CISO’s Attention! Malware Are Targeting Browsers To Steal Usernames & Passwords Leading To Exposure Of Enterprise Crown Jewels

By Smith Gonsalves In MUMBAI: There have been reports and news flashes about data leaks of various organizations on the Dark Web due to the RedLineInfoStealer Malware. These reports are claiming that sensitive PII information from these organizations has been leaked in these breaches. However, the data that RedLineInfoStealler Malware has leaked is only usernames, emails and passwords, which can be classified as collateral damage, which is bound to happen, as securing the third-party vendors and consumers personal equipment’s is way difficult than securing and deploying secured infrastructure within the organization. Therefore, the attribution of responsibility to the organizations is an overhyped and eye-catching misdirection being given to the issue – also termed as “clickbait”. These reports are mischievous as they target large scale organizations for financial and business gains by making noise about their (non-existent) security lapses.

These types of stunts are commonly performed to gain visibility by bad-mouthing an organization’s brand value whereas there isn’t any major lapse like we saw in Dominos or SolarWinds (where other organizations did get impacted since there was some linkage with the SolarWind dependencies). It is just an unethical way of proclamation instead of responsible reporting and uncertainty to make a false name for oneself.  

Every year we see new trends where sophisticated malwares, packaged with different TTP (Techniques Tactics & Procedures), are used as weaponsto spam a larger cross-section of consumers, third-party vendors and enterprises. This is so, primarily because the main target of these malwares is to gain traction among the large-scale enterprises and to create noise among the black hat community about a possible data breach.

From the start of the pandemic, I have been reiterating that many hackers have lost their jobs and are totally focused on the generation of financial gains through illegal black hat activities for which, Dark Web has been a vital source for earning quick money. They use sensitive information to weaponize their target enterprises.

We are reading reports of the exploitation by a malware known as RedLineInfoStealler which uses CVE-2022-1096 and is uploading the data for sale on 2easy Dark Web Market Place. Allegedly there are about half a million credentials exposed on the Dark Web having vital user information belonging to various organisations. The data uploaded by malware consists of browser activity logs where chances of getting username, credentials and system information is very likely. This is not like the conventional theft of enterprise sensitive employee or user governing data where there is a specific breach that results in the exfiltration of PII or User processed data.

Since this Malware & Dark Web Forum has been active for about 2 years, the spamming has affected various targets and harvested a large number of usernames, emails, credentials and website links of enterprises.

Due to this nature of the attack it cannot be called as a breach from the corporate entity and should be termed as atheft of identities from individuals who have stored their passwords in their browsers merely for ease of access. This situation is just like HaveIBeenPwned updating whether your mail was part of a breach or not. Also, from the enterprise end this can be considered as collateral damage done to leverage the chances of exfiltration and penetration within the Internal Infrastructure, which is throttled through continuous monitoring and detection mechanisms that various high tech organisation relay on.    

With these browser stealer-based malwares on the rise, a wide range of users belonging to the consumer and third-party vendors have been targeted. This can be classified in one of the most debated concern areas that bothers CISO and that is Shadow IT. The bigger problem here is that it is possible to secure an organisation’s infrastructure but it’s hard to control the security of third-party vendors who don’t operate in the organisation’s infrastructure.

The dependability on these third-party users is a business factor which comes with financial implications and it is important that their security should be reviewed. The reason is that it is affecting the organisation’s internal security and thus it is critical that the third party is equally prioritised and analysed for blind spots which can lead to internal security collapse.

Talking about other-end of the consumer security it has moreover being uncontrollable because of the technical factors such as security towards systems owned by users, the antivirus, the admin authentication, the liberty to browse pirated context and malicious context being used as fuel to inject malwares in this case RedLineInfoSteallerhas targeted the consumers and third-party vendors. This malware targets the majority of browsers like Chrome & Edge, the delivery of this malware is done through compilation of the malware with other applications and at times it is also delivered through malicious macros attached on excel files. This malware infects the browsers to steal cookies and files sqlite database of browsers which includes stored passwords, usernames, emails &URLs.  

The overall security that enterprise can take to secure these consumers is to enforce security controls on the servers or the product functionality Eg- Multi Factor Authentication, Access Control, Blocking of Redirection, Error Handling, Unknown Login Detection, safety of data generated and processed at the enterprise’s end and moving towards PasswordLess using zero trust approach. 

From the end consumer side, it is vital for them to segregate and use secured isolated VM’s to connect and browse client-side information which they want to access, along with having minimum Anti-Virus solution and taking cognizance that any malicious activity detected the user should report to the client or wait until forcefully execution of the same. As it can have an adverse effects in enabling malware to operate.    

Having said that, enterprises have also started maturing their Infrastructure through investment in cyber security into people process and technology, the enterprises have been quite ambitious in terms of privacy and security of their products and internal operation of their organisation. Even various Dark Web Monitoring solutions have been procured by organisations to ensure that they are alerted of every single activity targeting their infrastructure on Social Media, Dark Web & Digital Web. In this context, I am particularly referring to large scale enterprises and organisation who are in the Fortune 500 as they have their financials strong enough to invest in Cyber Security which is not common with medium and small scale enterprises.

Writer – Smith Gonsalves (Cyber Evangelist & Information Security Professional)