
Cybersecurity Today: Stolen Credentials, Firewall Leaks, and Energy Sector Risks In this episode of Cybersecurity Today, host Jim Love discusses the alarming sale of thousands of credentials from leading cybersecurity vendors on the dark web, a...
Jim Love
Foreign stolen credentials, configuration leaks, education breaches and energy sector risks. This is Cybersecurity Today. I'm your host, Jim Love.

Thousands of credentials from leading cybersecurity vendors have been found for sale on dark web marketplaces, according to security researchers at Cyble. Cyble didn't name the affected vendors due to security implications, but the data included passwords for internal systems, customer accounts and cloud-based environments, putting both the vendors and their clients at risk. Cyble's report notes that many of the stolen credentials were tied to recent breaches, making the threat particularly urgent. Some of these credentials allow access to management and developer systems, which attackers can use to locate sensitive data and exploit vulnerabilities. These included systems like Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle and Zoom, plus several other password managers, authentication systems and device management platforms. Some of these accounts could be bought for as little as $10. We hope that in most cases these are protected by multi-factor authentication, but that may not provide sufficient protection if attackers already possess privileged access details. The researchers warned that these leaked credentials often serve as precursors to larger incidents such as ransomware attacks. Organizations are urged to take immediate steps to secure their systems, review access permissions and strengthen their defenses against infostealer malware. There's a link to Cyble's blog in our show notes.

Nearly 5,000 organizations have been impacted by a recent leak of FortiGate firewall configuration files. We've covered this story earlier. The files were posted online by the Belsen Group, a cybercriminal organization, after exploiting a zero-day vulnerability, CVE-2022-40684, in 2022.
The files were router configuration files, which contained detailed information about network setups, including firewall rules, VPN configurations and even email addresses. This type of leak is particularly dangerous as it provides attackers with insights into how networks are structured, enabling reconnaissance, lateral movement and potentially devastating attacks with things like ransomware. While not all leaked files include email data, researcher Kevin Beaumont used what was there to compile a list of affected addresses to help organizations identify their exposure. Fortinet has urged affected organizations to update credentials, secure their systems and monitor for signs of exploitation. The incident underscores the critical need for organizations to safeguard configuration files and ensure vulnerabilities in network devices are patched promptly.

A major breach at education technology provider PowerSchool has exposed sensitive data for millions of students, parents and teachers across North America. We covered the story last week. The compromised data, which included names, addresses, Social Security numbers, medical records and academic grades, was accessed through PowerSchool's PowerSource support portal. The breach was discovered in 2024, but it was not caused by vulnerabilities in school districts, but rather by compromised credentials within PowerSchool systems. In response, PowerSchool is offering affected individuals two years of free credit monitoring and has engaged cybersecurity experts to strengthen their defenses. However, frustration remains high as families and educators face the potential consequences of identity theft and fraud. Multiple lawsuits have been filed alleging negligence by PowerSchool in protecting this sensitive data. These lawsuits are demanding damages and stricter cybersecurity practices.
The breach highlights the growing need for education technology providers to implement robust security measures as their platforms increasingly hold critical personal and educational data.

And the U.S. energy and utilities sector is facing a growing threat. As just one example, ransomware attacks increased by 80% year over year, according to a report from Trustwave SpiderLabs. Nearly half of all ransomware attacks in the sector occurred in the U.S., with the Hunters International group responsible for 19% of incidents in late 2024. Phishing remains the most common attack vector, used in 84% of breaches to gain initial access. Once inside, attackers frequently employ brute-force techniques to access credentials and use Remote Desktop Protocol vulnerabilities for lateral movement within these networks. The aging infrastructure compounds the risks and increases these vulnerabilities. In the U.S., much of the electrical grid is over 40 years old, and many operational technology systems lack modern protections or even proper segmentation. And classical prevention, such as updating or patching these systems, is challenging due to the need for continuous operation, again leaving vulnerabilities open for exploitation. The consequences of these attacks go beyond financial losses, which average about $5.29 million per breach. Disruptions to power, transportation, healthcare and other civic services can exponentially multiply the damage and the impact. The report calls for immediate investments in modernizing legacy systems, training employees to identify phishing attacks, and implementing OT-specific cybersecurity measures to protect this essential sector. There's a link to the report in the show notes.

The vulnerability of our infrastructure is now a problem of critical proportion. We are studied and even attacked by nation states and by cybercriminals.
And while the report gives statistics, we'll be rerunning a show this weekend where an ethical hacker will walk you through a city's infrastructure. And while the show is almost a year old, the issues unfortunately have not changed substantially. Check it out on Saturday morning.

And that's our show for today. You can reach me with tips, comments, and even occasionally with some constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Stolen Credentials from Leading Vendors Selling for $10
Episode Release Date: January 24, 2025
Host: Jim Love
In this episode of Cybersecurity Today, host Jim Love delves into a series of alarming cybersecurity incidents affecting various sectors, including cybersecurity vendors, education technology providers, and the U.S. energy sector. The discussions highlight the severity of stolen credentials, configuration leaks, and the escalating threats faced by critical infrastructure.
Timestamp: [00:00]
Jim Love opens the episode by addressing a significant security concern: thousands of credentials from prominent cybersecurity vendors have been discovered for sale on dark web marketplaces. According to security researchers at Cyble, these credentials encompass passwords for internal systems, customer accounts, and cloud-based environments, posing substantial risks to both the vendors and their clients.
Notable Quote:
"These leaked credentials often serve as precursors to larger incidents such as ransomware attacks."
— Jim Love [02:15]
Recommendations: Organizations are urged to immediately secure their systems, review access permissions, and reinforce defenses against infostealer malware. A link to Cyble's detailed report is available in the show notes for further information.
Timestamp: [04:30]
Jim transitions to discuss a recent leak of FortiGate firewall configuration files affecting nearly 5,000 organizations. The files were posted by the Belsen Group, which had exploited the zero-day vulnerability CVE-2022-40684 in 2022, and they expose sensitive network setup details.
Notable Quote:
"This type of leak is particularly dangerous as it provides attackers with insights into how networks are structured."
— Jim Love [05:45]
Implications: The breach underscores the necessity for organizations to protect configuration files rigorously and ensure prompt patching of vulnerabilities in network devices.
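As an added example, not from the episode, from Fortinet or from Kevin Beaumont, the Python script below does the kind of exposure triage this segment describes on a constructed FortiGate-style configuration: it lists every credential-bearing field that must be rotated (admin passwords, IPsec pre-shared keys, local user passwords), extracts email addresses so affected people can be notified, and flags admin accounts whose trusted-host setting allows logins from any source address. The section and field names follow FortiOS syntax; every hostname, address and ENC value in the sample is made up.

```python
"""Exposure triage for a leaked FortiGate-style configuration.

Added example, not from the episode, from Fortinet or from Kevin Beaumont.
The configuration text is constructed for illustration: section and field
names follow FortiOS syntax (config / edit / set / next / end), every
hostname, address and ENC value is made up.
"""
import re

# Constructed sample of the kind of sections found in a FortiGate backup.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-BRANCH-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC SH2aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdef=
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC SH2zYxWvUtSrQpOnMlKjIhGfEdCbA9876543210fedcba=
    next
end
config vpn ipsec phase1-interface
    edit "HQ-TUNNEL"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC PSKPLACEHOLDER000000000000000000000000000000000=
    next
end
config user local
    edit "jdoe"
        set type password
        set email-to "jdoe@example.com"
        set passwd ENC USERPLACEHOLDER0000000000000000000000000000000=
    next
end
config system email-server
    set reply-to "netops@example.com"
    set server "smtp.example.com"
end
"""

# Fields whose values are credential material. FortiOS stores them as
# 'ENC <blob>', which is not plaintext, but the blob is what the attacker
# now holds, so every one of these must be rotated, not just reviewed.
SECRET_FIELDS = {"password", "passwd", "psksecret", "private-key"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANY_HOST = "0.0.0.0 0.0.0.0"   # FortiOS trusthost value meaning 'from anywhere'


def triage_config(text):
    """Return secrets to rotate, exposed email addresses and admin accounts
    that accept logins from any source address."""
    findings = {"secrets": [], "emails": set(), "admins_from_anywhere": []}
    section = []          # stack of open 'config ...' names
    current_edit = None   # object name inside an 'edit "..."' block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section.append(line[len("config "):])
        elif line == "end" and section:
            section.pop()
        elif line.startswith("edit "):
            current_edit = line[len("edit "):].strip('"')
        elif line == "next":
            current_edit = None
        elif line.startswith("set "):
            parts = line.split(None, 2)
            field = parts[1]
            value = parts[2] if len(parts) > 2 else ""
            if field in SECRET_FIELDS:
                findings["secrets"].append((" / ".join(section), current_edit, field))
            findings["emails"].update(EMAIL_RE.findall(value))
            if (section and section[-1] == "system admin"
                    and field.startswith("trusthost") and value == ANY_HOST):
                findings["admins_from_anywhere"].append(current_edit)
    return findings


if __name__ == "__main__":
    result = triage_config(SAMPLE_CONFIG)
    for where, name, field in result["secrets"]:
        print(f"ROTATE   {where} / {name}: {field}")
    for addr in sorted(result["emails"]):
        print(f"NOTIFY   {addr}")
    for name in result["admins_from_anywhere"]:
        print(f"RESTRICT admin '{name}' accepts logins from any address")
```

Run against a real backup, the rotation list is the minimum to act on: the ENC blobs in a leaked file are exactly what an attacker can try to reuse or crack, so changing the underlying admin passwords, VPN pre-shared keys and local user passwords on the device matters more than the review and monitoring steps. The email list is the same idea Beaumont applied across the whole dump, done here for a single organization's own file.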
Timestamp: [09:20]
The conversation shifts to a major breach at PowerSchool, an education technology provider, which has exposed sensitive data of millions across North America.
Notable Quote:
"Families and educators face the potential consequences of identity theft and fraud."
— Jim Love [10:50]
Legal and Reputational Impact: Multiple lawsuits alleging negligence in data protection have been filed against PowerSchool, demanding damages and stricter cybersecurity practices. This incident highlights the critical need for robust security measures in education technology to protect increasingly sensitive personal and educational data.
Timestamp: [14:10]
Jim addresses the growing cybersecurity threats targeting the U.S. energy and utilities sector, emphasizing the surge in ransomware attacks and the vulnerabilities inherent in aging infrastructure.
Notable Quote:
"The vulnerability of our infrastructure is now a problem of critical proportion."
— Jim Love [16:30]
Consequences: Beyond financial losses averaging $5.29 million per breach, attacks can disrupt essential services like power, transportation, and healthcare, amplifying the impact well beyond the targeted organization.
Recommendations: Immediate investments in modernizing legacy systems, comprehensive employee training to recognize phishing attempts, and the implementation of specialized cybersecurity measures tailored for the energy sector are crucial.
Additional Content: Jim mentions an upcoming rerun featuring an ethical hacker demonstrating vulnerabilities in a city's infrastructure, underscoring that despite ongoing awareness, many issues remain unresolved.
Jim Love wraps up the episode by reiterating the critical nature of the discussed cybersecurity threats and the imperative for organizations across various sectors to enhance their security posture proactively. He invites listeners to engage with him through tips, comments, and constructive criticism at editorial@technewsday.ca.
For more detailed reports and resources mentioned in this episode, refer to the show notes provided.
Stay informed and secure in an increasingly risky digital landscape with Cybersecurity Today.