for access to the channel.
This allows them to get “first pick” of stealer logs, which are likely eventually distributed through public Telegram channels.
Stealer Logs and Single Sign On
Single sign on (SSO) solutions have emerged as a foundational pillar of corporate cybersecurity. SSO tools streamline authentication, allow organizations to enforce multi-factor authentication (MFA), enhance compliance measures, and offer a unified avenue for overseeing application access.
However, there’s a flip side; SSO solutions can also be an organization’s Achilles’ heel. In a recent project at Flare, we scrutinized five widely-used corporate SSO providers by examining over 22 million stealer logs.
Our findings revealed a staggering 312,855 corporate SSO application domains in publicly available stealer logs. Even accounting for expired session tokens, the risk magnitude is immense. We categorize the threats as:
- Stealer logs potentially housing credentials and active session tokens for SSO tools. This makes it feasible for malicious entities to access the accounts directly.
- Even if session cookies are no longer valid, stealer logs may contain browser’s “auto-fill” data, which gives threat actors details like employee identification numbers, home addresses, security question answers, credit card details, and more. This data can be manipulated to trick help desk staff into releasing 2FA and MFA codes.
- These logs also store vast personal details about staff, including sensitive information like credentials for adult content sites, bank details, and social media accounts. This data can be weaponized as blackmail material.
In some observed attacks targeting SSO-utilizing entities, there’s evidence suggesting attackers already possessed the SSO credentials, making their deceptive schemes significantly more straightforward.
It’s crucial to underscore the immense potential stealer logs present for social engineering tactics.
Whether through active session cookies or social engineering, once the SSO access is compromised, threat actors can leverage said access to compromise a multitude of services essentially simultaneously.
This vector can be particularly appealing to an initial access broker (IAB) looking to establish a foothold in an organization’s IT infrastructure, which would then be auctioned off to the highest bidder, oftentimes believed to be ransomware operators or affiliates.
Overall, using SSO as this unified, streamlined, centralized authentication process does not come without its flaws and potential vulnerabilities, of which threat actors are fully aware.
This highlights the importance of preventing users from accessing SSO services on a personal or unauthorized device, as the risk of infection is unequivocally higher on a device that is not managed by IT.
This attack pipeline highlights the need for a reliable and comprehensive monitoring tool with visibility into stealer logs shared on Telegram; early detection of a compromise can help prevent potential cyber-disasters.
Detect & Remediate Stealer Logs with Flare
Flare is a SaaS platform that delivers high-value, tailored threat exposure management to organizations. Flare detects threats across hundreds of dark web markets & forums, thousands of illicit Telegram channels, and clear web sources of risk.
Our SaaS platform integrates into your existing security program in 30 minutes with native integrations that enable you to build a threat led cybersecurity program. Sign up for a free trial to learn more.
Sponsored and written by Flare.