User Profile Compromise

The explosive growth of infostealer malware has been a major trend of the past four years. What even is an infostealer? Once it infects a computer, it steals information stored in the browser, such as saved passwords, form fill data, and session cookies, and exfiltrates it to a dedicated C2 infrastructure. 

The infostealer infects devices and steals the information stored in the browser, such as saved passwords. The stealer log is the record of that stolen sensitive information, and threat actors sell these logs on dark web markets and in prominent threat actor communities. Not only are stealer logs already a concerning external risk on their own, but they can also contain credentials for access to corporate IT environments, which security teams must prevent and remediate.

In our research on stealer logs, we’ve found that about 3-10% of stealer logs contain credentials to corporate SaaS applications. 

Threat actors have various ways of exploiting stealer logs, and monitoring for them is an essential part of boosting your organization’s cybersecurity posture. 

How Flare Addresses the Threat of Stealer Logs

How does Flare monitor for stealer logs?

Looking through illicit sources manually can be incredibly difficult, and searching for stealer logs relevant to your organization makes that search even more challenging.

Flare’s Threat Exposure Management (TEM) solution automatically monitors the clear & dark web to deliver prioritized, actionable intelligence on external threats, including stealer logs. 

We are tracking more than 65 million stealer logs with over 1.3 million new stealer logs per week.

To learn more about stealer logs and corporate access, read the report on Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.

Stealer Log Landscape: Brief Overview

What are stealer logs?

Stealer logs are files created by infostealer malware that record sensitive information from a victim’s computer. This malware is designed to stealthily infiltrate a user’s system and log various types of personal and confidential data. The “logs” in this context refer to the records of the data that the malware has captured from the infected system. Common variants include Redline, Aurora, Raccoon, Titan, and Vidar. One stealer log contains an average of 50+ active credentials to personal and corporate websites. 

Why are stealer logs concerning? 

Stealer logs are concerning because they contain a wealth of personal and sensitive information. Beyond login credentials, this data can include financial information, personal identification details, and more. The unauthorized access and potential misuse of this information pose significant privacy and security risks to individuals and organizations.

Stealer logs can be directly leveraged as the initial access point for ransomware. Initial access brokers can also buy stealer logs in bulk to identify which could serve as the initial access into corporate IT environments.  

According to our research on the healthcare sector, more than 50% of healthcare organizations, regardless of size, had an infostealer infection leak credentials in the past six months, and 10% had multiple infostealer leaks.

What information do stealer logs capture?

  • Web browser fingerprint (including all passwords and forms saved in the browser)
  • Operating system information
  • ISP information
  • Cryptocurrency wallet logins
  • Potentially confidential or sensitive files 

What is the evolution of stealer logs?

The evolution of stealer logs mirrors the broader trends in malware development. Initially simple keyloggers, these tools have evolved into sophisticated software capable of bypassing advanced security measures. Modern infostealers can now target specific applications, use advanced data exfiltration methods, and even include functionality for spreading to other systems.

Where do threat actors buy and sell stealer logs?

Prominent threat actor communities and dark web forums and markets facilitate the sale of stealer logs. Threat actors profit from, or build up their reputation by, distributing these stealer logs. 

What is infostealer malware?

Information stealer malware, or infostealer malware, is a form of Remote Access Trojan: malware that collects and sends a victim’s sensitive information to the malicious actor. Infostealer malware infects computers through social engineering methods such as phishing attacks and steals the browser fingerprint, which contains passwords saved to the browser along with form fill data. Infostealer variants include RedLine, Raccoon, Vidar, and more.

Threat actors sell infostealer malware with command and control infrastructure for as low as $100 per month, which is relatively inexpensive. This lowers the barrier for entry for cybercriminals.

Infostealer malware panels such as RedLine automatically parse the logs and call out high-value credentials, such as those for banking and financial services applications.

Why Do You Need to be Monitoring for Stealer Logs?

What are the risks associated with stealer logs?

The risks associated with stealer logs include identity theft, financial loss, unauthorized access to private and corporate networks, data breaches, and reputational damage. 

Employees often save passwords to their browsers, which are highly susceptible to infostealer malware attacks. Initial access brokers target stealer logs with access to CRMs, RDP, VPNs, cloud hosting platforms, SaaS applications, and other corporate resources. They can exploit and expand that access before reselling it on dark web forums. 

Threat actors highly value financial accounts, as they can directly steal from consumer accounts. According to our research, stealer logs with financial data sell for an average of $112 on Genesis Market, compared to an average of about $15 across all logs for sale. 

The panels to which the C2 infrastructure exfiltrates the stealer logs make it easy to identify “high value logs”: those with active session cookies and credentials to corporate SaaS apps such as Okta, JumpCloud, Auth0, etc. 

How do cybercriminals use stealer logs?

Threat actors use stealer logs in several ways: 

  • The most direct use is exploiting the stolen information for financial gain, such as using stolen credit card details. 
  • They can also use the information to gain unauthorized access to other systems.
  • They can sell the information to other criminals.

Best Practices for Preventing, Detecting, and Remediating Stealer Logs

What are recommendations for mitigating risk from stealer logs?

Stealer logs provide a relatively easy way for cybercriminals to access corporate IT environments. Organizations can prevent, detect, and remediate stealer logs through implementing these measures:

  • Password managers: Policies that encourage employees not to save their passwords in the browser eliminate a significant amount of risk.
  • MFA: Multi-factor authentication adds another layer of security to corporate devices. Stealer logs can contain session cookies, but it’s possible they would not be fresh enough to use.
  • Employee training: Cracked software downloads, malicious ads, and phishing attacks are the common methods for infostealer malware distribution. Employees are the first layer of defense against external risks, and providing training, especially additional training for users who fail the training, will holistically improve the organization’s defenses. 
  • Personal Device Policies: Employees saving corporate credentials in the browser of their personal computer are a major risk factor. Strict policies on employees accessing corporate resources from their personal devices would greatly help with avoiding infostealer malware.
  • Stealer Log Monitoring: Make sure your Continuous Threat Exposure Management plan includes monitoring for stealer logs across clear, deep, and dark web.
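The monitoring step above only pays off if the team can triage what it finds, using the same signals the “high value logs” section describes: corporate accounts, IdP/SSO credentials, and session cookies that are still fresh. The script below is an added example, not Flare’s code or code from the original page; the corporate and IdP domains and the stealer-log records are constructed assumptions.

```python
# Added example, not Flare's code: triage constructed stealer-log records
# against a corporate domain list, ranking IdP/SSO credentials and still-valid
# session cookies highest so the security team knows what to remediate first.
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumed (not from the page): the organisation's domains and the IdPs it uses.
CORP_DOMAINS = {"example-corp.com"}
IDP_DOMAINS = {"okta.com", "jumpcloud.com", "auth0.com"}
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # constructed "time of triage"

# Constructed sample records: (url, username, password captured?, cookie expiry or None)
SAMPLE_LOG = [
    ("https://example-corp.okta.com/login", "jdoe@example-corp.com", True, "2025-06-01T12:00:00+00:00"),
    ("https://mail.example-corp.com/", "jdoe@example-corp.com", True, None),
    ("https://shop.example.net/account", "jdoe@gmail.com", True, "2024-01-01T00:00:00+00:00"),
    ("https://app.jumpcloud.com/", "asmith@example-corp.com", False, "2025-05-20T08:30:00+00:00"),
]

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def cookie_is_fresh(expiry, now):
    """A captured cookie is usable only while its expiry lies in the future."""
    return expiry is not None and datetime.fromisoformat(expiry) > now

def triage(records, now):
    """Return corporate exposures with a risk score and remediation actions, highest first."""
    findings = []
    for url, user, has_password, cookie_expiry in records:
        host = (urlsplit(url).hostname or "").lower()
        user_domain = user.rsplit("@", 1)[-1].lower()
        if user_domain not in CORP_DOMAINS and not host_matches(host, CORP_DOMAINS):
            continue  # personal account on a non-corporate site: out of scope here
        fresh = cookie_is_fresh(cookie_expiry, now)
        score = 1
        if host_matches(host, IDP_DOMAINS):
            score += 3  # one SSO login fans out to every app behind the IdP
        if fresh:
            score += 2  # a live session cookie sidesteps MFA until it is revoked
        if has_password:
            score += 1
        actions = (["reset password"] if has_password else []) + (["revoke sessions"] if fresh else [])
        findings.append({"user": user, "host": host, "score": score, "actions": actions})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, NOW):
        print(finding)
```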

Monitoring for Stealer Logs with Flare

Flare’s Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically and constantly scans the clear & dark web and prominent threat actor communities to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to remediate risks from stealer logs and beyond. 

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.
