Recorded Future Alert Details
Alert ID: RF-IDENTITY-LEAK-7842
Alert Time: 2024-02-08 08:15:33 EST
Severity: HIGH (82/100)
Source: Recorded Future Identity Intelligence Module
Rule: “Corporate Credentials Found on Dark Web”
MITRE ATT&CK: T1589 – Gather Victim Identity Information
Alert Details:
Identity Intelligence Finding:
– Source: Dark Web Market (Russian-language forum)
– Post Date: 2024-02-07 22:00 EST
– Data Type: Employee credentials (email addresses + passwords)
– Entries: 247 unique corporate email addresses
– File Name: “company_users_2024.rar”
– Seller: “darkmarket_user_7842”
– Price: 0.5 BTC (approx $22,000 USD)
Sample Entries Verified:
1. jsmith@company.com:Password123!
2. kbaker@company.com:Summer2024
3. mwilson@company.com:Welcome123
4. rjones@company.com:Q1results!
Credential Characteristics:
– 85% of passwords are weak/guessable
– 32% use company name in password
– 15 accounts have admin privileges
– 8 accounts are executives (C-level)
Threat Intelligence Context:
– Same seller previously sold credentials from similar industry targets
– Data likely obtained via phishing campaign 2-3 weeks ago
– No evidence of credentials being used yet (monitoring active)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify authenticity of leaked data | Recorded Future, Dark Web Access | Confirmed legitimate leak; credentials match real employees |
| 2. Sample Verification | Test random sample of credentials against AD | Active Directory, Azure AD | 12/20 tested accounts had matching passwords (valid) |
| 3. Scope Identification | Identify all affected accounts | PowerShell, AD Export | 247 total accounts; 15 privileged, 8 executives |
| 4. Immediate Remediation | Force password reset for all affected users | Active Directory, Azure AD | All 247 accounts reset; MFA enforced |
| 5. Source Investigation | Determine how credentials were obtained | Phishing Logs, Email Security | Traced to Q1 phishing campaign targeting HR |
| 6. User Notification | Notify affected users | ServiceNow, Email | All users notified; training assigned |
Jira Incident Report
Ticket: SOC-2024-042
Summary: T1589 – Employee Credentials Leaked on Dark Web
Status: RESOLVED
Resolution: IDENTITY COMPROMISE – Remediated
Priority: P1 – HIGH
Labels: T1589, identity-theft, credential-leak, dark-web, recorded-future
Components: Identity-Management, Threat-Intelligence
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Recorded Future Identity Intelligence Module.
- Alert: “Corporate Credentials Found on Dark Web”.
- Data: 247 employee email addresses with plaintext passwords.
- Time: 2024-02-08 08:15 EST (detected), leak posted 2024-02-07.
- Technique: MITRE ATT&CK T1589 – Gather Victim Identity Information.
2. Technical Analysis:
- Leak Details:
- Source: Russian dark web marketplace.
- File: “company_users_2024.rar” containing 247 credentials.
- Format: Email:password (plaintext).
- Seller: “darkmarket_user_7842” (established reputation).
- Price: 0.5 BTC (~$22,000).
- Credential Analysis:
- Weak Passwords: 85% failed complexity requirements.
- Password Reuse: 32% used company name variants.
- Privileged Accounts: 15 had administrative access.
- Executive Accounts: 8 C-level executives included.
- Validation: 60% of tested credentials matched current AD passwords.
- Source Investigation:
- Traced to phishing campaign in January 2024 targeting HR department.
- Campaign used fake “Open Enrollment” emails with credential harvesting links.
- 247 employees entered credentials into phishing site.
- No MFA at time of compromise (MFA rolled out post-incident).
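As an added example (not part of the original alert or ticket), a Python triage script that parses a leak file in the email:password format reported above, deduplicates the accounts, computes the weak-password and company-name percentages that the Credential Characteristics and Credential Analysis sections report, and emits the account list for the forced reset. The company name, the common base-word list and every sample entry except the four quoted in the alert are assumptions constructed for this example.

```python
import re
COMPANY_NAME = "company"  # assumption: brand word taken from the leaked domain
COMMON_BASES = ("password", "welcome", "summer", "winter", "spring", "qwerty", "letmein")
LEET = str.maketrans("0143$@!", "oiaesai")  # undo the usual digit/symbol substitutions

# Constructed leak file in the report's "email:password" format: the first four lines are the sample entries quoted in the alert, the rest are made up for this example.
SAMPLE_DUMP = """\
jsmith@company.com:Password123!
kbaker@company.com:Summer2024
mwilson@company.com:Welcome123
rjones@company.com:Q1results!
jsmith@company.com:Password123!
tlee@company.com:C0mpany!2024
agarcia@company.com:v9#Lq2!pZr8mT4wX
dnguyen@company.com:Wint3r:2024!
this line is malformed and must be skipped
"""

def parse_dump(text):
    """Return {email: password}; emails lower-cased, duplicates and junk lines dropped."""
    creds = {}
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")  # first ':' only, passwords may contain ':'
        if sep and "@" in email and password:
            creds.setdefault(email.lower(), password)  # first occurrence wins
    return creds

def normalize(password):
    return password.lower().translate(LEET)

def fails_policy(password, min_len=12, min_classes=3):
    # Strengthened policy from the report: 12+ characters with a mix of character classes.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(password) < min_len or classes < min_classes

def is_weak(password):
    # Weak/guessable: fails policy or is built on a common base word (after undoing leet).
    return fails_policy(password) or any(b in normalize(password) for b in COMMON_BASES)

def uses_company_name(password, name=COMPANY_NAME):
    return name.lower() in normalize(password)

def triage(text):
    creds = parse_dump(text)
    n = len(creds) or 1
    weak = sum(is_weak(p) for p in creds.values())
    branded = sum(uses_company_name(p) for p in creds.values())
    return {"accounts": len(creds), "weak": weak, "weak_pct": round(100 * weak / n),
            "company_name": branded, "company_name_pct": round(100 * branded / n),
            "reset_list": sorted(creds)}  # input to the forced-reset step; never log passwords
```

Only the email list leaves this script; the passwords stay in memory for scoring and are never written out.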
3. Investigation Findings:
- Timeline:
- 2024-01-15 to 2024-01-22: Phishing campaign active
- 2024-01-23: Credentials collected by attackers
- 2024-02-07: Data posted for sale on dark web
- 2024-02-08 08:15: Recorded Future detects and alerts
- 2024-02-08 08:30: SOC investigation begins
- 2024-02-08 09:00: All affected accounts reset
- Indicators of Compromise (IoCs):
Identity:
– 247 employee email addresses (list attached to ticket)
– Associated passwords (all expired as of 09:00 EST)
Infrastructure:
– Phishing domain: benefits-openenrollment[.]com
– Phishing IP: 185.143.221[.]89
4. Containment Actions:
- Immediate Remediation (08:30-09:00 EST):
- Forced password reset for all 247 affected accounts.
- Enabled MFA for all accounts (those without already enforced).
- Blocked phishing domains at firewall and DNS.
- User Notification (09:00-10:00 EST):
- All affected users notified via email and Teams.
- Security awareness training assigned.
- Phishing simulation scheduled for next week.
- Monitoring Enhancement:
- Added leaked credentials to watchlist for any login attempts.
- Enhanced Azure AD sign-in monitoring for suspicious activity.
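The watchlist monitoring described under Monitoring Enhancement, as an added example that is not the SOC's own tooling: three detection rules run over constructed Azure AD-style sign-in records (a leaked account failing repeatedly, which is what a replayed pre-reset password produces; a leaked account succeeding without MFA; any sign-in from the phishing IP in the IoC list). Field names follow the Microsoft Graph signIn resource; the watchlist subset, the failure threshold and the records themselves are constructed for the example.

```python
import json
from collections import Counter

# Watchlist of leaked accounts (constructed subset of the 247) and the phishing IP from the
# report's IoCs, re-fanged so it compares against raw log values.
WATCHLIST = {"jsmith@company.com", "kbaker@company.com", "mwilson@company.com", "rjones@company.com"}
IOC_IPS = {"185.143.221.89"}
FAIL_THRESHOLD = 3  # assumption: tune to the tenant's normal mistyped-password rate

# Constructed sign-in records, shaped like a subset of Microsoft Graph signIn fields.
# After the reset, the leaked passwords can only produce failures (errorCode 50126).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2024-02-08T14:02:11Z", "userPrincipalName": "jsmith@company.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:02:40Z", "userPrincipalName": "jsmith@company.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:03:05Z", "userPrincipalName": "jsmith@company.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:10:00Z", "userPrincipalName": "kbaker@company.com", "ipAddress": "198.51.100.4", "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:12:30Z", "userPrincipalName": "mwilson@company.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:15:00Z", "userPrincipalName": "agarcia@company.com", "ipAddress": "185.143.221.89", "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"}
{"createdDateTime": "2024-02-08T14:20:00Z", "userPrincipalName": "rjones@company.com", "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"}
"""

def load_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def evaluate(records):
    """Return (rule, user, ip, time) findings for the watchlist and IoC rules."""
    findings, failures = [], Counter()
    for r in records:
        user, ip, when = r["userPrincipalName"].lower(), r["ipAddress"], r["createdDateTime"]
        success = r["status"]["errorCode"] == 0
        mfa = r["authenticationRequirement"] == "multiFactorAuthentication"
        if ip in IOC_IPS:  # any account touching phishing infrastructure, watchlisted or not
            findings.append(("ioc_ip", user, ip, when))
        if user not in WATCHLIST:
            continue
        if success and not mfa:  # leaked account signed in without the MFA enforced in containment
            findings.append(("leaked_account_single_factor_success", user, ip, when))
        elif not success:
            failures[user] += 1
            if failures[user] == FAIL_THRESHOLD:  # likely someone replaying the leaked password
                findings.append(("leaked_account_failure_burst", user, ip, when))
    return findings

if __name__ == "__main__":
    for f in evaluate(load_signins(SAMPLE_SIGNINS)):
        print(*f)
```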
5. Root Cause Analysis:
- Primary Cause: Successful phishing campaign harvesting employee credentials.
- Contributing Factors:
- Weak password policies allowed simple passwords.
- MFA not fully deployed at time of phishing.
- Users lacked awareness of benefits-themed phishing.
6. Business Impact:
- Operational Impact: 247 users required password resets (2-3 hours productivity loss).
- Data Exposure: Credentials publicly available; accounts at risk.
- Reputational Impact: Potential negative publicity if leak becomes public.
7. Remediation & Prevention:
- Completed Actions:
- All affected passwords reset.
- MFA enforced for all users.
- Password policy strengthened (minimum 12 chars, complexity).
- Enhanced phishing detection for benefits-themed emails.
8. Conclusion:
This incident involved a significant credential leak from a prior phishing campaign. Rapid detection by Recorded Future enabled us to reset affected credentials before attackers could use them for account takeover.
Closure Rationale: All credentials reset; MFA enforced; monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 11:30 EST