Constella Intelligence

Main Menu

Managing Risks: Executive Protection in the Digital Age

Jason Wagner on December 18, 2024

The recent incident involving the United Healthcare CEO has sparked critical conversations in corporate boardrooms about the evolving threat landscape and the importance of robust security measures centered around executive protection. The incident has illuminated a stark and unsettling reality: the threat landscape for senior executives is evolving in ways that demand immediate attention and action. As companies scramble to reassess their security measures, it is imperative to consider the physical and digital vulnerabilities that executives face.

A Holistic Approach to Executive Protection

Executives today operate in an interconnected world where the lines between their professional and personal lives are increasingly blurred. The NYPD’s intelligence report labeling Thompson’s killing as a “symbolic takedown” underscores how online rhetoric can translate into real-world violence. While essential for corporate visibility, social media platforms also present a proactive opportunity for companies to enhance their digital security posture by identifying and mitigating the intelligence adversaries might use to target potential vulnerabilities. Personal addresses, travel schedules, and family details are often just a few clicks away for malicious actors.

This convergence of physical and digital threats highlights the need for a holistic approach to executive protection. Security measures can no longer be confined to physical guards or alarm systems. They must also encompass robust digital strategies, including minimizing digital footprints and proactive online threat monitoring.

A Watershed Moment for Corporate Security

The aftermath of this incident has seen a surge in demand for executive protection services, highlighting the importance of shifting focus from reactionary measures to sustainable and proactive strategies that address immediate and long-term security needs. Security firms have reported unprecedented inquiries, with corporations seeking guidance on everything from enhanced mail screening to deploying residential security teams. However, the challenge lies in reacting to immediate threats and creating a sustainable, long-term security framework.

For companies of all sizes, this “watershed moment” calls for a reassessment of how security budgets are allocated. Historically viewed as a non-revenue-generating expense, security investments must now be recognized as essential to safeguarding not just individuals but also the reputation and continuity of the business itself. Proactive investment in security can also demonstrate corporate responsibility and leadership, reinforcing trust among stakeholders and the broader community. The reputational damage and operational disruption resulting from a high-profile attack can far outweigh the upfront costs of comprehensive security measures.

In the recent report “Safeguarding Executives from Attack Using TAG’s Triangle of Protection Model,” Dr. Edward Amoroso, CEO of TAG Cyber, discusses how executive/VIP protection has three pillars — Physical, Virtual and Threat.  Further, he goes on to address how integrating the triangle of protection is crucial to moving forward. 

According to this report:

“The three points of the TAG Triangle of Protection — physical protection, virtual protection, and threat reduction — are interdependent and must function cohesively to ensure executive safety. Physical security safeguards the executive from immediate harm, virtual protection shields against cyber and reputational threats, and threat reduction addresses the underlying causes of hostility, but they should all be working together.

For example, early indications from the recent situation involving the CEO of UnitedHealthcare suggest that the attacker employed social engineering methods to obtain information about the logistics of the target. While it is perhaps improper to speculate on how the murder might have been avoided, one must concede that social engineering training can be viewed as interconnected with executive physical protection.”

Moving Forward

To navigate this new paradigm, corporations must adopt a layered approach to security, including taking a hard look at virtual and threat reduction, which we explore in more detail below:

  1. Digital Hygiene: Encourage executives to minimize their online presence by removing personal information, such as home addresses and details about family members. This also includes reviewing social media activity to limit exposure.
  2. Proactive Threat Monitoring: Leverage advanced threat intelligence tools to identify and mitigate risks before they materialize. This includes monitoring the dark web for leaked information and analyzing online chatter for potential threats.
  3. Integrated Digital and Physical Security Protocols: These protocols combine physical security measures, such as guards and secure transport, with cybersecurity defenses to address both physical and digital vulnerabilities.
  4. Crisis Preparedness: Conduct regular training and drills to prepare executives and their families for various scenarios, including attempted breaches or threats during public appearances.
  5. Inclusive Security Strategies: Extend protection beyond the CEO to include other senior leaders and board members, recognizing that attackers may target less apparent individuals.

Responding Faster to Threats with a Proactive Approach

Organizations must also adopt cutting-edge solutions to address the evolving threat landscape. Constella Hunter+ is a digital risk protection platform that safeguards executives and VIPs against external digital threats. By continuously monitoring their digital footprints across the surface, deep, and dark web, as well as social media, Constella Hunter+ accelerates the ability to respond to threats targeting executives and their families.

Key Features:

  • Continuous Monitoring: Automatically scans for external threats across 53 languages and 125 countries, finding risks such as compromised credentials, exposed identities, and impersonations.
  • Proactive Alerts: This service delivers real-time notifications for risks like network breaches, account takeovers, and exposed identities.
  • Comprehensive Awareness: Offers a single-pane-of-glass view of risks across social media, deep and dark web forums, exposed identity data through breaches, data brokers, and surface web assets. 
  • Customizable Threat Models: These enable tailored alerts that align with internal policies and industry-specific requirements.
  • Operationalized Protection: Integrates with provisioning systems and response workflows, speeding up threat mitigation and enhancing SOC efficiency.

A Call to Action

With its unmatched visibility into external digital footprints and the industry’s most extensive collection of curated identity records, Constella Hunter+ empowers organizations to:

  • Mitigate risks effectively before damage occurs.
  • Enhance the effectiveness of security teams through automated monitoring.

Protect executives and their families from both cyber and physical threats.

It is hypercritical that organizations shift the paradigm around the protection of their most valuable assets.  Understanding your executive’s digital footprint and understanding cyber threats is critical before they become a physical threat. Organizations must begin to adopt a proactive and forward-thinking approach to addressing emerging threats against their executives. Boards and leadership teams must prioritize security as a core component of their governance responsibilities, including appropriating adequate resources (budgets) and fostering a culture of vigilance and preparedness, not just reactionary! Ensuring leaders’ safety and strengthening resilience in the face of emerging threats should remain a key priority and a critical layer in an organization’s overall security strategy.

