Password managers under increasing threat as infostealers triple and adapt

Malware-as-a-service infostealers: For example, RedLine Stealer is specifically designed to target and steal sensitive information, including credentials stored in web browsers and other applications. It is often distributed through phishing emails or by tricking prospective marks into visiting booby-trapped websites laced with malicious downloaders.

Another threat comes from Lumma stealer, offered for sale as malware-as-a-service and used by criminals to target cryptocurrency wallets, login credentials, and other sensitive information on a compromised system.

Substantial increases in infostealer malware use were also reported in 2022, but Dr. Suleyman Ozarslan, Picus Security co-founder and VP of Picus Labs, told CSO that this recent three-fold increase in malware targeting password stores represents a significant shift in adversarial focus and tactics.

Newer operating systems have implemented robust defenses against traditional credential dumping techniques, such as those targeting LSASS (Local Security Authority Subsystem Service) memory and Security Account Manager, forcing cybercriminals to switch up their tactics.

“As operating systems implement stronger defenses against traditional credential dumping techniques, attackers are adapting their tactics to focus on less-protected targets like password stores,” Dr. Ozarslan said.

Password store attacks typically require fewer specialized privileges; often, the malware just needs user-level access to scrape or export data.

Password reuse across multiple accounts, including password managers, allows attackers to leverage credentials stolen from one breach to attempt access to other services through so-called credential stuffing attacks.

Cybercriminals feast on credential theft: Stolen credentials from password stores often include not just domain logins, but also credentials for financial, administrative, and strategic cloud services.

Chris Morgan, senior cyber threat intelligence analyst at threat intel firm ReliaQuest, said that credential theft remains one of the most common methods used by threat actors, largely because it continues to work.

“Endemic security failings across most sectors persist, leaving the door wide open for exploitation,” Morgan said.

ReliaQuest collections reveal a greater than 50% increase in infostealer logs, containing harvested credential pairs, posted on the dark web in 2024 compared to 2023. During the same period, initial access listings on cybercriminal platforms surged by 142%.

This surge in available credentials has empowered initial access brokers (IABs) to deliver quick, low-effort access to privileged systems at scale.

Among the 2024 incidents analyzed by ReliaQuest, 50% involved the use of valid or exposed credentials for initial access.

“The consequences are staggering: 66% of customer ransomware incidents in 2024 stemmed from initial access likely purchased from an IAB, underscoring how stolen credentials are paving the way for ransomware attacks,” Morgan said. “While not all of these incidents are related to the targeting of credential stores, these findings highlight the growing role of infostealing malware in facilitating cybercrime, cementing its place as a key enabler of large-scale attacks.”

Matt Berzinski, senior director at Ping Identity, told CSO that credential store attacks are surging because they offer threat actors a massive return on investment.

“For threat actors, gaining access to a password manager is like hitting the jackpot,” Berzinski said. “Picus Security’s findings reflect a broader trend: Attackers increasingly target browser-stored logins and stolen credentials from the dark web, then reuse those passwords across multiple sites to gain access.”

Berzinski added: “Once they’re in a credential store, they can move laterally to gain more intelligence, a hacker’s playground.”

Attack automation allowing attackers to hack at scale: Attacks against credential stores are rising partly because these attacks have become easier and more automated, with widely available tools enabling cybercriminals to extract and exploit credentials at scale. In addition, “many businesses still rely on passwords as their primary defense, despite the known security risks, due to challenges around MFA [multi-factor authentication] adoption and user friction,” Berzinski said.

David Sancho, senior threat researcher at anti-malware vendor Trend Micro, told CSO that the increase in malware targeting credential stores is unsurprising.

“We are definitely seeing a rise in malware targeting credential stores, but this is hardly a surprise to anybody,” Sancho said. “Credential stores are where credentials are located, specifically on the browser. Every time you let the browser ‘memorize’ a user/password pair, it gets stored somewhere. Those locations are certainly the prime targets, and have been for a long time, for infostealers.”

Darren Guccione, CEO and co-founder of password manager vendor Keeper Security, acknowledged that cybercriminals were targeting credential stores but argued that some applications were better protected than others.

“Not all password managers are created equal, and that distinction is critical as cybercriminals increasingly target a broad range of cybersecurity solutions, including credential stores,” Guccione said. “Some password managers offer airtight protection with zero-trust architecture and encryption that even the provider cannot access, while others leave sensitive data more vulnerable to malware and breaches.”

Best practice advice: Enterprise security managers should look to deploy more secure password manager technologies that offer zero-knowledge encryption, ensuring only the end user can access stored credentials. Users should seek products with full end-to-end encryption, with encryption and decryption of data always occurring locally on the user’s device.

Organizations should also implement privileged access management (PAM) to enforce least-privilege access and monitor privileged accounts in real-time.

“Even the most secure password manager requires user diligence to ensure it is properly protected, the use of a strong, unique master password and multi-factor authentication (MFA) are essential,” Guccione said. “Features like device verification further protect against password-stuffing attacks.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3825453/password-managers-under-increasing-threat-as-infostealers-triple-and-adapt.html
