Cyble Finds Thousands of Security Vendor Credentials on Dark Web
Overview
Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.
The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including security companies' own internal enterprise and development environments, where exposure could pose substantial risk.
The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.
Leaked Security Company Credentials
Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.
Cyble looked at 13 of the largest enterprise security vendors—along with some of the bigger consumer security companies like McAfee—and found credentials from all of them on the dark web. The credentials were likely pulled from info stealer logs and then sold in bulk on cybercrime marketplaces.
Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.
Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.
Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.
The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. The vendors included:
- CrowdStrike
- Palo Alto Networks
- Fortinet
- Zscaler
- SentinelOne
- RSA Security
- Exabeam
- LogRhythm
- Rapid7
- Trend Micro
- Sophos
- McAfee
- Qualys
- Tenable
All have had credential exposures since the start of the year alone; ideally these were addressed quickly, or at least the affected accounts required additional authentication steps for access.
Trend Micro and Sophos have large consumer security businesses, as does McAfee, which exited the enterprise business in 2021. McAfee, for example, has had more than 600 credential leaks since the start of the year, almost all for consumers’ account access, likely harvested from info stealer attacks on the consumers’ personal devices.
CrowdStrike has had more than 300 credentials exposed since the start of the year, although some of those may be duplicates offered for sale across multiple forums. Most of those appear to be customer Falcon account credentials, again likely harvested from info stealers on customer endpoints. As some of those customers are high-tech companies and others with sensitive data, including a pharmaceutical giant and a large financial firm, they have a strong interest in keeping those accounts secure.
Some internal CrowdStrike accounts also appear to have been exposed this year, but those largely appear to be web marketing accounts, data that would likely have value only for competitors.
Palo Alto Networks and some other vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial. Palo Alto has had nearly 400 credential exposures so far this year, most of them from customer leaks.
Credential Leaks Could Aid in Hacker Reconnaissance
Even if all the exposed accounts were protected by other means, as ideally they were, such leaks are concerning for another reason: they can help threat actors conduct reconnaissance by showing them which systems a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.
Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.
Conclusion: Dark Web Monitoring is Critical for Everyone
Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.
Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.
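The triage a monitoring team would apply to findings like those above, as an added example that is not Cyble's code or methodology: it discards leaks older than a cutoff (the time-value point), collapses duplicates offered on several forums, separates staff accounts from customer accounts by email domain, and raises the priority of staff accounts on the internal systems the post names. The sample records, the org domain `vendor.example`, the cutoff date and the host-label matching are all constructed assumptions.

```python
from datetime import date
from urllib.parse import urlparse

# Services the post lists as potentially critical internal systems. Matching a
# DNS label of the login URL's host against these names is this example's own
# heuristic (an assumption), not Cyble's classification.
CRITICAL_LABELS = {"okta", "atlassian", "jira", "github", "aws", "microsoftonline",
                   "salesforce", "solarwinds", "box", "wordpress", "oracle", "zoom"}

# Constructed stealer-log style records (url, account, date first seen, forum).
# Passwords are deliberately not carried into the triage pipeline.
SAMPLE_LEAKS = [
    {"url": "https://vendor.okta.com/login", "user": "dev1@vendor.example", "seen": "2024-02-11", "forum": "market-a"},
    {"url": "https://vendor.okta.com/login", "user": "dev1@vendor.example", "seen": "2024-02-14", "forum": "market-b"},
    {"url": "https://www.vendor.example/marketing/admin", "user": "mkt@vendor.example", "seen": "2024-03-01", "forum": "market-a"},
    {"url": "https://console.vendor.example/login", "user": "analyst@customer.example", "seen": "2024-01-20", "forum": "market-c"},
    {"url": "https://github.com/login", "user": "dev2@vendor.example", "seen": "2023-11-05", "forum": "market-a"},
]

def classify(record, org_domains, cutoff_iso):
    """Return ((user, host), priority), or None if the leak predates the cutoff."""
    if date.fromisoformat(record["seen"]) < date.fromisoformat(cutoff_iso):
        return None  # older leaks are likelier to have been rotated already
    user = record["user"].lower()
    host = (urlparse(record["url"]).hostname or "").lower()
    internal = any(user.endswith("@" + d) for d in org_domains)
    critical = bool(set(host.split(".")) & CRITICAL_LABELS)
    if internal and critical:
        priority = "critical"   # staff account on an Okta/GitHub/AWS-class system
    elif internal:
        priority = "high"       # staff account on a lesser system, e.g. a marketing console
    else:
        priority = "medium"     # customer account: notify, force a reset, confirm MFA
    return (user, host), priority

def triage(records, org_domains, cutoff_iso):
    """Deduplicate leaks across forums, keeping every forum and the earliest sighting."""
    findings = {}
    for rec in records:
        result = classify(rec, org_domains, cutoff_iso)
        if result is None:
            continue
        key, priority = result
        entry = findings.setdefault(key, {"priority": priority, "forums": set(), "first_seen": rec["seen"]})
        entry["forums"].add(rec["forum"])
        entry["first_seen"] = min(entry["first_seen"], rec["seen"])
    return findings

if __name__ == "__main__":
    for (user, host), f in triage(SAMPLE_LEAKS, {"vendor.example"}, "2024-01-01").items():
        print(f"{f['priority']:8} {user} @ {host} forums={sorted(f['forums'])} first_seen={f['first_seen']}")
```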
If the largest security vendors can be hit by infostealers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing—and ideally preventing—data breaches, ransomware, and other cyberattacks.
The post Cyble Finds Thousands of Security Vendor Credentials on Dark Web appeared first on Cyble.