The Evolving Threat of Cookie Session Hijacking: How Infostealers Enable Advanced Cyberattacks

Alberto Casares on December 9, 2024

Cyberattacks are becoming increasingly sophisticated, with cookie session hijacking emerging as a significant threat. This technique allows attackers to bypass even advanced security measures like multi-factor authentication (MFA), enabling unauthorized access to critical systems and user accounts. Infostealers, a category of malware designed to harvest sensitive information, have become a primary tool for conducting these attacks. This blog explores how infostealers facilitate cookie session hijacking, its implications for organizations, and how businesses can defend against this evolving threat

How Cookie Session Hijacking Works

Cookie session hijacking is a process in which attackers steal and reuse session cookies to impersonate authenticated users. Here’s how the attack typically unfolds:

  1. Initial Infection:
    1. Attackers use infostealers, phishing emails, or other malicious techniques to compromise a user’s device.
    1. Infostealers like RedLine, Racoon, Vidar, Meta, and Lumma are commonly deployed to harvest session cookies from compromised devices.
  2. Cookie Extraction:
    1. Once the device is infected, the infostealer accesses the browser’s database to extract session cookies.
    1. These cookies are stored locally on the system, typically in locations like %localappdata%\Google\Chrome\User Data\Default\Cookies.
    1. Advanced tools like Mimikatz can decrypt protected cookies.
  3. Session Hijacking:
    1. Stolen cookies are imported into the attacker’s browser using tools like “Cookie Quick Manager” (Firefox) or “cookies.txt importer” (Chromium-based browsers).
    1. The attacker now gains access to authenticated user sessions without needing credentials or MFA tokens.
  • Exploitation:
    • Attackers leverage hijacked sessions to gain unauthorized access to critical systems, such as cloud administration consoles, collaboration platforms, and web-based email services.
  • This access can facilitate further attacks, including data exfiltration, lateral movement within networks, or ransomware deployment.

Real-World Vulnerabilities Exploited Through Cookie Session Hijacking

Cookie session hijacking poses significant risks across most of the platforms and industries, so it is not limited to niche applications. We have tested and discovered vulnerabilities in many commonly used services:

  • Email Services (including corporate emails)
    • Web-based email services are one of the most critical assets attackers seek to compromise. By hijacking session cookies, threat actors can bypass traditional authentication, gaining access to email accounts without needing the user’s password or two-factor authentication codes. This access level allows attackers to monitor and even exfiltrate sensitive data, conduct spear-phishing campaigns, reset passwords for other linked services, or impersonate the victim in business correspondence. The repercussions are severe, ranging from data breaches to financial fraud, as attackers use compromised email accounts to pivot and gain access to more valuable assets.
  • Collaboration and Productivity Tools
    • With the rise of remote work, collaboration platforms like Slack, Microsoft Teams, and Google Workspace have become indispensable. Unfortunately, these tools are also vulnerable to cookie hijacking. Attackers who gain access to these sessions can infiltrate internal company communications, steal sensitive documents, and even disrupt workflows. This not only compromises the integrity and confidentiality of internal discussions but can also provide attackers with insights into project timelines, corporate strategies, and employee details, setting the stage for further attacks, such as ransomware or insider threats.
  • Cloud Administration Consoles
    • Perhaps the most concerning are attacks targeting cloud administration consoles. These consoles provide deep access to a company’s digital infrastructure. Hijacked sessions here allow attackers to potentially manipulate cloud resources, disrupt services, or even delete critical infrastructure. The potential damage ranges from service outages to complete data loss, making cloud environments a prime target for sophisticated threat actors.
  • AI Tools like ChatGPT
    • AI tools, such as ChatGPT, have also become targets for cookie session hijacking. Attackers who hijack sessions of AI tools can impersonate users and access sensitive conversations, which may include proprietary or confidential information.
  • Social Media and Messaging Platforms
    • Many popular social media and messaging platforms are particularly vulnerable to cookie-based session hijacking. These platforms often allow users to replicate sessions across devices without requiring additional validation. This convenient feature, intended for user experience, becomes a weak point for security. Attackers who gain access to session cookies can use them to impersonate victims, gaining full access to their accounts, including private messages and sensitive interactions. This form of unauthorized access can lead to identity theft, social engineering attacks, or even brand impersonation to deceive contacts.

Implications for Organizations

Once attackers successfully hijack a session, they often move quickly to exploit the compromised account. For individuals, this can mean loss of privacy, unauthorized purchases, or fraudulent messages sent to contacts. For companies, the impact can be far more devastating:

  • Corporate Espionage: Access to internal communication tools can reveal sensitive business strategies and negotiations.
  • Financial Fraud: Compromised email or cloud accounts can lead to unauthorized transactions or blackmail.
  • Supply Chain Attacks: Attackers can use hijacked sessions to impersonate company employees and target partners or suppliers, leading to a broader compromise of the supply chain.
  • Data Exfiltration: Threat actors can use hijacked accounts to extract sensitive information, which is then sold or used for further attacks.

Conclusion: The Role of Constella.ai in Combating Cookie Session Hijacking

Constella.ai offers an integrated cybersecurity solution that enables organizations to detect and mitigate threats posed by cookie session hijacking. By continuously monitoring for compromised credentials and session cookies, Constella.ai ensures early detection of vulnerabilities, preventing attackers from bypassing MFA or hijacking user sessions. Advanced attack surface mapping and real-time alerts empower organizations to address risks proactively, safeguarding critical systems and sensitive data.

As cyber threats evolve, the ability to detect and neutralize cookie session hijacking will be a cornerstone of organizational security. By implementing robust defenses and leveraging tools like Constella.ai, businesses can stay ahead of attackers, protecting both their operations and their reputation in an increasingly hostile digital landscape.

