56,000+ cloud-based apps at risk of malware exfiltration

The technology sector had the highest number of malware-infected employees, most exposed corporate credentials and the majority of all stolen cookies, according to SpyCloud.


Drawing on SpyCloud’s database of 400+ billion recaptured assets from the criminal underground, researchers analyzed 2.27 billion exposed dark web assets, including 423.28 million personally identifiable information (PII) assets, found in data breaches and exfiltrated from malware-infected devices tied directly to Fortune 1000 employees’ email addresses.


The asset count represents a 7% increase year-over-year and puts these organizations in jeopardy for cyber threats including account takeover, session hijacking, fraud, and ransomware from this stolen data.

Researchers uncovered 27.48 million pairs of credentials with Fortune 1000 corporate email addresses and plaintext passwords, with over 223,000 of those pairs exfiltrated by malware. These malware-stolen credentials give direct access to over 56,000 cloud-based applications, including popular enterprise email, single sign-on (SSO), payroll management, hosting, and collaboration tools.

They also observed a 62% password reuse rate among Fortune 1000 employees who have been exposed more than once.

Even more alarming are the report’s findings on browser session cookies, which it describes as the most prized data exfiltrated by malware. SpyCloud recaptured 1.87 billion malware cookie records tied to Fortune 1000 employees. A replayed session cookie lets a criminal impersonate the legitimate user and take over an active, already-authenticated web session. Because the password check and any multi-factor authentication (MFA) prompt happen only at login, a valid stolen cookie effectively bypasses MFA and other login-time controls.

Session cookie exploitation

“Cybercriminals continue to evolve their tactics from capturing as much data as possible to capturing high-quality data that practically guarantees success. By leveraging session cookies, criminals can take advantage of any active platforms that utilize SSO, which essentially allows them to move freely between numerous accounts,” said Trevor Hilligoss, Director of Security Research, SpyCloud. “This is a massive exposure risk and most organizations are unaware of the threat it poses or what to do to properly prevent or remediate.”

Researchers also identified over 171,500 Fortune 1000 employees who used an infostealer malware-infected device to log into corporate resources. Infostealers are an increasingly common variety of malware that siphons all manner of data from the affected machine, including data stored in the browser – login URLs, usernames, passwords, auto-fill data, and much more.

This level of exposure is dangerous for industries across the board, as this siphoned data can continue to plague the security of user information and business systems long after a device is wiped clean.

“Employees using infected corporate or personal devices pose a risk for their organizations. As an employee, they may have access to their corporate networks and applications on those devices, and stolen data from these devices can be used to harm their employer,” said Hilligoss.

“Fortune 1000 companies cannot bet solely on traditional solutions and cybersecurity training to keep them safe. Instead, to remediate malware infections, organizations must focus on resetting passwords for affected applications and invalidating active sessions to negate opportunities for session hijacking. This post-infection remediation approach is critical to shut down entry points for future attacks,” concluded Hilligoss.
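The two points above, that a stolen session cookie is accepted without any MFA prompt, and that remediation must invalidate active sessions rather than only reset the password, as an added worked example. This is illustrative code written for this article, not SpyCloud’s code or any vendor’s implementation. It assumes a hypothetical server-side design: a signed cookie carrying a per-user "session generation" counter (names such as SessionStore, issue_cookie, validate_cookie and remediate_infection are invented here), and a constructed server key and user.

```python
# Added example (not from the original article or SpyCloud): shows why a
# stolen browser session cookie bypasses MFA, and why post-infection
# remediation must invalidate sessions, not just reset the password.
# All names, the key and the sample user are constructed assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-example-key-do-not-reuse"  # assumption: server-side secret


class SessionStore:
    """Server-side state used to accept or reject a presented cookie."""

    def __init__(self):
        self.password_hash = {}        # user -> (salt, pbkdf2 hash)
        self.session_generation = {}   # user -> int; bumping it revokes every session

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hash[user] = (salt, digest)
        self.session_generation.setdefault(user, 0)

    def check_password(self, user, password):
        if user not in self.password_hash:
            return False
        salt, digest = self.password_hash[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(store, user, mfa_passed, ttl=8 * 3600):
    """Issued only after password + MFA succeeded; the cookie then stands in for both."""
    if not mfa_passed:
        raise ValueError("MFA must complete before a session cookie is issued")
    payload = json.dumps({
        "sid": secrets.token_hex(16),
        "user": user,
        "gen": store.session_generation[user],
        "exp": time.time() + ttl,
    }).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_cookie(store, cookie, now=None):
    """Return the user if the cookie is accepted, else None.

    Note what is NOT here: no password check and no MFA prompt. Whoever
    presents a valid cookie is treated as the user who logged in.
    """
    try:
        encoded, sig = cookie.split(".")
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                       # tampered or forged
    data = json.loads(payload)
    if data["exp"] < (time.time() if now is None else now):
        return None                       # expired
    if data["gen"] != store.session_generation.get(data["user"]):
        return None                       # revoked: generation was bumped
    return data["user"]


def reset_password_only(store, user, new_password):
    """Naive remediation: new password, but every existing session stays valid."""
    store.set_password(user, new_password)


def remediate_infection(store, user, new_password):
    """Post-infection remediation: reset the password AND invalidate all sessions."""
    store.set_password(user, new_password)
    store.session_generation[user] += 1   # every previously issued cookie now fails


def demo():
    """Replay a 'stolen' cookie before and after each remediation step."""
    store = SessionStore()
    user = "alice@example.com"            # constructed sample user
    store.set_password(user, "old-password")
    stolen = issue_cookie(store, user, mfa_passed=True)   # exfiltrated by an infostealer
    replay_before = validate_cookie(store, stolen)        # accepted, no MFA prompt
    reset_password_only(store, user, "new-password")
    replay_after_reset = validate_cookie(store, stolen)   # still accepted
    remediate_infection(store, user, "newer-password")
    replay_after_remediation = validate_cookie(store, stolen)  # rejected
    return replay_before, replay_after_reset, replay_after_remediation


if __name__ == "__main__":
    print(demo())
```

The generation counter is one of several ways to revoke sessions server-side (a session table with a per-session revoked flag, or a short cookie lifetime plus a refresh token that is itself revocable, are others); the point that carries over is that the revocation check runs on every request using state the attacker cannot replay.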

The dark web threat to businesses

Researchers additionally identified nearly 31 million malware-infected consumers of Fortune 1000 companies. Security teams continue to struggle to defend against fraud enabled by malware-stolen data. Visibility into what was exfiltrated from these devices shows which information is circulating on the dark web and how it can be used against the business.

Criminals can combine credentials, PII and other sensitive details to fabricate synthetic identities and use them to perpetrate fraud that hits a business’s bottom line. Knowing what was exposed from an infected device allows organizations to take preventive steps to better authenticate legitimate users and minimize losses.

To reduce the hazards of exposed employee and third-party identities, Fortune 1000 enterprises need a multi-layered strategy. Security teams should enforce strong password policies, mandate the use of password managers to create and store unique passwords for every account, and enforce MFA. Because MFA does not protect a session that was already authenticated before its cookie was stolen, they should also implement a robust post-infection remediation approach (password resets for affected applications plus invalidation of active sessions) to strengthen their incident response.

Malware-infected employees at financial firms

The technology sector shows consistently poor cyber hygiene: The technology sector has the highest number of malware-infected employees (67,723) and consumers (13.22 million); the highest number of exposed corporate credentials (7.52 million); and the most exposed malware cookie records of all industries, with 1.51 billion.

Malware poses a significant risk to employees in the financials sector: Researchers uncovered a nearly 300% year-over-year increase in malware-infected employees tied to financial companies (15,274). The financials sector had the worst password reuse rate (68%).

C-Suite exposures put sensitive data, intellectual property and financials at risk: SpyCloud identified over 935,786 stolen assets from 87,741 exposed C-level employees.
