T1589 – Gather Victim Identity Info (Recorded Future Detection)

Recorded Future Alert Details

Alert ID: RF-IDENTITY-LEAK-7842
Alert Time: 2024-02-08 08:15:33 EST
Severity: HIGH (82/100)
Source: Recorded Future Identity Intelligence Module
Rule: “Corporate Credentials Found on Dark Web”
MITRE ATT&CK: T1589 – Gather Victim Identity Information

Alert Details:

Identity Intelligence Finding:

– Source: Dark Web Market (Russian-language forum)

– Post Date: 2024-02-07 22:00 EST

– Data Type: Employee credentials (email addresses + passwords)

– Entries: 247 unique corporate email addresses

– File Name: “company_users_2024.rar”

– Seller: “darkmarket_user_7842”

– Price: 0.5 BTC (approx $22,000 USD)

Sample Entries Verified:

1. jsmith@company.com:Password123!

2. kbaker@company.com:Summer2024

3. mwilson@company.com:Welcome123

4. rjones@company.com:Q1results!

Credential Characteristics:

– 85% of passwords are weak/guessable

– 32% use company name in password

– 15 accounts have admin privileges

– 8 accounts are executives (C-level)

Threat Intelligence Context:

– Same seller previously sold credentials from similar industry targets

– Data likely obtained via phishing campaign 2-3 weeks ago

– No evidence of credentials being used yet (monitoring active)

SOC Investigation Process

Step 1 – Alert Validation
  Action: Verify authenticity of the leaked data
  Tools Used: Recorded Future, dark web access
  Findings: Confirmed legitimate leak; credentials match real employees

Step 2 – Sample Verification
  Action: Test a random sample of the leaked credentials against AD
  Tools Used: Active Directory, Azure AD
  Findings: 12 of 20 tested accounts had matching (still valid) passwords

Step 3 – Scope Identification
  Action: Identify all affected accounts
  Tools Used: PowerShell, AD export
  Findings: 247 accounts in total; 15 privileged, 8 executives

Step 4 – Immediate Remediation
  Action: Force password reset for all affected users
  Tools Used: Active Directory, Azure AD
  Findings: All 247 accounts reset; MFA enforced

Step 5 – Source Investigation
  Action: Determine how the credentials were obtained
  Tools Used: Phishing logs, email security
  Findings: Traced to the January 2024 (Q1) phishing campaign targeting HR

Step 6 – User Notification
  Action: Notify affected users
  Tools Used: ServiceNow, email
  Findings: All users notified; training assigned
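Steps 1 to 3 above are a triage pipeline: parse the dump, judge how guessable the passwords are, and join the addresses against the directory so privileged and executive accounts are reset first. The script below is an added example and not code from the original post or from Recorded Future. Its inputs are constructed: LEAK mimics the email:password format the alert describes for "company_users_2024.rar" (the four verified sample entries plus two extra rows), and AD_EXPORT mimics a CSV exported from Get-ADUser; the column names, the privileged-group list and the company-name heuristic are assumptions.

```python
"""Triage a leaked email:password dump against an AD user export.

Added example, not code from the original post or from Recorded Future.
LEAK and AD_EXPORT are constructed samples; column names are assumptions.
"""
import csv
import io
import re
from dataclasses import dataclass

COMPANY_NAME = "company"   # assumption: taken from the e-mail domain
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
EXEC_TITLE = re.compile(r"^Chief\b|^C[A-Z]O$")

# Constructed sample: the four verified entries from the alert, one strong
# password, one address with no matching account, and a seller banner line.
LEAK = """\
jsmith@company.com:Password123!
kbaker@company.com:Summer2024
mwilson@company.com:Welcome123
rjones@company.com:Q1results!
tlee@company.com:Company2024!
agarcia@company.com:xT9#vL2q!mRw
-- fresh HR batch, feb 2024 --
"""

# Constructed sample of an AD export (SamAccountName, mail, MemberOf, Title).
AD_EXPORT = """\
SamAccountName,mail,MemberOf,Title
jsmith,jsmith@company.com,Domain Admins;Staff,Systems Administrator
kbaker,kbaker@company.com,Staff,HR Generalist
mwilson,mwilson@company.com,Staff,Accountant
rjones,rjones@company.com,Finance;Staff,Chief Financial Officer
tlee,tlee@company.com,Staff,Recruiter
"""


def parse_leak(text: str) -> dict[str, str]:
    """Return {email: password}. Split on the first ':' only (passwords may
    contain ':') and drop lines that are not <user@domain>:<password>."""
    creds: dict[str, str] = {}
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        if not sep or "@" not in email or not password:
            continue
        creds[email.lower()] = password
    return creds


def uses_company_name(password: str) -> bool:
    return COMPANY_NAME in password.lower()


def is_weak(password: str) -> bool:
    """Guessable-password heuristics: short, a dictionary base word with a
    digit/symbol suffix, season or quarter plus year, or the company name."""
    p = password.lower()
    letters = re.sub(r"[^a-z]", "", p)
    if len(password) < 12 or letters in COMMON_BASES or letters in SEASONS:
        return True
    if re.fullmatch(r"(q[1-4]|%s)\w*\d{2,4}\W*" % "|".join(SEASONS), p):
        return True
    return uses_company_name(password)


@dataclass
class Affected:
    email: str
    sam: str
    weak: bool
    privileged: bool
    executive: bool


def triage(leak_text: str, ad_csv: str) -> list[Affected]:
    """Join the leak against the directory export; privileged and executive
    accounts sort first so they are reset first."""
    creds = parse_leak(leak_text)
    found = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        email = row["mail"].lower()
        if email not in creds:
            continue
        groups = set(row["MemberOf"].split(";"))
        found.append(Affected(email, row["SamAccountName"], is_weak(creds[email]),
                              bool(groups & PRIVILEGED_GROUPS),
                              bool(EXEC_TITLE.match(row["Title"]))))
    found.sort(key=lambda a: (not a.privileged, not a.executive, a.email))
    return found


def summarize(leak_text: str, ad_csv: str) -> dict:
    creds = parse_leak(leak_text)
    affected = triage(leak_text, ad_csv)
    pct = lambda n: round(100 * n / len(creds))
    return {
        "entries": len(creds),
        "weak_pct": pct(sum(is_weak(p) for p in creds.values())),
        "company_name_pct": pct(sum(uses_company_name(p) for p in creds.values())),
        "in_directory": len(affected),
        # Addresses with no current account: departed staff or seller padding.
        "not_in_directory": sorted(set(creds) - {a.email for a in affected}),
        "privileged": sum(a.privileged for a in affected),
        "executives": sum(a.executive for a in affected),
        "reset_order": [a.sam for a in affected],
    }


if __name__ == "__main__":
    print(summarize(LEAK, AD_EXPORT))
```

Two caveats for the real thing. Addresses that do not resolve to a current account deserve their own check (a departed employee whose old password was reused elsewhere, or padding added by the seller to inflate the listing). And the step 2 validation of a sample is best done against exported password hashes or through a dedicated, monitored test path rather than by interactive logon attempts with the leaked passwords, which can lock accounts and pollute the same sign-in logs you then rely on for watchlist monitoring.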

Jira Incident Report

Ticket: SOC-2024-042
Summary: T1589 – Employee Credentials Leaked on Dark Web
Status: RESOLVED
Resolution: IDENTITY COMPROMISE – Remediated
Priority: P1 – HIGH
Labels: T1589, identity-theft, credential-leak, dark-web, recorded-future
Components: Identity-Management, Threat-Intelligence


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Recorded Future Identity Intelligence Module.
  • Alert: “Corporate Credentials Found on Dark Web”.
  • Data: 247 employee email addresses with plaintext passwords.
  • Time: 2024-02-08 08:15 EST (detected), leak posted 2024-02-07.
  • Technique: MITRE ATT&CK T1589 – Gather Victim Identity Information.

2. Technical Analysis:

  • Leak Details:
    – Source: Russian-language dark web marketplace.
    – File: “company_users_2024.rar” containing 247 credentials.
    – Format: email:password (plaintext).
    – Seller: “darkmarket_user_7842” (established reputation).
    – Price: 0.5 BTC (~$22,000).
  • Credential Analysis:
    – Weak Passwords: 85% were weak or guessable (the verified samples are dictionary words or a season/quarter plus year with a digit or symbol suffix).
    – Company Name in Password: 32% used variants of the company name.
    – Privileged Accounts: 15 had administrative access.
    – Executive Accounts: 8 C-level executives included.
    – Validation: 12 of 20 sampled credentials (60%) still matched current AD passwords.
  • Source Investigation:
    – Traced to a phishing campaign in January 2024 targeting the HR department.
    – Campaign used fake “Open Enrollment” emails with credential-harvesting links.
    – 247 employees entered credentials into the phishing site.
    – MFA was not enforced for the affected accounts at the time of compromise (enforced post-incident).

3. Investigation Findings:

  • Timeline:

2024-01-15 to 2024-01-22: Phishing campaign active

2024-01-23: Credentials collected by attackers

2024-02-07: Data posted for sale on dark web

2024-02-08 08:15: Recorded Future detects and alerts

2024-02-08 08:30: SOC investigation begins

2024-02-08 09:00: All affected accounts reset

  • Indicators of Compromise (IoCs):

Identity:

– 247 employee email addresses (list attached to ticket)

– Associated passwords (all invalidated by forced reset as of 09:00 EST)

Infrastructure:

– Phishing domain: benefits-openenrollment[.]com

– Phishing IP: 185.143.221[.]89

4. Containment Actions:

  • Immediate Remediation (08:30-09:00 EST):
    – Forced password reset for all 247 affected accounts.
    – Enforced MFA on all affected accounts that did not already have it.
    – Blocked the phishing domain at firewall and DNS.
  • User Notification (09:00-10:00 EST):
    – All affected users notified via email and Teams.
    – Security awareness training assigned.
    – Phishing simulation scheduled for next week.
  • Monitoring Enhancement:
    – Added the affected accounts to a watchlist to flag any sign-in attempts.
    – Enhanced Azure AD sign-in monitoring for suspicious activity.
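The watchlist and sign-in monitoring described above are the part of containment that keeps paying off after the reset, because a buyer of the dump will typically test the credentials. The following is an added example of that detection logic and is not code from the original report or from any vendor. It runs over constructed JSON lines shaped like Azure AD sign-in records (userPrincipalName, ipAddress, createdDateTime, status.errorCode); the error-code meanings (0 success, 50126 invalid username or password, 50074/50076 MFA challenge required or failed) are taken from Azure AD's published codes, the per-user baseline IPs are an assumption using RFC 5737 TEST-NET addresses, and 185.143.221.89 is the phishing IP from the incident IoCs.

```python
"""Watchlist detection over Azure AD-style sign-in events for leaked accounts.

Added example, not code from the original report or from any vendor.
EVENTS is a constructed sample; error-code meanings and BASELINE are
assumptions noted inline.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

WATCHLIST = {"jsmith@company.com", "kbaker@company.com",
             "mwilson@company.com", "rjones@company.com"}
PHISHING_IPS = {"185.143.221.89"}          # from the incident IoCs
# Look back to the start of the phishing campaign in the timeline, not just
# to the dark web post: the harvester may have used the credentials first.
WATCH_FROM = datetime(2024, 1, 15, tzinfo=timezone.utc)
# Assumption: per-user known-good egress IPs, e.g. from 30 days of prior sign-ins.
BASELINE = {"kbaker@company.com": {"203.0.113.10"}}
MFA_CODES = {50074, 50076}                 # assumption: MFA required / not passed
BAD_PASSWORD = 50126                       # assumption: invalid username or password
SPRAY_MIN_ACCOUNTS = 3

# Constructed sample events (one JSON object per line).
EVENTS = """\
{"createdDateTime":"2024-01-10T13:00:00Z","userPrincipalName":"jsmith@company.com","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"createdDateTime":"2024-02-08T04:10:00Z","userPrincipalName":"jsmith@company.com","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2024-02-08T04:12:00Z","userPrincipalName":"jsmith@company.com","ipAddress":"198.51.100.7","status":{"errorCode":50076}}
{"createdDateTime":"2024-02-08T07:55:00Z","userPrincipalName":"kbaker@company.com","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2024-02-08T08:00:00Z","userPrincipalName":"agarcia@company.com","ipAddress":"203.0.113.44","status":{"errorCode":0}}
{"createdDateTime":"2024-02-08T09:30:00Z","userPrincipalName":"rjones@company.com","ipAddress":"185.143.221.89","status":{"errorCode":50126}}
{"createdDateTime":"2024-02-08T09:31:00Z","userPrincipalName":"mwilson@company.com","ipAddress":"185.143.221.89","status":{"errorCode":50126}}
{"createdDateTime":"2024-02-08T09:32:00Z","userPrincipalName":"kbaker@company.com","ipAddress":"185.143.221.89","status":{"errorCode":50126}}
"""


def parse_events(text: str):
    """Yield events with a timezone-aware 'ts' added."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
            yield ev


def detect(text: str) -> list[dict]:
    alerts = []
    failures_by_ip: dict[str, set] = defaultdict(set)
    for ev in parse_events(text):
        upn = ev["userPrincipalName"].lower()
        ip = ev["ipAddress"]
        code = ev["status"]["errorCode"]
        sev = kind = None
        if upn in WATCHLIST and ev["ts"] >= WATCH_FROM:
            if code == 0 and ip in BASELINE.get(upn, set()):
                sev, kind = "INFO", "success_known_ip"
            elif code == 0:
                sev, kind = "HIGH", "success_new_ip"              # possible takeover
            elif code in MFA_CODES:
                sev, kind = "HIGH", "password_valid_mfa_blocked"  # credential is live
            elif code == BAD_PASSWORD:
                sev, kind = "MEDIUM", "bad_password"              # old password tried post-reset?
                failures_by_ip[ip].add(upn)
        if ip in PHISHING_IPS:                                    # any account, watchlisted or not
            sev, kind = "CRITICAL", (f"{kind}+phishing_ip" if kind else "phishing_ip")
        if kind:
            alerts.append({"severity": sev, "kind": kind, "user": upn,
                           "ip": ip, "time": ev["createdDateTime"]})
    # One source IP failing against several watchlisted accounts: password spray
    # with the leaked list, which a single-account view would miss.
    for ip, users in failures_by_ip.items():
        if len(users) >= SPRAY_MIN_ACCOUNTS:
            alerts.append({"severity": "HIGH", "kind": "password_spray",
                           "ip": ip, "accounts": sorted(users)})
    return alerts


def severity_counts(alerts: list[dict]) -> dict[str, int]:
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print(severity_counts(found))
```

The distinction that matters for triage is between bad_password (the attacker has the dump but the reset already landed) and password_valid_mfa_blocked or success_new_ip (the credential still worked, so that account needs a session revocation and a closer look, not just the reset). The spray rule is there because a buyer testing 247 accounts from one host produces only low-severity single-account failures until you group them by source IP.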

5. Root Cause Analysis:

  • Primary Cause: Successful phishing campaign harvesting employee credentials.
  • Contributing Factors:
  1. Weak password policies allowed simple passwords.
  2. MFA not fully deployed at time of phishing.
  3. Users lacked awareness of benefits-themed phishing.

6. Business Impact:

  • Operational Impact: 247 users required password resets (2 to 3 hours of productivity loss).
  • Data Exposure: Credentials offered for sale on a dark web market; affected accounts were at risk of takeover until reset.
  • Reputational Impact: Potential negative publicity if the leak becomes public.

7. Remediation & Prevention:

Completed Actions:

  • All affected passwords reset.
  • MFA enforced for all users.
  • Password policy strengthened (minimum 12 characters, complexity).
  • Enhanced phishing detection for benefits-themed emails.

8. Conclusion:

This incident involved a significant credential leak stemming from an earlier phishing campaign. Rapid detection by Recorded Future enabled us to reset the affected credentials before any use of them for account takeover was observed; monitoring of the affected accounts remains active.

Closure Rationale: All credentials reset; MFA enforced; monitoring enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 11:30 EST
