Resecurity conducted a thorough scan of the Dark Web and identified over 1,572 compromised customers of RIPE, Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC), resulting from infostealer infections. This figure also includes historical records and new artifacts identified in January 2024, following an analysis of Command and Control (C2) servers and underground marketplaces. Following a recent and highly disruptive cyberattack on telecom carrier Orange España, the cybersecurity community needs to rethink its approach to safeguarding the digital identity of staff involved in network engineering and IT infrastructure management.
Resecurity has notified victims whose credentials were compromised by infostealers like Azorult, Redline, Vidar, Lumma, and Taurus and exposed on the Dark Web. Based on the collected feedback, cybersecurity experts were able to build the following statistics:
- 45% were not aware about the identified compromised credentials and acknowledged successful password change and enabled 2FA;
- 16% were already aware about the identified compromised credentials as a result of infection by malicious code and made necessary password changes and enabled 2FA on their accounts;
- 14% were aware about the compromised credentials, but enabled 2FA only after notification (statement received);
- 20% acknowledged the need to perform deeper investigation of the incident leading to credential compromise; for example, some of the recipients acknowledged 2FA enabled, but had a lack of knowledge around how and when exactly the compromise has happened, and what credentials (to other apps and systems) could be exfiltrated by password stealer from the victim;
- 5% of recipients were not able to provide any feedback and/or aim to identify a relevant point of contact in their organization to review this issue.