The Persistent Threat of Ransomware and How Businesses Can Protect Themselves

Alberto Casares on November 21, 2024

Introduction: Ransomware Landscape for Businesses

In recent years, ransomware has become one of the most pervasive cybersecurity threats, inflicting substantial losses on businesses globally. With an increasing number of organizations, from manufacturing to healthcare, falling victim to cyber extortion schemes, attackers are evolving their strategies to maximize impact. Notably, many of these attacks leverage infostealers—a type of malware designed to covertly harvest sensitive information, which is later used to facilitate ransomware operations. This blog delves into recent trends in ransomware, examining how cybercriminals exploit stolen data and the potential costs for organizations that become ensnared in these schemes.

Constella’s Analysis on Recent Ransomware and Data Exposures

Overview of Breaches and Infostealers

Ransomware attacks have escalated across various high-value industries, exploiting their unique vulnerabilities:

  • Manufacturing:
    • Among the most affected sectors due to its reliance on complex data flows and interdependent supply chains.
    • Disruptions in this industry can lead to cascading operational failures across global supply networks.
  • Healthcare:
    • A prime target for its critical systems containing life-saving information and sensitive patient data.
    • Ransomware in this sector poses heightened risks, as providers are often forced to pay ransoms to restore services promptly.
  • Technology:
    • Targeted for its valuable intellectual property and business-critical information.
    • Breaches can disrupt innovation, compromise trade secrets, and damage competitive advantages, as well as compromise access to key security tools relied upon by other companies, amplifying the ripple effect of such attacks.
  • Retail and Finance:
    • Cybercriminals exploit these sectors for their vast repositories of consumer data and financial assets.
    • Stolen data is often sold on the dark web or used for fraud and identity theft.

Ransomware incidents have a global footprint, with certain countries and regions experiencing elevated risks:

  • United States:
    • The most affected country, facing frequent ransomware incidents across critical infrastructure, financial institutions, and healthcare systems.
    • Extensive digital connectivity and high concentrations of essential services make the U.S. an attractive target for cybercriminals.
    • Disruptions not only impact economic stability but also compromise key security platforms, potentially weakening defenses across industries.
  • India:
    • Rapidly expanding digital infrastructure creates multiple vulnerabilities, offering attackers numerous points of entry.
    • Growth in technology and finance sectors increases exposure to ransomware threats.
  • Canada, United Kingdom, and Australia:
    • These countries share similar dependencies on digital infrastructure as the U.S., making them attractive targets for cybercriminals.
    • Critical industries and public services in these nations are frequently disrupted by ransomware attacks, with increasing concerns about attackers exploiting security software providers.
  • Germany:
    • A significant manufacturing hub, Germany’s strong industrial sector makes it particularly susceptible to supply chain disruptions caused by ransomware.
    • Breaches in Germany’s tech-driven industries could compromise tools essential for securing other companies, magnifying the impact of an attack.

The analysis further indicates that breaches involving stolen credentials—many gathered through infostealers—affect more than 86% of recently compromised companies. Specifically, 34.6% of breached organizations reported exposure to infostealer infections, illustrating how attackers infiltrate networks via seemingly legitimate entry points. This data underscores the necessity for robust cybersecurity measures to counteract these sophisticated threats.

How Infostealers Facilitate Ransomware Deployment Within Organizations

Infostealers play a pivotal role in ransomware operations, acting as the silent enablers that pave the way for attackers to infiltrate and compromise organizations. By harvesting credentials and other sensitive information, infostealers provide the initial access points necessary for deploying ransomware.

Infostealers frequently collect session cookies, allowing attackers to bypass authentication mechanisms entirely. This facilitates a rapid ransomware deployment process by giving attackers immediate access to critical systems without triggering security alerts.

On the other hand, infostealers extract credentials for VPNs, remote desktops, email accounts, and administrative tools. These credentials are often used to bypass security measures, such as firewalls and multi-factor authentication, granting attackers unrestricted access to an organization’s internal systems. Once inside, they can escalate privileges and move laterally across the network to identify valuable data and critical systems.

Below are real-world examples that highlight how infostealers are weaponized to infiltrate various organizational systems:

  • VPN Access:
    Compromised VPN credentials can grant hackers a secure entry point into a company’s internal network. A notable example is the $22 million Change Healthcare ransomware incident, where attackers leveraged stolen VPN credentials to infiltrate the network, escalate privileges, and exfiltrate sensitive data before executing the ransomware.
  • Corporate Webmail:
    Hackers exploit stolen email credentials to extract confidential information from employee mailboxes. A high-profile case involved the Argentine police, where hackers obtained over 12,000 police contact details using compromised webmail access.
  • Collaboration Tools:
    Platforms like GitHub, Confluence, and Slack house critical company data. The EA Sports breach, which resulted in the theft of 780 GB of source code, exemplifies the risks associated with infostealer-compromised collaboration accounts.
  • Cloud Services:
    As businesses increasingly rely on cloud platforms, credentials for AWS, GCP, and Azure have become prime targets. A large-scale breach involving Snowflake impacted 165 organizations, including major firms such as AT&T, affecting millions of end users worldwide.

Economic Impact and Costs of Ransomware Attacks

The financial toll of ransomware extends beyond ransom payments, impacting business operations, customer trust, and regulatory compliance. In the case of Change Healthcare, the breach’s overall cost reached an estimated $22 million. Globally, ransomware has already cost organizations billions, with damages encompassing lost productivity, legal fees, and system recovery expenses. The threat is also reputational, as customers and stakeholders scrutinize data protection efforts following a breach.

