Kela researchers tie 330 million compromised credentials to infostealer activity on over four million machines in 2024
Analysis Summary
# Incident Report: Massive Credential Compromise via Infostealer Malware
## Executive Summary
In 2024, infostealer malware emerged as a dominant initial access vector, leading to the compromise of over 330 million unique credentials across at least 4.3 million infected machines, according to Kela's report. This massive credential theft targeted sensitive corporate services, famously contributing to high-profile incidents like the Snowflake account breaches impacting organizations such as Ticketmaster and AT&T. The overall trend for infostealer activity is increasing, though law enforcement actions against major strains offer temporary relief.
## Incident Details
- Discovery Date: 20 Feb 2025 (Date of Kela report release detailing 2024 activity)
- Incident Date: Throughout 2024
- Affected Organization: Multiple organizations (implied; Snowflake customer environments were compromised using previously stolen credentials)
- Sector: Diverse (Impacts cloud solutions, CMS, email, user authentication)
- Geography: Global (Based on Kela's threat landscape analysis)
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2024 (Activity observed leading to report)
- Vector: Infostealer malware infections on end-user machines.
- Details: Infostealers (Lumma, StealC, RedLine dominant) executed on endpoints, capturing credentials.
### Lateral Movement
- Details: The report focuses on credential harvesting, but the stolen credentials provided access to sensitive corporate services (cloud, CMS, email, authentication), which implies either lateral movement after initial access or direct authentication against those services with the stolen credentials.
### Data Exfiltration/Impact
- Details: Over 330 million credentials were stolen. These credentials were used to compromise customer environments, as evidenced by the major downstream breaches affecting Ticketmaster and AT&T that were linked to stolen Snowflake credentials.
### Detection & Response
- Details: Kela discovered the scope via analysis of the threat landscape. Law enforcement successfully disrupted key components of the infostealer supply chain, notably the disruption of RedLine malware operations.
## Attack Methodology
- Initial Access: Infostealer malware execution on endpoints.
- Persistence: Not explicitly detailed, but infostealers typically establish persistence to maintain effectiveness.
- Privilege Escalation: Not detailed, but successful access to corporate systems suggests successful privilege usage post-authentication.
- Defense Evasion: Inherent in malware built to steal session data and stored credentials without being noticed.
- Credential Access: Automated theft of credentials stored in browsers, configurations, and password managers by malware strains like Lumma, StealC, and RedLine.
- Discovery: Not explicitly detailed, often performed via post-access enumeration by the malware or subsequent threat actors using the stolen credentials.
- Lateral Movement: Successful authentication to various corporate services (Cloud, CMS, Email) using compromised user credentials.
- Collection: Harvesting of authentication tokens, usernames, and passwords.
- Exfiltration: Implicitly, the malware sends the collected data to threat actor infrastructure.
- Impact: Unauthorized access to and potential theft of data from organizational systems via compromised accounts.
## Impact Assessment
- Financial: Not quantified, but inferred large costs due to major subsequent breaches (e.g., those impacting Ticketmaster/AT&T customers).
- Data Breach: Over 330 million credentials compromised. Access enabled compromise of cloud solutions, CMS, email, and authentication services.
- Operational: Disruption caused by credential misuse can lead to service outages or significant incident response overhead for affected parties.
- Reputational: High impact due to association with major downstream breaches (Ticketmaster, AT&T).
## Indicators of Compromise
- Network indicators: Not provided (IP addresses defanged).
- File indicators: Mention of malware strains: Lumma, StealC, RedLine.
- Behavioral indicators: Infection of endpoints leading to credential harvesting; potential observation of ULP (user list/password) files containing 3.9 billion credentials overall.
## Response Actions
- Containment: Law enforcement actions disrupted the RedLine malware infrastructure.
- Eradication: Specific organizational eradication steps are not detailed, but focus would be on mass password resets and securing cloud/CMS environments.
- Recovery: Not detailed, but recovery follows the remediation of systems exposed by compromised credentials.
## Lessons Learned
- The primary lesson is that infostealers remain one of the most significant threats for initial access, leveraging end-user compromise to bypass perimeter security.
- The dominance of the top three strains (Lumma, StealC, RedLine) presents a centralized target for disruption efforts.
- The MaaS model is expected to drive a surge in future infostealer activity.
## Recommendations
- Implement Multi-Factor Authentication (MFA) universally, especially for cloud access, email, and CMS systems, to mitigate the impact of stolen static credentials.
- Enhance endpoint detection and response (EDR) capabilities specifically tuned to detect the installation and operational behaviors of known infostealer malware (Lumma, StealC, RedLine variants).
- Increase monitoring and alerting for suspicious login locations or access patterns immediately following credential theft observations or known malware campaigns.
- Support international law enforcement efforts targeting the infostealer supply chain (developers, affiliates, marketplaces).
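The two detection-side recommendations above (flag logins by exposed accounts, enforce MFA) and the ULP files mentioned under Indicators of Compromise can be tied together in a small triage script. The following is an added example, not code from the Kela report or from any vendor it cites; it assumes the widely used `url:login:password` line layout for ULP records, a constructed authentication log in CSV form, a hypothetical organization domain `example.com`, and a constructed per-user baseline of sign-in countries. It extracts the accounts in scope from the ULP sample (discarding the secret itself), then flags successful logins by those accounts that used no MFA or came from a country outside the user's baseline.

```python
"""Correlate infostealer-exposed accounts with authentication logs.

Added illustration (not from the Kela report). All sample data below is
constructed; the ULP layout url:login:password is an assumption.
"""
import csv
import io
from urllib.parse import urlsplit

# Hypothetical organization domain(s) to match exposed records against.
MONITORED_DOMAINS = {"example.com"}

# Constructed ULP-style stealer records. The password field is parsed only
# to validate the line shape and is never stored or returned.
ULP_SAMPLE = """\
https://mail.example.com/login:jdoe@example.com:hunter2
https://cms.example.com:8443/admin:editor@example.com:Winter2024!
https://shop.other-site.test/:buyer@other-site.test:pw
this line is not a credential record
"""

# Constructed auth log, CSV columns: timestamp,user,result,src_ip,country,mfa
AUTH_LOG_SAMPLE = """\
2025-02-21T08:12:05Z,jdoe@example.com,success,203.0.113.5,DE,false
2025-02-21T08:15:40Z,jdoe@example.com,success,198.51.100.9,DE,true
2025-02-21T09:02:11Z,editor@example.com,success,192.0.2.77,US,true
2025-02-21T09:10:00Z,alice@example.com,success,192.0.2.10,DE,false
2025-02-21T09:30:00Z,editor@example.com,failure,192.0.2.77,US,false
"""

# Constructed baseline: countries each user normally signs in from
# (in practice derived from a trailing window of the same log).
BASELINE_COUNTRIES = {
    "jdoe@example.com": {"DE"},
    "editor@example.com": {"DE"},
    "alice@example.com": {"DE"},
}


def parse_ulp_line(line):
    """Return (host, login) for a url:login:password line, else None."""
    parts = line.strip().rsplit(":", 2)  # rsplit: the URL itself contains ':'
    if len(parts) != 3 or not parts[0].lower().startswith(("http://", "https://")):
        return None
    url, login, _password = parts  # secret is deliberately dropped here
    host = urlsplit(url).hostname
    if not host or not login:
        return None
    return host.lower(), login.lower()


def _matches(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def in_scope(host, login, domains):
    """True if the target host or the login's mail domain belongs to us."""
    login_domain = login.rsplit("@", 1)[1] if "@" in login else ""
    return _matches(host, domains) or _matches(login_domain, domains)


def exposed_accounts(ulp_text, domains=MONITORED_DOMAINS):
    """Map each in-scope login to the set of hosts it was captured for."""
    exposed = {}
    for line in ulp_text.splitlines():
        rec = parse_ulp_line(line)
        if rec is None:
            continue  # malformed or non-credential line
        host, login = rec
        if in_scope(host, login, domains):
            exposed.setdefault(login, set()).add(host)
    return exposed


def review_logins(auth_log_text, exposed, baseline=BASELINE_COUNTRIES):
    """Flag every successful login by an exposed account; escalate when the
    login had no MFA or came from a country outside the user's baseline."""
    fields = ["ts", "user", "result", "src_ip", "country", "mfa"]
    findings = []
    for row in csv.DictReader(io.StringIO(auth_log_text), fieldnames=fields):
        user = row["user"].lower()
        if row["result"] != "success" or user not in exposed:
            continue
        reasons = []
        if row["mfa"] != "true":
            reasons.append("no-mfa")
        if row["country"] not in baseline.get(user, set()):
            reasons.append("new-country:" + row["country"])
        findings.append({
            "ts": row["ts"], "user": user, "src_ip": row["src_ip"],
            "severity": "high" if reasons else "review", "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    exposed = exposed_accounts(ULP_SAMPLE)
    print("accounts needing a password reset:", sorted(exposed))
    for f in review_logins(AUTH_LOG_SAMPLE, exposed):
        print(f["severity"], f["ts"], f["user"], f["src_ip"], f["reasons"])
```

Every exposed account should be reset regardless of what the log shows, so the `review` findings matter too; the `high` ones are the logins to investigate first because the static credential was usable without a second factor or from an unusual location. Splitting the ULP line from the right is what keeps the scheme and port colons in the URL from breaking the parse.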