In the digital age, cybercrime has reached an unprecedented level, with malicious actors exploiting a variety of techniques to infiltrate corporate networks. One method has remained consistently attractive: the use of stolen credentials. In 2023 alone, there was a 266% surge in infostealer-related activity, underscoring how this malware has become a primary tool in the hacker’s arsenal. The availability of stolen credentials through cybercrime forums, Telegram “clouds of logs,” and dedicated auto shops has made corporate networks particularly vulnerable. This post explores the five most targeted entry points, shedding light on how attackers obtain and use stolen credentials to breach organizations.
1. The Rise of Infostealers: A Goldmine for Hackers
Information-stealing malware (an infostealer) is designed to exfiltrate sensitive information from infected devices. It typically targets browser-saved passwords, personal data, and corporate credentials. Many employees store their work credentials in their web browsers, making those credentials an easy target for infostealer malware. Once compromised, they can be sold on the dark web, giving attackers direct access to enterprise systems.
Infostealer logs, which are the records of stolen data from infected devices, are valuable assets for cybercriminals. The data extracted can include access to customer relationship management (CRM) systems, VPN sessions, remote desktop sessions, and more. These logs can be purchased cheaply, providing hackers with access to highly sensitive corporate systems.
2. How Hackers Obtain Stolen Credentials
Threat actors do not always create and manage malware campaigns themselves. Instead, they purchase stolen credentials from third-party sellers. These credentials are sold on platforms such as Russian Market, Telegram groups, and various cybercrime forums. The demand for such credentials has increased as cybercriminals realize the lucrative potential of gaining access to corporate networks. By infiltrating an organization’s VPN, Remote Desktop Protocol (RDP), or cloud services, hackers can carry out a variety of malicious activities, including lateral movement, data exfiltration, and ransomware deployment.
Table 1: Common Methods Hackers Use to Obtain Stolen Credentials

| Method | Description |
| --- | --- |
| Cybercrime Forums | Threat actors buy and sell corporate credentials on underground forums. |
| Dedicated Auto Shops | Platforms like Russian Market sell stolen credentials in bulk. |
| Telegram Groups (“Clouds of Logs”) | Logs containing stolen data are shared or sold via messaging apps. |
| Initial Access Brokers | Brokers sell direct access to corporate networks, often obtained through malware or phishing attacks. |
3. The Top 5 Targeted Entry Points for Cybercriminals
In 2023-2024, KELA analyzed thousands of cybercrime forum posts to identify the most targeted corporate access points. Based on this analysis, it became clear that threat actors are focusing on specific entry points, particularly those related to VPN and remote desktop solutions. Below are the top five entry points commonly sought by hackers:
3.1 Citrix Remote Access Solutions
Citrix products, including Citrix Workspace, Virtual Apps and Desktops, and Citrix Gateway, are prime targets for threat actors because of their widespread use in providing remote access to corporate resources. Common strings identified in infostealer logs (fragments of the login portal’s URL path) include /citrix/, /vpn/tmindex.html, and /LogonPoint/tmindex.html.
3.2 Cisco VPN (WebVPN and AnyConnect)
Cisco’s WebVPN and AnyConnect solutions have also been heavily targeted. Logs often contain strings such as CSCOE and /+cscoe+/. Because VPN solutions are critical for securing remote access, a compromised VPN account gives hackers a direct path into the corporate network.
3.3 Pulse Secure VPN
Pulse Secure VPN is another commonly targeted solution. Logs containing strings such as /dana-na/ are frequently sought by cybercriminals. Given that VPNs are designed to let employees work remotely, a compromised Pulse Secure VPN account hands an attacker that same remote access.
3.4 Microsoft Remote Desktop Web Access
Microsoft’s Remote Desktop Web Access (RDWeb) solution is frequently mentioned in cybercrime forums. Strings like /rdweb/ are commonly found in infostealer logs. This type of access allows attackers to gain control over remote desktops, making it a valuable target.
3.5 GlobalProtect by Palo Alto Networks
GlobalProtect is another key VPN solution targeted by hackers. It provides secure remote access to corporate networks, and logs are searched for strings like /global-protect/. When an account is compromised, attackers can gain access to sensitive data, deploy malware, and move laterally within the network.
Table 2: Top 5 Targeted Corporate Entry Points

| Rank | Entry Point | Strings Mentioned |
| --- | --- | --- |
| 1 | Citrix Remote Access Solutions | /citrix/, /vpn/tmindex.html, /LogonPoint/tmindex.html |
| 2 | Cisco VPN (WebVPN and AnyConnect) | CSCOE, /+cscoe+/ |
| 3 | Pulse Secure VPN | /dana-na/ |
| 4 | Microsoft Remote Desktop Web Access | /rdweb/ |
| 5 | GlobalProtect (Palo Alto Networks) | /global-protect/ |
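The same path strings attackers search for can be used defensively: a security team that obtains an infostealer log (for example through a monitoring service) can check whether any of the URLs in it point at the organization’s own remote-access portals. The script below is an added example, not KELA’s tooling; the log excerpt is constructed in a simplified “Key: value” layout (real stealer families vary in format), the hostnames are placeholders, and the passwords are redacted. It classifies each saved credential by the Table 2 markers and keeps only hits on the domains you ask it to watch.

```python
from collections import Counter
from urllib.parse import urlparse

# URL-path fragments from Table 2 of the article, lower-cased so matching is case-insensitive.
# The first entry point whose marker appears in the path wins.
ENTRY_POINT_STRINGS = {
    "Citrix Remote Access Solutions": ("/citrix/", "/vpn/tmindex.html", "/logonpoint/tmindex.html"),
    "Cisco VPN (WebVPN and AnyConnect)": ("/+cscoe+/", "cscoe"),
    "Pulse Secure VPN": ("/dana-na/",),
    "Microsoft Remote Desktop Web Access": ("/rdweb/",),
    "GlobalProtect (Palo Alto Networks)": ("/global-protect/",),
}

# Constructed sample log: URL / Username / Password records separated by blank lines.
# Hostnames are placeholders and passwords are redacted; this is not real stolen data.
SAMPLE_LOG = """\
URL: https://vpn.example-corp.com/+CSCOE+/logon.html
Username: jdoe
Password: [redacted]

URL: https://remote.example-corp.com/LogonPoint/tmindex.html
Username: asmith
Password: [redacted]

URL: https://mail.unrelated.test/owa/
Username: someone
Password: [redacted]

URL: https://access.example-corp.com/dana-na/auth/url_default/welcome.cgi
Username: jdoe
Password: [redacted]

URL: https://gp.partner.test/global-protect/login.esp
Username: contractor
Password: [redacted]
"""


def parse_stealer_log(text):
    """Split the log into records and keep those that carry both a URL and a username."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "url" in fields and "username" in fields:
            records.append({"url": fields["url"], "username": fields["username"]})
    return records


def classify_entry_point(url):
    """Return the entry-point name whose marker string appears in the URL path, or None."""
    parsed = urlparse(url)
    path = parsed.path + ("?" + parsed.query if parsed.query else "")
    path = path.lower()
    for name, markers in ENTRY_POINT_STRINGS.items():
        if any(marker in path for marker in markers):
            return name
    return None


def host_is_monitored(hostname, monitored_domains):
    """True if the hostname is one of the monitored domains or a subdomain of one."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in monitored_domains)


def find_exposures(records, monitored_domains):
    """Credentials that hit a known remote-access portal on one of the organization's domains."""
    exposures = []
    for rec in records:
        host = urlparse(rec["url"]).hostname or ""
        entry_point = classify_entry_point(rec["url"])
        if entry_point and host_is_monitored(host, monitored_domains):
            exposures.append({"host": host, "entry_point": entry_point, "username": rec["username"]})
    return exposures


def summarize(exposures):
    """Count exposed credentials per entry point, the same breakdown Table 2 ranks."""
    return Counter(e["entry_point"] for e in exposures)


if __name__ == "__main__":
    found = find_exposures(parse_stealer_log(SAMPLE_LOG), {"example-corp.com"})
    for e in found:
        print(f"{e['entry_point']:<38} {e['host']:<32} {e['username']}")
    print(summarize(found))
```

Run against the sample with `example-corp.com` as the monitored domain, the Cisco, Citrix and Pulse Secure records are reported (two of them for the same user, which is itself a signal that one endpoint infection exposed several portals), while the unrelated webmail entry and the partner’s GlobalProtect portal are left out. In practice the marker list should be extended with the paths of your own portals, since Table 2 only lists the strings attackers were observed asking for.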
4. The Cybercriminal’s Shopping List
On cybercrime forums, posts by threat actors looking to buy corporate access are common. These posts often list specific URLs or “strings” they are interested in. The goal is to acquire unique logs—credentials that have not yet been sold to other attackers—at scale.
Cybercriminals often specify which countries the target organizations should be located in and express interest in specific remote access solutions. Many actors offer to buy corporate access on a recurring basis, establishing long-term collaborations with malware operators. This market allows them to continuously compromise new organizations and spread their malicious operations.
5. Real-World Example: The Change Healthcare Hack
In February 2024, Change Healthcare, a subsidiary of UnitedHealth, was targeted in a ransomware attack. Cybercriminals used stolen credentials to access the company’s Citrix portal, which lacked multi-factor authentication (MFA). Over nine days, the attackers moved laterally through the network, stealing data before deploying ransomware.
The attack highlighted the critical need for strong authentication mechanisms and regular monitoring of cybercrime platforms. According to KELA, Change Healthcare credentials had been sold on cybercrime forums prior to the attack, although it is unclear if these credentials were used in the breach.
How Corporate Credentials are Exploited
Once attackers acquire valid credentials, they gain access to a wealth of corporate resources. This access allows them to perform lateral movement within the network, deploy malware, steal data, and carry out fraud. In some cases, hackers specifically look for valuable information, such as NDA documentation, financial data, or intellectual property.
Some threat actors operate teams that specialize in exploiting compromised networks. They may also recruit skilled penetration testers to assist in these efforts. Compromised corporate credentials are often the first step in a larger, more sophisticated attack, and organizations must remain vigilant to prevent such breaches.
Recommendations for Securing Corporate Entry Points
To mitigate the risk of cyberattacks targeting VPNs and remote access solutions, companies should implement the following security measures:
- Enable Multi-Factor Authentication (MFA): MFA should be implemented across all accounts to add an extra layer of security. Even if passwords are compromised, MFA makes it more difficult for attackers to gain access.
- Regularly Update Passwords: Enforce password policies that require employees to update their passwords regularly. This reduces the risk of long-term exposure if credentials are stolen.
- Conduct Employee Awareness Training: Train employees on the risks associated with phishing and social engineering attacks. Employees should be aware of how malware, such as infostealers, can infect their systems.
- Monitor Cybercrime Platforms: Companies should monitor cybercrime forums and marketplaces for stolen credentials related to their assets. Early identification of compromised accounts can prevent further damage.
- Revoke Access for Ex-Employees: Ensure that ex-employees’ credentials are revoked immediately upon their departure to prevent unauthorized access.
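Several of these recommendations come together when a compromised account is actually found: whether the password was rotated after the log was taken, whether MFA is enforced, and whether the account belongs to someone who has already left all change the urgency. The following added example (not KELA’s code) turns that decision into a small triage routine; the directory snapshot is constructed and stands in for an identity-provider or HR export, and the account names and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    active: bool
    mfa_enabled: bool
    last_password_change: date
    departed: bool = False


@dataclass
class Exposure:
    username: str
    entry_point: str
    log_date: date  # when the infostealer log was generated, or first seen for sale


# Constructed directory snapshot; in production this comes from the identity provider / HR system.
DIRECTORY = {
    "jdoe": Account("jdoe", active=True, mfa_enabled=False, last_password_change=date(2024, 1, 10)),
    "asmith": Account("asmith", active=True, mfa_enabled=True, last_password_change=date(2024, 3, 1)),
    "bwhite": Account("bwhite", active=True, mfa_enabled=False, last_password_change=date(2023, 11, 5),
                      departed=True),
}


def triage(exposure, directory):
    """Map one exposed credential to a priority and an ordered list of defensive actions."""
    acct = directory.get(exposure.username)
    if acct is None:
        # Not in the directory: could be a local, service or shared account nobody owns.
        return {"priority": "medium", "actions": ["identify-owner", "check-local-and-service-accounts"]}
    if acct.departed or not acct.active:
        # A leaver whose account still works is the worst case: revoke first, then look for misuse.
        return {"priority": "high", "actions": ["disable-account", "review-auth-logs-since-departure"]}

    actions = []
    rotated = acct.last_password_change > exposure.log_date  # reset happened after the theft
    if not rotated:
        actions.append("force-password-reset")
    if not acct.mfa_enabled:
        actions.append("enforce-mfa")
    actions.append("review-auth-logs")  # a stale credential can still have been tried

    if not rotated and not acct.mfa_enabled:
        priority = "high"
    elif rotated and acct.mfa_enabled:
        priority = "low"
    else:
        priority = "medium"
    return {"priority": priority, "actions": actions}


# Constructed exposures, e.g. the output of matching a log against the organization's domains.
SAMPLE_EXPOSURES = [
    Exposure("jdoe", "Cisco VPN (WebVPN and AnyConnect)", date(2024, 2, 1)),
    Exposure("asmith", "Citrix Remote Access Solutions", date(2024, 2, 1)),
    Exposure("bwhite", "Pulse Secure VPN", date(2024, 2, 1)),
    Exposure("svc-backup", "Microsoft Remote Desktop Web Access", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for exp in SAMPLE_EXPOSURES:
        result = triage(exp, DIRECTORY)
        print(f"{exp.username:<12} {exp.entry_point:<38} {result['priority']:<7} {result['actions']}")
```

The log date matters more than it first appears: a credential stolen before the last password change is low priority only if MFA is also enforced, because the old password may still work on other systems where it was reused, which is why the routine always keeps an authentication-log review in the action list.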
FAQs
1. What are the most common entry points targeted by hackers?
The most common entry points are remote access solutions, especially Citrix, Cisco VPN, Pulse Secure VPN, Microsoft Remote Desktop Web Access, and GlobalProtect by Palo Alto Networks.
2. How do hackers obtain stolen corporate credentials?
Hackers typically buy stolen credentials from cybercrime forums, Telegram groups, and dedicated auto shops. They may also purchase credentials directly from malware operators.
3. Why are VPN solutions a prime target for cybercriminals?
VPN solutions are targeted because they provide direct access to corporate networks, allowing attackers to move laterally and exploit sensitive data.
4. What steps can organizations take to prevent credential theft?
Organizations should implement multi-factor authentication, enforce regular password updates, and conduct employee awareness training. Additionally, they should monitor cybercrime platforms for compromised accounts.
5. How was Change Healthcare compromised in the February 2024 attack?
Cybercriminals used stolen credentials to access Change Healthcare’s Citrix portal, which lacked MFA. They moved laterally through the network over nine days before deploying ransomware.