How Constella Helps Companies Protect and Prevent Attacks

Infostealers are increasingly being used as a precursor to ransomware attacks, making early detection and mitigation critical to organizational security. Constella’s comprehensive approach ensures that any compromised credentials from infostealer infections, including compromised session cookies, are detected and alerted before they can be leveraged by attackers. By identifying these threats early, Constella.ai helps prevent credential abuse and cookie session hijacking attacks, which are commonly used to bypass authentication and escalate ransomware operations.

By combining advanced monitoring, real-time alerts, and proactive defense measures, Constella empowers organizations to protect their networks, data, and reputation from the dual threats of infostealers and ransomware, ensuring a robust line of defense against these evolving cyber threats.

NIST Updated Standards for a Secure Password

Keon Ramezani on November 10, 2024

Your internet account passwords are probably among the most guarded pieces of information you retain in your brain. With everything that has recently migrated to the digital realm, a secure password functions as the deadbolt to your private data.. Hackers understand how valuable this personal data is, and so Account Takeover Attacks—where malicious actors gain unauthorized access to your accounts—remain the most common cyber-attack vector.

Internet users’ passwords are frequently exposed in bulk via password combo lists, which are sets of credentials harvested from data breaches, and this has taught us the importance of using a unique password for every service we sign up for. This prevents a hacker from using your email address and one of your known (exposed) passwords—say, for website A—and checking to see if it successfully logs in to website B, C, D, etc., until they find that it works on website E.

With that said, even if all of your passwords are unique, if they are often not complex enough or of adequate length, hackers can often succeed in guessing your current passwords by using permutations of your previously exposed passwords, known information about you, or even checking against a list of commonly used passwords.

How Do We Know What Constitutes A Secure Password?

The National Institute of Standards and Technology (NIST) is an organization that helps us with this. NIST researchers create drafts for things like password requirements, publish them for a community of experts to submit their comments, and compile a published standard. Therefore, whenever you’re asked to create or reset a password and are given a set of requirements the password must meet, these are based on standards most likely set forth by NIST. It’s important for any organization that manages users’ passwords to stay up to date with NIST requirements for passwords.

One example of an existing NIST password standard is checking for exposed passwords against previous data breaches. For several years now, NIST publication 800-63B has included the need to check with previously exposed passwords in data breaches. “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to, passwords obtained from previous breach corpuses.” This helps ensure that users are no making their accounts more vulnerable by using a known-exposed password.

NIST recently published a new draft standard for passwords, adding new recommendations to make passwords even stronger; below are the suggested changes and why they’re important:

  1. Require passwords to be a minimum of 8 characters, with a recommended minimum length of 15 characters.
    1. Why this is important: The longer your password is, the harder it is to guess your password. Even when trying to guess your password via brute force, long passwords require significant computing time, even for advanced computers, to guess correctly.
  2. Allow passwords to be up to 64 characters long.
    1. Why this is important: Again, longer passwords are more secure. Allowing users up to 64 characters creates even more secure passwords.
  3. Accept all printing ASCII [RFC20] characters and the space character in passwords.
    1. ASCII characters represent the rudimentary western characters used in typing—there are 95 printing characters in the ASCII set.
    1. Why this is important: Allowing all printing ASCII characters is like having more colors to paint with. Consider being asked to create a 4-digit password using only numerals. We know there are only 10,000 possible combinations since there are only 10 numerals, zero through nine, and a series of four of them means we have a possible 10 raised to the 4th power combinations. Now, consider a 4-character password that allowed all 95 ASCII printing characters; that’s 95 raised to the power of 4, or 81,450,625 possible combinations. That creates a much more secure password because it is exponentially more difficult to guess.
  4. Accept Unicode [ISO/ISC 10646] characters in passwords, with each Unicode point counting as a single character towards password length.
    1. Unicode is an international standard for written characters and emojis, covering 168 modern and historical scripts and symbol sets, encompassing a total of 155,063 total characters.
    1. Why this is important: This expands on the benefit of allowing all ASCII characters, but with exponentially larger results. If we repeat our thought experiment of creating a 4-character password, but each character can be one of 155,063 possibilities, we wind up with 578,139,610,000,000,000,000 possible combinations—and that’s with a 4-character password, which is only half the minimum required password length.
  5. Stop requiring arbitrary password complexity, like forcing the use of special characters or a mixture of numbers, letters, and symbols.
    1. Why this is important: It may seem counterintuitive, but research shows that this is a beneficial change. The option to use special characters is excellent for those who want an additional layer of security; however, longer passwords are more effective than short and complex passwords and are typically easier to remember too.
    1. This XKCD comic does a great job of explaining this concept: https://xkcd.com/936/
  6. Stop requiring periodic password resets on specified intervals unless there is evidence of password compromise.
    1. Why this is important: Have you ever logged in to your computer at work, only to be forced to change your password because 90 days had elapsed since you had last changed your password? This can be extraordinarily frustrating, as you may have a perfectly good password that you can actually remember, but now are forced to change it. In theory, this may sound like a good idea, but when you apply human behavior to the mix, you’re more likely to compel the user to create a weaker password. Consider that you know you’ll be required to change your password every so often—it’s only natural to select a password that fits into a sequence or follows a pattern, because of course that’s easier to remember. But a sequence of passwords that follow a pattern aren’t much more secure than the first password in the sequence.

But should there be an indication of a problem—it’s not a bad idea to compel password changes. For example, if your password is found exposed on the dark web, this is an excellent time to change it. Or if your organization suffers a security incident where it’s believed users’ passwords may have been compromised, this is a great time to change your password. But absent any evidence of such problems, it may be best to let users keep their passwords the same.

