T1589 – Gather Victim Identity Info (Recorded Future Detection)

Recorded Future Alert Details
Alert ID: RF-IDENTITY-LEAK-7842
Alert Time: 2024-02-08 08:15:33 EST
Severity: HIGH (82/100)
Source: Recorded Future Identity Intelligence Module
Rule: “Corporate Credentials Found on Dark Web”
MITRE ATT&CK: T1589 – Gather Victim Identity Information

Alert Details:

Identity Intelligence Finding:

– Source: Dark Web Market (Russian-language forum)

– Post Date: 2024-02-07 22:00 EST

– Data Type: Employee credentials (email addresses + passwords)

– Entries: 247 unique corporate email addresses

– File Name: “company_users_2024.rar”

– Seller: “darkmarket_user_7842”

– Price: 0.5 BTC (approx $22,000 USD)

Sample Entries Verified:

1. jsmith@company.com:Password123!

2. kbaker@company.com:Summer2024

3. mwilson@company.com:Welcome123

4. rjones@company.com:Q1results!

Credential Characteristics:

– 85% of passwords are weak/guessable

– 32% use company name in password

– 15 accounts have admin privileges

– 8 accounts are executives (C-level)

Threat Intelligence Context:

– Same seller previously sold credentials from similar industry targets

– Data likely obtained via phishing campaign 2-3 weeks ago

– No evidence of credentials being used yet (monitoring active)

SOC Investigation Process

| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify authenticity of leaked data | Recorded Future, Dark Web Access | Confirmed legitimate leak; credentials match real employees |
| 2. Sample Verification | Test random sample of credentials against AD | Active Directory, Azure AD | 12/20 tested accounts had matching passwords (valid) |
| 3. Scope Identification | Identify all affected accounts | PowerShell, AD Export | 247 total accounts; 15 privileged, 8 executives |
| 4. Immediate Remediation | Force password reset for all affected users | Active Directory, Azure AD | All 247 accounts reset; MFA enforced |
| 5. Source Investigation | Determine how credentials were obtained | Phishing Logs, Email Security | Traced to Q1 phishing campaign targeting HR |
| 6. User Notification | Notify affected users | ServiceNow, Email | All users notified; training assigned |
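Steps 3 and 4 above (scope identification from the leaked file, then a forced reset of every matched account) are the part of the process most worth scripting, because a 247-account reset done by hand is slow and error-prone. The following PowerShell is an added example written for this write-up; it is not the SOC's own script. It assumes the RSAT ActiveDirectory module, on-prem AD as the identity source, an account permitted to read users and reset passwords, and the group names, company-name token and sample leak lines shown in the comments are all assumptions. The leaked password values are examined in memory only (to reproduce the "weak" and "contains company name" characteristics) and are never written to the export that goes on the ticket.

```powershell
# Added example for this write-up; not the SOC's own script. Assumes the RSAT ActiveDirectory
# module, on-prem AD as the identity source, and an account allowed to read users and reset
# passwords. Group names, company-name token and the sample data below are assumptions.
Import-Module ActiveDirectory

# Constructed sample in the leak's email:password layout (stand-in for the extracted contents
# of company_users_2024.rar). Passwords here are placeholders, not real values.
$LeakSample = @'
jsmith@company.com:placeholder-one
kbaker@company.com:company2024
nosuchuser@company.com:placeholder-three
'@

function Get-LeakedAccountScope {
    # Resolves each leaked address to an AD account and flags privileged membership and
    # weak-password traits. The password is examined in memory only; it never reaches the output.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$CompanyName = 'company',   # assumption: token behind the "company name in password" statistic
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption
    )
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*([^:\s]+@[^:\s]+):(.*)$') { continue }   # skip blank or malformed lines
        $email    = $Matches[1].ToLowerInvariant()
        $password = $Matches[2]

        $user   = Get-ADUser -Filter "mail -eq '$email' -or userPrincipalName -eq '$email'" -Properties mail, memberOf
        $groups = @()
        if ($user) { $groups = @($user.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) }

        [pscustomobject]@{
            Email           = $email
            SamAccountName  = $(if ($user) { $user.SamAccountName })
            Found           = [bool]$user
            Privileged      = [bool]($groups | Where-Object { $PrivilegedGroups -contains $_ })
            ShortPassword   = $password.Length -lt 12                          # below the new 12-character minimum
            ContainsCompany = $password -match [regex]::Escape($CompanyName)   # -match is case-insensitive
        }
        $password = $null
    }
}

function Invoke-LeakedAccountReset {
    # Replaces the leaked password with a random one (so the leaked value stops working at once)
    # and requires a change at next logon. The temporary value is not retained; the helpdesk
    # issues a fresh one to the user after identity verification. Nothing is printed or logged.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Account)
    process {
        if (-not $Account.Found) { return }
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $temp = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        if ($PSCmdlet.ShouldProcess($Account.SamAccountName, 'Reset password, require change at next logon')) {
            Set-ADAccountPassword -Identity $Account.SamAccountName -Reset -NewPassword $temp
            Set-ADUser -Identity $Account.SamAccountName -ChangePasswordAtLogon $true
        }
    }
}

# Scope first (privileged accounts sorted to the top), export the list for the ticket, then reset.
$scope = Get-LeakedAccountScope -Lines ($LeakSample -split "`r?`n") | Sort-Object Privileged -Descending
$scope | Export-Csv -Path .\SOC-2024-042-affected-accounts.csv -NoTypeInformation
$scope | Where-Object Found | Invoke-LeakedAccountReset -WhatIf   # remove -WhatIf to perform the resets
```

Run it with `-WhatIf` first to confirm the resolved account list matches the expected 247 before any password is touched. Setting a random password (rather than only flagging "change at next logon") matters: with the flag alone, whoever holds the leaked password could still log on once and choose the new one themselves.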

Jira Incident Report
Ticket: SOC-2024-042
Summary: T1589 – Employee Credentials Leaked on Dark Web
Status: RESOLVED
Resolution: IDENTITY COMPROMISE – Remediated
Priority: P1 – HIGH
Labels: T1589, identity-theft, credential-leak, dark-web, recorded-future
Components: Identity-Management, Threat-Intelligence

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Recorded Future Identity Intelligence Module.
Alert: “Corporate Credentials Found on Dark Web”.
Data: 247 employee email addresses with plaintext passwords.
Time: 2024-02-08 08:15 EST (detected), leak posted 2024-02-07.
Technique: MITRE ATT&CK T1589 – Gather Victim Identity Information.

2. Technical Analysis:

Leak Details:

Source: Russian dark web marketplace.
File: “company_users_2024.rar” containing 247 credentials.
Format: Email:password (plaintext).
Seller: “darkmarket_user_7842” (established reputation).
Price: 0.5 BTC (~$22,000).

Credential Analysis:

Weak Passwords: 85% failed complexity requirements.
Password Reuse: 32% used company name variants.
Privileged Accounts: 15 had administrative access.
Executive Accounts: 8 C-level executives included.
Validation: 60% of tested credentials matched current AD passwords.

Source Investigation:

Traced to phishing campaign in January 2024 targeting HR department.
Campaign used fake “Open Enrollment” emails with credential harvesting links.
247 employees entered credentials into phishing site.
No MFA at time of compromise (MFA rolled out post-incident).

3. Investigation Findings:

Timeline:

2024-01-15 to 2024-01-22: Phishing campaign active

2024-01-23: Credentials collected by attackers

2024-02-07: Data posted for sale on dark web

2024-02-08 08:15: Recorded Future detects and alerts

2024-02-08 08:30: SOC investigation begins

2024-02-08 09:00: All affected accounts reset

Indicators of Compromise (IoCs):

Identity:

– 247 employee email addresses (list attached to ticket)

– Associated passwords (all expired as of 09:00 EST)

Infrastructure:

– Phishing domain: benefits-openenrollment[.]com

– Phishing IP: 185.143.221[.]89

4. Containment Actions:

Immediate Remediation (08:30-09:00 EST):

Forced password reset for all 247 affected accounts.
Enabled MFA on every affected account that did not already have it enforced.
Blocked phishing domains at firewall and DNS.

User Notification (09:00-10:00 EST):

All affected users notified via email and Teams.
Security awareness training assigned.
Phishing simulation scheduled for next week.

Monitoring Enhancement:

Added leaked credentials to watchlist for any login attempts.
Enhanced Azure AD sign-in monitoring for suspicious activity.
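The watchlist item above (watch for any logon attempt against the leaked accounts) is the control that turns "no evidence of use yet" into a monitored state. The PowerShell below is an added example for this write-up, not the SOC's own detection content; it checks domain-controller Security logs rather than Azure AD sign-in logs. It assumes the affected-accounts CSV exported during scoping (column SamAccountName), read access to the Security log on each domain controller, and that the DC names, the watchlist and the sample event are constructed. Event IDs 4624, 4625 and 4771 are standard Windows Security log events.

```powershell
# Added example for this write-up, not the SOC's own detection content. Assumes the ticket's
# affected-accounts CSV (SamAccountName column), read access to each DC's Security log, and
# that DC names, the watchlist and the sample event below are constructed.
function ConvertFrom-SecurityEventXml {
    # Turns one Security event (XML as returned by Get-WinEvent's ToXml()) into a flat object.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml, [string]$Source = 'unknown')
    process {
        $doc  = [xml]$Xml
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $idNode  = $doc.Event.System.EventID
        $id      = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
        $outcome = switch ($id) { 4624 { 'Success' } 4625 { 'Failure' } 4771 { 'KerberosPreAuthFailure' } default { 'Other' } }
        [pscustomobject]@{
            Time      = [datetime]$doc.Event.System.TimeCreated.SystemTime
            Source    = $Source
            EventId   = $id
            Account   = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            LogonType = $data['LogonType']
            Outcome   = $outcome
        }
    }
}

function Find-WatchlistLogonAttempts {
    # Pulls logon-related events from each DC since the leak was posted and keeps only those
    # naming a watchlisted account. 4624 = logon success, 4625 = logon failure,
    # 4771 = Kerberos pre-authentication failure (typically a wrong password).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$WatchedAccounts,
        [string[]]$DomainControllers = @('dc01', 'dc02'),   # assumption: constructed DC names
        [datetime]$Since = [datetime]'2024-02-07 22:00'      # leak post time from the alert
    )
    $watch = @{}
    foreach ($a in $WatchedAccounts) { $watch[$a.ToLowerInvariant()] = $true }
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4771; StartTime = $Since } |
            ForEach-Object { $_.ToXml() } |
            ConvertFrom-SecurityEventXml -Source $dc |
            Where-Object { $_.Account -and $watch.ContainsKey($_.Account.ToLowerInvariant()) }
    }
}

# Constructed 4625 event: failed network logon for a watchlisted account from a documentation-range IP.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-02-08T03:12:44Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="IpAddress">203.0.113.5</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
'@
$SampleEvent | ConvertFrom-SecurityEventXml -Source 'constructed'   # offline check of the parser

# Live use: watchlist from the ticket's affected-accounts export, results ordered by time.
$watched = (Import-Csv .\SOC-2024-042-affected-accounts.csv | Where-Object { $_.Found -eq 'True' }).SamAccountName
Find-WatchlistLogonAttempts -WatchedAccounts $watched |
    Sort-Object Time | Format-Table Time, Source, Account, SourceIp, LogonType, Outcome
```

Failures (4625/4771) after the 09:00 reset show the leaked passwords being tried; a 4624 success for a watchlisted account from an address outside the corporate ranges is the case to escalate first, since it means a reset was missed or a new password has already been obtained. Scheduling this as a recurring task for the monitoring period keeps the watchlist active without relying on an analyst to remember it.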

5. Root Cause Analysis:

Primary Cause: Successful phishing campaign harvesting employee credentials.
Contributing Factors:
Weak password policies allowed simple passwords.
MFA not fully deployed at time of phishing.
Users lacked awareness of benefits-themed phishing.

6. Business Impact:

Operational Impact: 247 users required password resets (2-3 hours productivity loss).
Data Exposure: Credentials publicly available; accounts at risk.
Reputational Impact: Potential negative publicity if leak becomes public.

7. Remediation & Prevention:

Completed Actions:

All affected passwords reset.
MFA enforced for all users.
Password policy strengthened (minimum 12 chars, complexity).
Enhanced phishing detection for benefits-themed emails.

8. Conclusion:

This incident involved a significant credential leak from a prior phishing campaign. Rapid detection by Recorded Future enabled us to reset affected credentials before attackers could use them for account takeover.

Closure Rationale: All credentials reset; MFA enforced; monitoring enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 11:30 EST
