This document discusses how to protect organizations from credential theft. It provides an overview of the credential theft landscape and lifecycle. It explains how credential thieves gather credentials through various means like exploiting vulnerabilities, using compromised credentials from initial access brokers or ransomware-as-a-service groups, and monitoring for leaked credentials. The document recommends organizations implement account lockouts, anti-automation measures, strong password policies, and support for multi-factor authentication to help prevent credential theft. It promotes the services of Outpost24 and Blueliv to help customers assess security posture and discover threats.
Helping customers improve security posture since 2001
Full stack vulnerability and security assessment to automate cyber hygiene
Over 2,000 customers in over 40 countries
Europe’s leading cyberthreat intelligence provider
Search the open, deep, and dark web to discover customer-specific threat information for external cyberthreats and manage their digital risk
Request FREE credential theft assessment today!
Editor's Notes
SHERIFF AND REVIL GANG
“Sheriff” is a threat actor quite active in the cybercriminal underground.
The threat actor is an IAB who sells access to networks that they acquire using brute-forcing techniques and credential-stealing malware.
Sheriff has a prolific relationship with the REvil gang, selling access to victims’ networks to the ransomware gang, which then proceeds with ransomware attacks by encrypting and exfiltrating data.
Sheriff’s targets include companies from a wide range of sectors in North America, Western Europe, and Australia; yet, U.S. financial institutions are by far their most preferred and recurrent target.
DRUMRLU/3LV4N AND THANOS RaaS (Note: in this case the relationship is very clear) The joint ventures that they announce:
“drumrlu” (aka 3lv4n) is an initial access broker and database seller active in underground forums since at least May 2020.
On July 18, 2020, Nosophoros posted on Exploit “drumrlu is a good vendor, I vouched for him before and I still do. Glad you are back”.
drumrlu also left a review on Nosophoros’ profile stating “Best RaaS, Best Programmer”. Another comment from the threat actor “peterveliki” supports the potential partnership between drumrlu and Nosophoros: “I bought access from this seller – everything went smoothly. A very helpful dude. He also recommended using Thanos from Nosophoros, which turned out to be very helpful in this case. Good seller, I recommend”.
Initial Access Brokers (IABs) are financially motivated threat actors that profit through the sale of remote access to corporate networks in underground forums, like Exploit, XSS, or Raidforums.
Portals that privileged accounts have access to
Portals that VIPs have access to
Unsecured portals increase the likelihood of compromise
1) Account lockout: the most common and easily launched password attack is a simple dictionary-based or brute-force attack, where an attacker tries a list of passwords against a common account or a username they have discovered somewhere.
2) Anti-automation: great for preventing automated username enumeration techniques or password spraying attacks. Sometimes anti-automation takes the form of a CAPTCHA that a user has to answer to log in.
3) Password policy: at least 8 characters in length, and prevent extremely common passwords using a blacklist.
4) Multi-factor authentication: two-factor via app, SMS, etc.
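As an added example (not part of the original presentation), the detection side of points 1 and 2: a small Python script that flags accounts showing the brute-force pattern that lockout is meant to stop, and source addresses showing the password-spraying pattern that stays under per-account lockout and so needs per-source anti-automation. The failed-login events, thresholds and time windows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events as (timestamp, source_ip, username);
# alice is brute-forced from one IP, 203.0.113.9 sprays one guess across five accounts.
SAMPLE_FAILURES = [
    ("2023-01-01T10:00:00", "198.51.100.7", "alice"),
    ("2023-01-01T10:00:05", "198.51.100.7", "alice"),
    ("2023-01-01T10:00:10", "198.51.100.7", "alice"),
    ("2023-01-01T10:00:15", "198.51.100.7", "alice"),
    ("2023-01-01T10:00:20", "198.51.100.7", "alice"),
    ("2023-01-01T10:01:00", "203.0.113.9", "bob"),
    ("2023-01-01T10:01:02", "203.0.113.9", "carol"),
    ("2023-01-01T10:01:04", "203.0.113.9", "dave"),
    ("2023-01-01T10:01:06", "203.0.113.9", "erin"),
    ("2023-01-01T10:01:08", "203.0.113.9", "frank"),
    ("2023-01-01T12:30:00", "192.0.2.44", "bob"),  # a lone typo, not an attack
]

def _group(events, by_user):
    """Parse timestamps and group failures by username (by_user) or by source IP."""
    groups = defaultdict(list)
    for ts, ip, user in events:
        groups[user if by_user else ip].append((datetime.fromisoformat(ts), user))
    return {k: sorted(v) for k, v in groups.items()}

def accounts_to_lock(events, threshold=5, window=timedelta(minutes=15)):
    """Usernames with >= threshold failures inside any sliding window: the
    classic brute-force pattern that account lockout is meant to stop."""
    locked = set()
    for user, hits in _group(events, True).items():
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                locked.add(user)
                break
    return locked

def spraying_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs that failed against >= min_accounts distinct usernames inside a
    window: password spraying makes one or two guesses per account, so per-account
    lockout never fires and the pattern has to be detected per source."""
    flagged = set()
    for ip, hits in _group(events, False).items():
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged
```

The thresholds are deliberately separate: tightening the per-account lockout alone does nothing against the spraying source, which only ever fails once per account.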
Reducing Authentication Attack Surface
Build a process to discover applications that could be prone to credential theft
Use intelligence to detect malicious activity around those applications
Employees using their corporate emails to connect to third-party applications
Users whose credentials have been stolen via botnets
This helps prevent potential damage from malicious activity