  • Stop allowing users to save password hints.
    • Why this is important: Password hints can be helpful to both the account owner and a hacker trying to gain access to the account. Getting rid of password hints makes it that much more difficult to get into your account.
  • Stop requiring users to answer security questions to reset forgotten passwords.
    • Using security questions (i.e., What was your favorite teacher’s name?) to authenticate the user’s identity presents another weak point—as a hacker may be able to guess your answers to security questions. In the event of a forgotten password, it’s best to verify the user’s identity through other methods before allowing them to reset their password.
  • Verify the entire password, not a truncated/substring of the password.
    • Why this is important: This guideline is for what NIST calls “verifiers,” or the entity that verifies you’ve entered the correct password (i.e., the site you’re logging in to). Unfortunately, it is somewhat commonplace to truncate the entered password, usually due to technical limitations. For example, if an app is only designed to store eight-character passwords, but allows users to create longer passwords, it might only consider the first eight characters of the password when authenticating the user. Clearly, this undermines password minimum length, and therefore NIST recommends that the entire password is considered.

Even with these modernized guidelines for optimal password security, the unfortunate reality remains that passwords are exposed on the dark web by malware known as info stealers, and hackers work to find ways to guess and crack passwords. This is where Constella Intelligence comes in—with the largest data lake of exposed passwords and PII; you can leverage Constella’s data to determine if you or your users have a compromised password or any vulnerabilities hackers can exploit to gain unauthorized access to your accounts. Contact us today for a demo.

Potential Cybersecurity Threats to the 2024 U.S. Election: Voter Database Leaks

Laura Bruck on November 5, 2024

As the 2024 U.S. presidential election takes place, cybersecurity analysts are on high alert, warning of voter database leaks. They are warning of an increasingly complex landscape that could jeopardize voter data security and election integrity due to voter database leaks. The face-off between Kamala Harris and Donald Trump has intensified the focus on ensuring that electoral systems remain secure and resilient against potential cyberattacks.

It is crucial to protect against breaches, leaks, and disinformation campaigns that could influence public trust and democratic outcomes. Drawing insights from Constella Intelligence, this analysis examines the specific risks and incidents shaping the current election season.

U.S. Voter Data Leaks: A Persistent Threat

The United States has become a major target for voter data leaks, experiencing significant breaches that expose a wide range of personal information. Moreover, voter data from these breaches is being actively traded on deep and dark web forums, posing an ongoing risk to voter privacy and security.

Constella Intelligence’s findings show that U.S. voter data leaks account for approximately 78% of all voter data circulating on the dark web, underscoring the nation’s unique vulnerabilities stemming from its decentralized electoral system and vast voter data infrastructure. In the U.S. alone, 23 states have suffered data breaches, impacting regions nationwide and exposing significant weaknesses in the protection of sensitive voter information.

Key examples include Florida, Texas, Michigan, and Wisconsin. Given that there are 50 states in the United States, this means that approximately 46% of states have been affected by voter data breaches, reflecting the widespread and systemic nature of these vulnerabilities.

Notable incidents since 2020 illustrate the scope of these breaches:

  • Oklahoma: As shown in the previous image, a dark web forum post offered the 2024 Oklahoma voter list, including absentee voters, with instructions for accessing sensitive information for political purposes.
  • Florida: Multiple significant leaks have affected Florida, including incidents in April 2020 and March 2022. These repeated exposures highlight the challenges in securing voter information in large states with complex voter registration systems and higher volumes of data, which increase their vulnerability to breaches.
  • Wisconsin: A 2020 data leak compromised millions of voters, including such personal information as emails, names, phone numbers, and full addresses, showing how even isolated breaches can undermine public trust and voter security.
  • Other States: States like Oklahoma, North Carolina, Pennsylvania, Michigan, Delaware, Texas, and Alaska have also reported leaks, some of which date back as far as 2013. These incidents highlight the systemic difficulties in securing voter data across state lines.

Of the 23 affected states, voter data breaches have impacted both Democratic and Republican strongholds, as well as crucial swing states, highlighting the widespread nature of the threat regardless of political affiliation or regional importance.

  • Approximately 45% of Democratic-leaning states and 50% of Republican-leaning states have experienced data breaches.
  • Key swing states (5%) such as Florida, Georgia, or Pennsylvania have also been impacted. Swing states are particularly important because they often decide the overall outcome of elections, making any breach in these regions potentially more impactful.

This broad geographic spread means that voters from both parties, along with undecided voters, could be affected, potentially impacting voter turnout and election trust.

Emerging Cyber Threats and Manipulation Risks in the 2024 Election

In addition to voter data leaks, other cybersecurity threats could impact the 2024 U.S. election, such as disinformation campaigns, targeted voter suppression, and foreign interference. Constella Intelligence has identified several notable cases:

  • Campaign-Related Data Breaches (2024): A potential breach linked to Donald Trump’s campaign emails, allegedly involving foreign entities, exposed sensitive data. This underscores the risks posed by foreign influence operations.
  • National Public Data Leak (2024): A 2024 incident exposed million records, including sensitive information of million U.S. voters, highlighting ongoing vulnerabilities in protecting voter data.
  • RNC Leak (2017): This breach affected millions of voters, exposing personal details like birth dates and political affiliations. The data was used in predictive models, suggesting a risk of similar information being exploited to manipulate voter perceptions in the 2024 race.

These breaches illustrate the persistent risks of data misuse, identity theft, and election manipulation, each capable of eroding public trust in the democratic process.

Global Perspective: Voter Data Leaks Beyond the United States

Although U.S. voter data leaks are the most prevalent, other nations have also experienced significant breaches, especially during election cycles. Notable examples include:

  • Mexico: High-profile breaches occurred in 2017 and 2021, including targeted attacks on political organizations like the Partido Acción Nacional (PAN).
  • Israel: The 2020 elections saw a significant voter data breach, illustrating vulnerabilities even in nations with advanced cybersecurity frameworks.
  • The Philippines and India: The Philippines experienced a leak in 2016, and India faced a breach in 2024, demonstrating that populous democracies remain attractive targets for cybercriminals.
  • Other Nations: Countries like Iraq, Honduras, and Ukraine have also reported voter data breaches, underscoring the global nature of these threats.

