Cyble has found thousands of security vendors' credentials on the dark web, likely pulled from infostealer logs
# Analysis Summary
# Threat Actor: Unattributed Cybercrime Group/Malware Operators
## Attribution & Identity
The specific threat actor responsible for the credential theft is **not identified or attributed** in the context provided. The data leak appears to be the result of **infostealer logs** aggregated and sold by **unattributed cybercrime marketplaces**.
## Activity Summary
Researchers from Cyble discovered thousands of leaked account credentials belonging to at least 14 major cybersecurity vendors on the dark web, starting from January 2025. These credentials, which include internal, customer, SSO, and cloud access, were likely obtained via infostealer malware and subsequently sold in bulk for low prices (as little as $10). Exposed vendors include CrowdStrike, McAfee, Palo Alto Networks, and others.
## Tactics, Techniques & Procedures
- **Initial Access/Collection:** Harvesting credentials via **infostealer logs**.
- **Distribution/Sale:** Selling compromised credentials in bulk on **cybercrime marketplaces**.
- **Potential System Compromise:** The leaked credentials likely exposed the following victim systems:
  - Password managers
  - Authentication systems (e.g., Okta)
  - Device management platforms
  - Cloud environments (e.g., AWS, Microsoft Online)
  - Web consoles and SSO logins
- *Note: Specific MITRE ATT&CK IDs were not mentioned in the source.*
## Targeting
- Sectors: **Cybersecurity Vendors** (a specific target sector, though the ultimate targets may be the customers of these vendors).
- Geography: **Not specified**, but context implies a global reach due to the vendors involved.
- Victims: Credential leaks tracked for major security providers, including (but not limited to): CrowdStrike, Exabeam, Fortinet, LogRhythm, McAfee, Palo Alto Networks, Qualys, Rapid7, RSA Security, SentinelOne, Sophos, Tenable, Trend Micro, and Zscaler.
## Tools & Infrastructure
- Malware families used: **Infostealer malware** (method inferred from the source of the logs).
- Infrastructure (C2, domains, IPs): No specific C2 domains or IPs are mentioned. The data was sold on **dark web cybercrime marketplaces**.
## Implications
This incident highlights a critical vulnerability within the security industry itself, demonstrating that even highly security-conscious organizations are susceptible to commodity threats like infostealers. The large volume of compromised credentials for major security platforms poses a systemic risk, as successful exploitation could provide deep access into vendors' networks or their customers' environments, potentially leading to large-scale supply chain attacks if these credentials are valid and active.
## Mitigations
- **Dark Web Monitoring:** Continuously monitor dark web platforms for organizational credentials and proprietary data leaks as an early warning system.
- **Enforce MFA:** Ensure Multi-Factor Authentication (MFA) is enforced across all exposed systems, especially on web consoles, SSO logins, and cloud access points, to limit the effectiveness of stolen static credentials.
- **Review Authentication Systems:** Investigate the security posture of identity platforms (like Okta) and internal password management systems, as these appear to be high-value targets compromised by stealers.
- **Assume Compromise:** Organizations must operate under the assumption that internal assets (including endpoints running infostealers) are compromised, necessitating credential rotation and rigorous session monitoring.
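As an added example (not Cyble's tooling or anything from the report), a small Python triage routine that takes a leaked-credential feed of the kind dark web monitoring produces, keeps only rows for identities in the organization's own domains, ranks them by the exposed system classes named above (identity provider, cloud console, SSO login), and flags password reuse across systems so rotation can be prioritized. The `url|username|password` feed layout, the `example.com` domain, the users and the host-to-class mapping are all constructed assumptions.

```python
import hashlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample feed ("url|username|password" rows, fictional users);
# real marketplace exports vary in layout.
SAMPLE_FEED = """\
https://example.okta.com/login|alice@example.com|Summer2025!
https://signin.aws.amazon.com/console|bob@example.com|hunter2
https://portal.example.com/sso|alice@example.com|Summer2025!
https://login.microsoftonline.com/|carol@partner.org|p@ss
https://shop.example.net/account|dave@example.com|qwerty
"""
ORG_DOMAINS = {"example.com"}  # identities we own (assumption)
# System classes named in the report, highest rotation priority first
PRIORITY = {"identity-provider": 0, "cloud-console": 1, "sso-login": 2, "other": 3}
HIGH_VALUE_HOSTS = {
    "okta.com": "identity-provider",
    "signin.aws.amazon.com": "cloud-console",
    "login.microsoftonline.com": "cloud-console",
}

def classify(url: str) -> str:
    """Map a login URL to one of the report's exposed-system classes."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for suffix, label in HIGH_VALUE_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    if any(tok in parsed.path.lower() for tok in ("sso", "login")):
        return "sso-login"
    return "other"

def triage(feed: str, org_domains=ORG_DOMAINS) -> list[dict]:
    """Rotation work items for our users, most critical first; the secret
    never leaves this function, only a short hash used to spot reuse."""
    rows = []
    for line in feed.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3 or "@" not in parts[1]:
            continue  # malformed row
        url, user, secret = parts[0], parts[1].lower(), parts[2]
        if user.rsplit("@", 1)[1] not in org_domains:
            continue  # not an identity we own
        fp = hashlib.sha256(f"{user}:{secret}".encode()).hexdigest()[:12]
        rows.append({"user": user, "system": classify(url), "fingerprint": fp})
    reuse = Counter(r["fingerprint"] for r in rows)
    for r in rows:
        r["reused"] = reuse[r["fingerprint"]] > 1  # same password on >1 host
    return sorted(rows, key=lambda r: PRIORITY[r["system"]])
```

Rows for identities outside the organization are dropped, so only accounts the team can actually rotate end up in the queue.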