Threat Research Advisory - When Your Company Hits the Darknet: Navigating the Surge in High-Validity Combolist-as-a-Service Threats


Global Cyber Threat Intelligence Research Advisory - 01

Disclaimer: The Global Threat Intelligence Research Advisory, published by Daily Threat Lens, is based on independent research from OSINT, COMINT, and counterintelligence reports available on the internet. This report is intended for educational and cyber threat intelligence sharing purposes only. Companies are advised to consult legal experts and comply with relevant laws and regulations in their region to ensure that any dark web monitoring activities are conducted legally and ethically. All references and report links are provided in the reference section.

Summary

From open-source intelligence platforms and threat research reporting, we have noticed a marked increase in the validity of the combolists of stolen credentials being traded by threat actors.

A combolist is a compilation of leaked usernames, email addresses and passwords harvested from multiple data breaches. Cybercriminals assemble these lists of previously breached credentials and replay them against websites and applications.

SpyCloud's researchers found that certain combolists exhibit high validity rates. The increase is largely attributable to the inclusion of credentials sourced from infostealer malware logs, which are far fresher than credentials recycled from old database breaches.

To mitigate the risk posed by leaked credentials, we recommend that organisations monitor for exposed credentials and follow post-incident best practices so that credentials already exposed do not remain an ongoing risk.

What are the threats?

A combolist is a collection of credential pairs drawn from stolen or leaked databases, often containing passwords in both hashed and cleartext form. Combolists underpin credential stuffing: cheap, readily available scripts automatically replay each username and password pair against a target web application to find which pairs still work, maximising the threat actor's chance of gaining initial access.

Threat actors also use automated scrapers to trawl organisational GitHub repositories and publicly accessible S3 buckets for sensitive commercial application keys. They then use these keys directly in attacks or trade them on the dark web.
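The same scraping that attackers run against public repositories and buckets is cheap for defenders to run first. The scanner below is an added example written for this advisory, not code from any project the advisory cites. It combines an exact pattern for the documented AWS access key ID format (`AKIA` followed by 16 upper-case alphanumerics) with a Shannon-entropy test on quoted values assigned to secret-sounding names, which catches tokens that have no fixed format. The file tree is constructed for the example; the key pair in it is the placeholder pair from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path lineno kind value")

# "AKIA" + 16 upper-case alphanumerics is the documented AWS access key ID format.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A quoted value of 20+ token-like characters assigned to a secret-sounding name.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)[\w.-]*(secret|token|key|password|passwd)[\w.-]*\s*[=:]\s*"
    r"[\"']([A-Za-z0-9/+=_-]{20,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; identifiers and prose sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s; random tokens score about 4.5+, prose about 3."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return findings for one file: exact AWS key IDs plus high-entropy secret assignments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reported = set()
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0)))
            reported.add(m.group(0))
        for m in SECRET_ASSIGN_RE.finditer(line):
            value = m.group(2)
            if value in reported:
                continue  # already caught by the exact pattern above
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_secret", value))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (a checked-out repository, a bucket listing)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree. The AWS key pair is the placeholder pair from AWS's own
# documentation, not a live credential. README mentions the variable name without a
# value and app.py reads the token from the environment: neither should be flagged.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = True\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment before running.\n",
    "src/app.py": 'api_token = os.environ["API_TOKEN"]\nsecret = "changeme"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        # Never print the full secret into a ticket or log; the first four characters
        # are enough for the owner to recognise it.
        print(f"{f.path}:{f.lineno} {f.kind}: {f.value[:4]}...")
```

Run this over the full git history, not just the working tree: a key removed in a later commit is still one `git log -p` away for anyone who clones the repository, and revocation is the only fix once it has been pushed.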

Recent research reports indicate an increase in attacks involving infostealer malware in corporate environments. An infostealer infects an endpoint and harvests every credential saved in its browsers, along with active session cookies and other data, then exports the haul to command-and-control (C2) infrastructure. Combolists built from these stealer logs are of high quality because the credentials are freshly harvested rather than recycled from old breaches. Because session cookies are taken alongside passwords, a password reset alone does not close the exposure: active sessions must be revoked as well.
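When a stealer log that names your organisation surfaces, the first question is which accounts it actually exposes. The parser below is an added example written for this advisory, not code from SpyCloud or any other source the advisory cites. It assumes the blank-line-separated `URL/Username/Password/Application` layout that many stealer families use for their saved-browser-password dumps (real formats vary by family and version, so `FIELD_RE` is the part to adapt); the sample log is constructed for the example. It produces both views of the same data: the `user:password` combolist an attacker would derive, and a masked exposure report a defender can hand to account owners.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the "passwords.txt" style many stealer families dump:
# one block per saved browser credential, blocks separated by blank lines.
# Real formats vary by family and version; adjust FIELD_RE for what you receive.
SAMPLE_STEALER_LOG = """\
URL: https://vpn.example.com/login
Username: alice@example.com
Password: Summer2024!
Application: Google Chrome

URL: https://shop.example.net/account
Username: alice.personal@gmail.com
Password: hunter2
Application: Google Chrome

URL: https://mail.example.com/owa/
Username: EXAMPLE\\bob
Password: P@ssw0rd
Application: Microsoft Edge

URL: https://sso.example.com/
Username: carol@example.com
Password:
Application: Firefox
"""

FIELD_RE = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$")


def parse_stealer_log(text):
    """Split the dump into records: one dict per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def _host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def corporate_exposures(records, domains):
    """Keep records whose login URL host or username belongs to one of our domains
    and that actually carry a password (an empty capture cannot be stuffed)."""
    hits = []
    for r in records:
        host = urlsplit(r.get("url", "")).hostname or ""
        user = r.get("username", "")
        password = r.get("password", "")
        if not password:
            continue
        if any(_host_matches(host, d) or user.lower().endswith("@" + d) for d in domains):
            hits.append({"host": host, "user": user, "password": password})
    return hits


def to_combolist(hits):
    """The attacker-side product: deduplicated user:password lines ready for a stuffing tool."""
    return sorted({f'{h["user"]}:{h["password"]}' for h in hits})


def mask(password):
    """Show only the first two characters so the report can be shared with account owners."""
    return password[:2] + "*" * (len(password) - 2) if len(password) > 2 else "*" * len(password)


def exposure_report(hits):
    """Defender-side view: which accounts need a reset and session revocation, and where."""
    return [f'{h["host"]}\t{h["user"]}\t{mask(h["password"])}' for h in hits]


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_STEALER_LOG)
    hits = corporate_exposures(recs, ["example.com"])
    print("\n".join(exposure_report(hits)))
```

Note what the filter keeps and drops: the personal shopping account is out of scope even though it belongs to an employee, the Windows-style `DOMAIN\user` entry is caught through the host rather than the email address, and the record with an empty password is dropped because it cannot be replayed. Everything that survives needs a reset plus session revocation, since the same log will also contain that browser's cookies.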

Some possible cyber attacks that utilise combolists are:

·         Credential Stuffing – Attackers use combolists to automate credential-based attacks such as brute force, password spraying, credential stuffing and account takeover.

·         Targeted Social Engineering Attacks – Malicious actors can use combolists to identify corporate domains and email addresses and target the employees behind them with vishing and other social engineering. They combine the leaked data with publicly available information to craft convincing pretexts.

·         Cyber Extortion Attack – Recent ransomware operations increasingly involve multiple extortion tactics. A threat actor may not only encrypt data but also use leaked credentials as leverage, demanding payment from the organisation even without deploying ransomware, on the strength of samples from a combolist alone.

What has been Observed?

SpyCloud security researchers have observed combolists with high validity rates whose entries match credentials sourced from infostealer malware logs. Common infection vectors for infostealers include phishing emails, malicious advertising and pirated software.

Cyberint published a research report indicating that a growing network of criminals is using encrypted messaging applications as a hub for buying, selling and sharing stolen data and hacking tools.

Actions

·         Review "Plot Twist: Combolists Are Still A Threat" (see References).

·         Review "The Art of Combolist Cracking and Credential Stuffing" (see References).

·         If the company has been mentioned on the dark web:

    o   Identify the origin of the mention.

        §  Try the available approaches for accessing the relevant dark web sources.

        §  If in-house resources are not available, engage a third party.

    o   Create an attacker profile.

        §  Evaluate the actor's rating, previous activity, participation on other forums and reputation within the community.

    o   Estimate the risk posed by the announcement.

·         Identify the threat type:

    o   Is the risk a data breach?

        §  Follow the steps in "Cyber Threat Lens: How to Eliminate the Threat Posed by Data Breaches".

    o   Is the risk remote access?

        §  Follow the steps in "Cyber Threat Lens: How to Eliminate the Threat Posed by Remote Access".

    o   Is the risk compromised account(s)?

        §  Follow the steps in "Cyber Threat Lens: How to Eliminate the Threat Posed by Compromised Account(s)".

·         Refer to "Best practices for event logging and threat detection".

·         Refer to "Preventing data breaches: advice from the Australian Cyber Security Centre".
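Monitoring for exposed credentials, as recommended in the Summary, need not mean handing plaintext passwords to a third party. The example below is added here and is not part of the advisory or of any tool it cites; it implements the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the password's SHA-1 leave the organisation and the caller matches the remaining 35 locally. The endpoint URL and `SUFFIX:COUNT` response format are assumed from that service's public documentation; the offline response table is constructed for the example so the code runs without network access.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-character prefix is ever sent anywhere."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return how often our suffix appears (0 if absent)."""
    for line in response_text.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """fetch_range(prefix) -> response text. Returns the breach-corpus count for the password."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix, timeout=10):
    """Query the Pwned Passwords range endpoint (assumed public API; no key required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range response. The first suffix is the real
# SHA-1 tail of the string "password"; its count and the other two lines are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\n"
             "FEDCBA9876543210FEDCBA9876543210FED:7\n",
}


def fetch_range_fake(prefix):
    return FAKE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 9Q!x"]:
        print(candidate, "->", check_password(candidate, fetch_range_fake))
```

Wire `check_password(pw, fetch_range_live)` into password-change and login flows to reject anything with a non-zero count, and run it against stored SHA-1 prefixes only; a hit means the password is in circulation in exactly the kind of list this advisory describes, regardless of whether your own systems were breached.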

MITRE Mapping

Technique ID | Tactic | Technique | Details
T1078 | Initial Access | Valid Accounts | Attackers use combolist credentials that are still valid to log in as legitimate users.
T1003 | Credential Access | OS Credential Dumping | After gaining access, attackers may dump credentials from compromised systems.
T1110.001 | Credential Access | Brute Force: Password Guessing | Trying common passwords, or passwords taken from combolists, against accounts.
T1110.004 | Credential Access | Brute Force: Credential Stuffing | Replaying stolen username and password pairs from combolists to gain access to accounts.
T1212 | Credential Access | Exploitation for Credential Access | Exploiting vulnerabilities to obtain credentials that can be added to combolists.
T1059 | Execution | Command and Scripting Interpreter | Attackers use scripts or command-line tools to automate the use of combolists in credential-stuffing attacks.
T1098 | Persistence | Account Manipulation | After gaining access with combolist credentials, attackers manipulate existing accounts or create new ones to maintain persistence within the environment.
T1074 | Collection | Data Staged | Attackers may stage data gathered from systems reached with combolist credentials before exfiltrating it.

References

·         Plot Twist: Combolists Are Still A Threat
·         Telegram Emerges as New Dark Web for Cyber Criminals
·         Combo Lists: The Criminal's Key for Cyber Attacks
·         The Art of Combolist Cracking and Credential Stuffing
·         The Darknet Economy of Credential Data: Keys and Tokens
·         Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC
·         Crooks Sell Credentials Using Combolists-as-a-Service Model
·         Report – Stealer Logs & Corporate Access
·         361 Million Stolen Accounts Exposed in Telegram Combolist Leak
·         Major Data Breach Exposes 2.21GB of Sensitive Information from Combolist
·         Credentials Are Still King: Leaked Credentials, Data Breaches and Dark Web Markets
·         Report – Dissecting the Dark Web Stealer Malware Lifecycle with the MITRE ATT&CK Framework


Words of Estimative Probability (WEPs): Certain words are used within intelligence products to convey analytical judgement regarding the probability of a development or event occurring. Our judgements are not factual statements; they reflect the best understanding of a scenario or situation at a point in time based on the information available. The accompanying diagram shows the relationship between the estimative terms and the approximate ranges of likelihood they correspond to.