Impact and Risks: Manipulating Election Outcomes Through Exposed Voter Databases

Beyond data leaks, the risks extend to manipulation tactics that leverage this exposed information. When voter databases are exposed, the personal and political information they contain can be weaponized to manipulate election outcomes in various ways:

  1. Targeted Disinformation: Threat actors can use leaked data to send misleading messages, such as false voting locations or procedures, potentially causing voters to miss their opportunity to vote.
  2. Voter Suppression Tactics: Leaked data allows cyber actors to discourage specific voters from participating by sending intimidating or misleading messages.
  3. Identity Manipulation for Fraudulent Voting: Using personal details from leaked databases, malicious actors could impersonate registered voters to submit fraudulent ballots or alter voter rolls, causing confusion at polling stations.
  4. Amplifying Polarization: By leveraging insights into voter preferences, cyber actors can create messages that heighten political divisions, influencing voters through emotional manipulation rather than factual discourse.

These tactics threaten not only individual privacy but also the integrity of the election process. When personal information is exposed, it can be used to manipulate voters, distort their perceptions, and ultimately undermine the fairness of the election. This direct impact on voter behavior erodes confidence in democratic institutions and the legitimacy of the results.

Threat Narratives: Misinformation and Disinformation Linked to Voter Data Leaks

Disinformation narratives pose significant threats because they can manipulate public perceptions and erode trust in democratic institutions. Constella Intelligence has identified several such narratives that could shape public opinion on the Dark Web:

  • Electoral Fraud: We have uncovered several threads discussing how leaked voter data could be used to manipulate voter intentions. Some threat actors allege the presence of ‘fake election officials’ in Pennsylvania, the removal of mailboxes in Luzerne County, and reports of ‘a box full of ballots’ discovered in Dade County, Florida. Additionally, claims about the purging of ineligible voters in Oklahoma, including deceased individuals, coupled with a previous voter list leak in the state, raise concerns about potential manipulation of the electoral system. These posts reflect the growing polarization among citizens and contribute to speculation around voter manipulation. However, we have not conducted further investigation into these claims.
  • Political Corruption: False narratives also target political figures, especially Kamala Harris and the Obamas. Harris is accused of plagiarism in her criminal justice book and collaborating with foreign countries to spy on Trump.
  • Russian Disinformation Campaign: The U.S. intelligence community has reported that Russian actors could be actively spreading false information to undermine public confidence in the integrity of U.S. elections, especially in key swing states. This includes creating fake videos and articles suggesting election fraud, ballot stuffing, and cyber attacks in places like Arizona, targeting specific candidates such as Kamala Harris.
  • Deep State: The idea of a ‘deep state’ aiming to control the country and silence opposition is frequently repeated. Steve Bannon, for example, is portrayed as a ‘political prisoner.’ Claims also suggest that this ‘deep state’ controls the media and censors information that could expose its actions.
  • QAnon Conspiracy Theories: Some narratives align with QAnon conspiracy theories, such as mentions of ‘Agenda 47’ and references to Q. These theories, which speak of a satanic cabal controlling the world, are popular among some right-wing groups in the U.S. and often intersect with narratives about electoral fraud and political corruption.

These narratives significantly threaten democratic stability by promoting misinformation, eroding public trust, and influencing voter behavior. Data from voter databases could further be used to create targeted misinformation campaigns, aimed at voters who are already inclined to believe these narratives, thus deepening their impact on democratic processes.

Recommendations for Securing Voter Data and Upholding Electoral Integrity

In response to the rise in voter database breaches, Constella Intelligence recommends proactive measures for citizens to safeguard their data:

  1. Understand Your Digital Footprint: Stay informed about the personal information that is publicly accessible, including voter data and details from breaches like the NPD leak. By being aware of what information is exposed, you can take steps to protect yourself from threat actors who may attempt to exploit this data, especially during sensitive periods like Election Day.
  • Enable Two-Factor Authentication (2FA): Strengthen account security by using 2FA, which makes unauthorized access more difficult.
  • Be Mindful of Social Media Posts: Exercise caution with what you share or read on social media, as AI tools now make it easier than ever to create convincing fake content. Threat actors can exploit personal information or posts to manipulate narratives, spread disinformation, or target individuals during critical times like Election Day.
  • Be Cautious of Phishing Attempts: On Election Day, be especially wary of unsolicited messages claiming to provide election updates or voter information. Avoid clicking on links or downloading attachments, as scammers frequently use these tactics to steal personal data or spread disinformation during critical events like elections.

Stay vigilant against potential threats, from voter data breaches to disinformation, and take steps to protect your personal information. As you head to the polls, remember the importance of safeguarding our democratic process. Enjoy your Election Day, and best wishes to you all, America!

The Future of Identity Protection: Real-Time Threats and Scams

Alberto Casares on November 5, 2024

In today’s digital landscape, protecting your identity from real-time threats is more critical than ever. As a cybersecurity expert, I’ve seen an evolving spectrum of threats that go far beyond traditional identity theft. From classic dark web doxing to the advent of fullz—full identity kits sold for a few dollars—threat actors are leveraging these methods for a new breed of real-time scams, amplified by cutting-edge technology.

Recently, a project by Anh Phu Nguyen  and Caine Ardayfio demonstrated the capability to integrate facial recognition technology with Meta’s smart glasses, allowing instant identification of strangers. This development marks a significant leap from the traditional static forms of identity theft into real-time exploitation, where personal information is weaponized in the moment.

Classic Doxing and Fullz on the Dark Web

For decades, doxing and the sale of fullz (complete identity kits) have been staple methods of cybercriminals on the dark web. Doxing involves collecting and publicizing personal information such as home addresses, phone numbers, and social media profiles, often with the intent to embarrass, harass, or intimidate. OSINT tools (Open-Source Intelligence) allow attackers to scrape social media profiles, public databases, and breached datasets to compile detailed profiles on their victims. Once exposed, this data is used for targeted harassment or extortion.

