Israel-based cybersecurity firm Kela says more than 500,000 leaked credentials belonging to more than two dozen leading gaming companies were on sale on the dark web. The researchers noted that gaming firms with stolen employee credentials faced various threats, including ransomware attacks and fraud.
The researchers also noted that selling initial access tools was a booming underground business as threat actors sought more effortless ways to infiltrate corporate networks.
By contrast, the researchers discovered that some credentials could be obtained for free or for as little as $10. The report noted that employees remained the main entry point for corporate breaches, making cybersecurity training necessary.
Gaming sector is a lucrative and easy target for cybercriminals
Kela says COVID-19 led to increased gaming as people stuck at home sought fun and gave gaming a chance. The high adoption rates led to increased purchases of gaming products.
Kela noted that the increased spending captured cybercriminals’ attention, leading them to scout for new targets. Kela found that gaming companies were “generally becoming popular among cybercriminals due to the simple fact that they are driving large sums of money.”
However, the cybersecurity firm noted that the gaming sector “may not be prioritizing their security precautions as much as their industry advancement and profit.” This puts gaming companies in a more precarious situation as more threat actors targeted the industry.
Threat actors frequently paying for initial access to gaming companies’ internal networks
The cybersecurity firm says that it observed “multiple instances of supply and demand for initial network access of gaming companies.”
Threat actors were willing to pay for “multiple types of accesses and databases.” For example, a Russian-speaking threat actor wanted access to the developer networks of Apple, Microsoft’s Xbox, Nintendo, and Qualcomm.
Kela also noted that stolen employee credentials to website management portals, admin panels, VPNs, Jira instances, FTPs, SSOs, among others, were available for sale just before attacks on leading gaming companies happened.
Purchased trojans and infostealers used to compromise employee credentials
Kela found that the supply of stolen employee credentials originated from infected computers or bots compromised with banking trojans or infostealers.
Many trojanized employee computers had access to gaming companies’ internal resources. Kela noted an increase in such bots being sold in automated shops, “making it very easy for threat actors to attain access to a variety of resources.”
After monitoring the underground markets for 2.5 years, Kela found “1 million compromised accounts pertaining to gaming clients and employees.” Half of the leaked customer information and stolen employee credentials were offered for sale in 2020. Additionally, 500,000 stolen employee credentials belonged to leading gaming companies.
The criminal underground supply of stolen employee credentials allows hackers to gain access to core areas of a company’s internal networks for just a couple of dollars, according to Kela researchers.
For example, the researchers found stolen employee credentials for SSO, Kibana, Jira, admin-connect, service-now, Slack, VPN, password-manager and poweradmin portals selling for just $10; the set also suggested that an administrative user had been compromised.
Threat actors leveraging “human vulnerability” to compromise gaming companies
The report also revealed that some gaming companies’ employees used their corporate emails and recycled passwords when signing up for multiple third-party sites. Such credentials were subsequently leaked in various breaches observed by Kela researchers.
The report authors posited that threat actors leveraged the “human vulnerability” to gain access to gaming companies.
Kela recommended educating employees on ways that the attackers could gain access to computer systems.
Gaming companies face severe risks of massive breaches from stolen employee credentials
Attackers could use the purchased stolen employee credentials to execute ransomware attacks. Kela said it had detected four ransomware attacks in the past three months, three of which were publicly reported. The ransomware group Sodinokibi (REvil) also claimed to have attacked another major gaming company.
Other threats facing gaming companies from stolen employee credentials include fraud and corporate espionage, according to Kela researchers. Cybercriminals could also use the stolen employee credentials to carry out phishing campaigns to spread laterally across the gaming companies’ corporate networks.
The report authors suggested that hackers could “attempt to perform brute force and dictionary attacks, for which these databases with plain text passwords are highly useful.”
Saryu Nayyar, CEO at Gurucul, says that user credential theft is a frequent occurrence in the cybersphere.
“Phishing and social engineering schemes have been targeting user accounts almost since they’ve existed, and Kela’s revelation of the scope of employee credential loss is, unfortunately, not a surprise.”
Nayyar added that companies needed to “step up their AAA (Authentication, Authorization, Accounting) game to include multi-factor authentication and add security analytics to enable risk-based authentication as well.”
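The two defensive themes above, detecting the brute-force and credential-stuffing activity that leaked plaintext passwords enable, and the risk-based authentication with MFA step-up that Nayyar recommends, can be combined in a small login-risk scorer. The following is an added example, not code from Kela, Gurucul or any gaming company. It scores each login attempt from four signals a defender can derive from ordinary authentication logs: a source IP that has recently failed against many distinct users (spray or stuffing), a user appearing from a country or device not in their baseline, and a password whose hash matches a known-leaked corpus. The events, IP addresses, user names, thresholds and the leaked-password set are all constructed for the demo.

```python
"""Risk-based authentication scorer over constructed login events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib


def sha1(password: str) -> str:
    """Hash a password so the scorer never holds plaintext; SHA-1 only to mirror
    common breach-corpus formats, not as a storage scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    device_id: str
    success: bool
    password_sha1: str


@dataclass
class UserProfile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


# Constructed leaked-password corpus (assumption: fed from a breach-monitoring feed).
LEAKED_SHA1 = {sha1("Summer2020!"), sha1("password123")}

SPRAY_WINDOW = timedelta(minutes=10)   # look-back for failures from one source IP
SPRAY_DISTINCT_USERS = 5               # distinct users failed from one IP => spraying
MFA_THRESHOLD = 30                     # score at or above this requires MFA step-up
BLOCK_THRESHOLD = 80                   # score at or above this is refused outright


class RiskScorer:
    def __init__(self):
        self.profiles = defaultdict(UserProfile)
        self.failures_by_ip = defaultdict(list)   # ip -> [(timestamp, user), ...]

    def score(self, ev: LoginEvent):
        """Return (score, reasons, decision) for one login event."""
        score, reasons = 0, []
        # Signal 1: this IP has failed against many distinct users recently.
        recent = [(t, u) for t, u in self.failures_by_ip[ev.src_ip]
                  if ev.ts - t <= SPRAY_WINDOW]
        self.failures_by_ip[ev.src_ip] = recent
        if len({u for _, u in recent}) >= SPRAY_DISTINCT_USERS:
            score += 50; reasons.append("spray_source")
        # Signals 2 and 3: deviation from the user's established baseline.
        prof = self.profiles[ev.user]
        if prof.countries and ev.country not in prof.countries:
            score += 30; reasons.append("new_country")
        if prof.devices and ev.device_id not in prof.devices:
            score += 20; reasons.append("new_device")
        # Signal 4: the password offered is in the leaked corpus.
        if ev.password_sha1 in LEAKED_SHA1:
            score += 40; reasons.append("leaked_password")
        if not ev.success:
            self.failures_by_ip[ev.src_ip].append((ev.ts, ev.user))
            return score, reasons, "deny"
        if score >= BLOCK_THRESHOLD:
            decision = "block"
        elif score >= MFA_THRESHOLD:
            decision = "mfa"
        else:
            decision = "allow"
            # Only low-risk logins extend the baseline, so an attacker cannot
            # teach the scorer a new country or device by succeeding once.
            prof.countries.add(ev.country); prof.devices.add(ev.device_id)
        return score, reasons, decision


def run_demo():
    """Replay constructed events: a legitimate user, a spray against five
    accounts, the sprayer then logging in as that user with a leaked password,
    and finally the real user travelling."""
    t0 = datetime(2020, 12, 1, 9, 0)
    good = sha1("correct-horse-battery-staple")
    events = [
        LoginEvent(t0, "alice", "203.0.113.10", "US", "dev-a1", True, good),
        LoginEvent(t0 + timedelta(minutes=1), "alice", "203.0.113.10", "US", "dev-a1", True, good),
    ]
    for i, victim in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        events.append(LoginEvent(t0 + timedelta(minutes=2 + i), victim, "198.51.100.7",
                                 "RU", "dev-x9", False, sha1("Summer2020!")))
    events.append(LoginEvent(t0 + timedelta(minutes=8), "alice", "198.51.100.7",
                             "RU", "dev-x9", True, sha1("Summer2020!")))
    events.append(LoginEvent(t0 + timedelta(hours=5), "alice", "203.0.113.10",
                             "DE", "dev-a1", True, good))
    scorer = RiskScorer()
    return [(ev.user, *scorer.score(ev)) for ev in events]


if __name__ == "__main__":
    for user, score, reasons, decision in run_demo():
        print(f"{user:6} score={score:3} {decision:5} {','.join(reasons)}")
```

The scorer never stores plaintext; it compares a hash of the submitted password against a hashed leak corpus, which is the same comparison a breach-notification feed lets an identity provider make at login time. Thresholds are deliberately simple constants so the example stays readable; in production they would be tuned against real false-positive rates.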