Meanwhile, fullz provide a more comprehensive set of personal details, typically including social security numbers, financial data, and other sensitive information that can be exploited for identity theft. The sale of fullz on dark web marketplaces has enabled identity theft and financial fraud on a massive scale. For a relatively small fee, threat actors can purchase a victim’s entire identity, making it easy to perform account takeovers, create fake profiles, or apply for credit in the victim’s name.

In the past, these methods were effective but static. Attackers could steal and use personal data long after it was exposed. Today, however, advancements in technology have transformed these identity theft techniques into dynamic, real-time threats.

Real-Time Identity Exploitation: The New Era of Scams

The rise of facial recognition technology combined with wearable devices, like Meta’s smart glasses, introduces a new dimension to identity theft. By pairing this real-time data collection with pre-existing fullz or other doxing techniques, threat actors can instantly exploit an individual’s identity on the fly.

real-time threats

In this I-XRAY demonstration, Meta’s smart glasses were modified to scan faces in public, instantly cross-referencing them with public social media data and possibly with compromised identity information. Imagine walking down the street, unaware that someone can identify you, access your data, and target you with personalized scams—all in real time. This shift turns identity theft into a real-time, hyper-targeted activity.

Here’s how this modern version of doxing and scamming might unfold:

  • Real-time recognition: A malicious actor equipped with facial recognition on smart glasses could walk through crowded public spaces and instantly identify individuals based on a match with their leaked photos from social media or other sources. This is no longer hypothetical; the proof-of-concept has already been demonstrated.
  • Instant exploitation: Once an individual is identified, scammers could access their leaked fullz from the dark web, providing them with a detailed set of personal information. They could then approach the target in real-time, pretending to know them, creating a social engineering scenario where the victim believes the scammer is a legitimate acquaintance or authority figure.
  • On-the-spot phishing: Imagine being approached by someone who knows your full name, email, address, and the last few digits of your social security number. When they ask you to verify some information the victim could easily fall into the trap of handing over even more sensitive information—like bank account details—without realizing they’ve been scammed until it’s too late.

The Role of AI in Amplifying Real-Time Threats

AI plays an integral role in the future of identity scams. It allows for the rapid analysis and deployment of identity data, enabling new, sophisticated scams that were previously unimaginable. Here are several ways AI can enhance these real-time threats:

  • AI-Powered Deepfakes: Threat actors can combine AI-generated deepfakes with real-time data to impersonate individuals in both video and audio formats. By using AI to craft believable but fake messages or phone calls, scammers can extort or deceive people more convincingly than ever before.
  • Automated Identity Theft at Scale: AI tools can automate the collection and correlation of personal data across multiple sources—social media, leaked data, and public records—faster than any human could. This allows threat actors to assemble profiles on victims quickly, accelerating identity fraud.
  • Behavioral Analysis and Predictive Attacks: AI can analyze online behaviors to predict the types of scams most likely to succeed on a given target. For example, someone frequently searching for job opportunities could be targeted with a fake job offer, exploiting the victim’s immediate needs.

Insights from Experts: Combating Modern Threats

As highlighted previously, cybersecurity in the age of AI and real-time technologies requires an updated approach. The reliance on static data protection strategies, such as password managers or even two-factor authentication, is no longer sufficient. We need to implement dynamic identity monitoring, where AI-driven systems track unusual behavior related to your digital presence in real-time.

How Constella is Protecting Your Identity

At Constella, we are dedicated to staying ahead of evolving threats by leveraging cutting-edge AI technologies and continuous monitoring to provide comprehensive identity protection. Our unique approach not only covers traditional dark web monitoring but also focuses on a broader range of sources across the surface web, ensuring a proactive stance against emerging scams and data leaks. Here’s how we’re tackling the future of identity theft:

  1. Real-Time Identity Alerts: Our system is designed to provide real-time alerts when personal information is exposed across both the surface web, data brokers, and the dark web. Unlike traditional solutions that focus solely on the dark web, Constella offers a multi-source approach. This comprehensive coverage allows us to detect threats before they escalate, offering early warnings on a broader scale than any single-source monitoring service.
  • Advanced Dark Web Monitoring: We continuously scan the dark web to detect any exposure of your personal information, whether it has been compromised by infostealers or exposed through data breaches. Our unique approach involves not just scraping the dark web but correlating this data with surface web activities, giving you a more holistic view of your identity exposure. This enables a faster response to potential threats before they result in fraud or exploitation.
  • AI-Driven ScamGPT: Leveraging our proprietary AI technology, ScamGPT simulates potential scams that you may be targeted by using your own exposed personal information. This proactive approach allows us to train you before threat actors attempt a real attack, helping you recognize and avoid personalized phishing schemes, social engineering attempts, and other forms of exploitation. By generating potential scam scenarios based on your specific data profile, we ensure you are better prepared for what’s coming, long before the attackers strike.
  • Surface of Attack Mapping: Constella’s unique AI technology creates a detailed view of your real surface of attack, analyzing how your compromised information could be used against you. Using algorithms developed in collaboration with law enforcement agencies (LEAs), we connect the dots in the same way threat actors do, identifying all possible avenues they could exploit to target you. This approach allows you to see your vulnerabilities from the perspective of an attacker, enabling you to take targeted actions to secure those areas before they become active threats.

By integrating these advanced tools and methodologies, Constella provides a comprehensive identity protection solution designed to stay one step ahead of modern identity theft techniques. Our AI-driven insights ensure that you are equipped to defend against both current and future threats, safeguarding your personal information in an ever-changing cyber landscape.

Inside the Dark Web: How Threat Actors Are Selling Access to Corporate Networks

Alberto Casares on October 21, 2024

In recent weeks, underground forums on the dark web have continued to flourish as bustling marketplaces where cybercriminals sell unauthorized access to corporate networks. From VPN credentials to Remote Desktop Protocol (RDP) access, threat actors take advantage of compromised corporate environments, often leveraging data from recent breaches or stolen via infostealers. This analysis highlights the trends observed in the last few weeks, shedding light on the types of actors involved, the most targeted countries and sectors, and the types of access being traded.

Selling Access to Corporate Networks Through Key Actors on Underground Forums

In just the last few weeks, over 250 distinct threat actors have been identified on underground forums, all involved in selling access to corporate networks. These actors can be divided into two major categories:

  • Individual cybercriminals – Typically specializing in phishing attacks or leveraging malware like infostealers, these individuals focus on lower-value or opportunistic attacks.
  • Organized cybercrime groups – These structured groups act as access brokers, offering extensive credential dumps and long-term, persistent access to corporate environments. Their capabilities are far more advanced, often involving sophisticated breaches and after-sale services to ensure buyers can maximize the value of the access.

Breakdown of Threat Actors:

  • 60% of the identified actors are individuals, concentrating on smaller, low-value targets, often selling low-risk access points.
  • The remaining 40% are part of coordinated cybercriminal groups, focusing on high-value targets with comprehensive access that often includes post-sale support like lateral movement within networks and privilege escalation.

These actors don’t just stop at initial access. A significant number of them provide additional services, such as helping buyers navigate through compromised corporate systems and avoid detection. The after-sale support offered by these groups often includes technical assistance to move laterally within the network and maintain persistent access, ensuring attackers can continue exploiting their entry points over time.

The data from just a few weeks offers a window into the vast and diverse ecosystem of cybercrime thriving on underground forums. This highlights the rapidly evolving nature of these threat actors and underscores the need for corporations to stay vigilant against an ever-growing array of cyber threats.

The persistent activity observed emphasizes the continuous development of more advanced methods to breach and exploit corporate environments, making it clear that cybersecurity must remain a top priority for organizations across all sectors.

Most Targeted Countries

Recent data from underground forums shows that threat actors are targeting companies and institutions across multiple continents, with a clear focus on high-value sectors like finance, technology, government, and energy. Here’s a summarized breakdown of the affected countries and continents:

North America

  • United States: Primarily targets in the financial and technology sectors.
  • Canada: Focus on financial and real estate sectors.
  • Mexico: Targets include government agencies and financial services.

Europe

  • Russia: Focus on energy and government sectors.
  • Poland: Targets in the manufacturing sector.
  • United Kingdom: Primarily financial services and wealth management.

Asia

  • Israel: Focus on finance and technology sectors.
  • Japan: Targets in educational and technology firms.
  • India: Significant focus on IT and outsourcing sectors.

South America

  • Brazil: Targets in the financial and government sectors.

Middle East

  • Iran: Focus on educational institutions.

Africa

  • South Africa: Limited but significant interest in the financial sector.

Recent Data Trends in Cybercriminal Targeting & Selling Access to Corporate Networks

The latest data from underground forums indicates a growing focus on three main sectors: finance, education, and real estate. These sectors are increasingly becoming targets for cybercriminals, primarily due to the wealth of sensitive information they hold and their operational importance.

Finance Sector

Access to financial services firms has become one of the most common offerings on underground forums. Financial institutions are especially vulnerable because they manage vast amounts of sensitive data, from customer information to transaction details. This data is not only valuable for direct financial gain but also for long-term exploitation, such as fraud and identity theft.

Threat actors are selling access to financial organizations, particularly banks and investment firms, that control billions in assets. These listings often include VPN and RDP access to corporate networks, allowing attackers to infiltrate the system and potentially deploy ransomware or steal sensitive data. Cybercriminal groups see this as a high-return opportunity, especially since financial institutions are often willing to pay ransoms to recover their operations quickly.

Education Sector

Educational institutions, particularly large universities with many employees and students, are becoming frequent victims of cyberattacks, especially ransomware. Schools and universities hold sensitive intellectual property, personal student data, and research information, making them attractive targets. Attackers frequently exploit this data by using stolen credentials obtained from phishing or malware campaigns. Once inside, they can lock down critical systems and demand a ransom, often crippling educational services and access to essential resources.

This rise in attacks on educational institutions aligns with the broader trend of ransomware-as-a-service (RaaS), where organized cybercriminal groups offer ransomware to affiliates, who then launch attacks and split the ransom payments. Educational institutions, especially those involved in cutting-edge research or government-sponsored projects, are prime targets for these sophisticated, high-impact ransomware campaigns.

Real Estate Sector

The real estate sector is another emerging target for cybercriminal groups, with listings for real estate firms becoming more common. These companies hold critical data on property ownership, transactions, and financial dealings, making them attractive to attackers seeking to steal valuable information or disrupt operations. The real estate industry also relies on secure networks to manage large transactions and sensitive communications, further making it a target for ransomware and data exfiltration.

Ransomware-as-a-Service (RaaS) Influence

Organized cybercriminal groups are increasingly using RaaS to monetize stolen data. This model allows cybercriminals to sell access or share ransomware tools with affiliates who conduct the attacks, splitting profits with the developers of the ransomware. The shift toward this model has lowered the barrier to entry for cybercriminals, allowing even low-skilled attackers to participate in high-impact attacks. Institutions in the finance, education, and real estate sectors are prime targets for RaaS-based attacks because of the high potential for extortion, intellectual property theft, and operational disruption.

Overall, the convergence of RaaS with sector-specific targeting demonstrates how organized cybercrime is evolving, with specialized groups focusing on high-value sectors that are more likely to pay ransoms or suffer significant disruptions from attacks.

Links to Public Breaches and Infostealers

Much of the data traded for corporate access originates from well-publicized breaches or is harvested via infostealers. These infostealers, like Vidar and Redline, are frequently used to siphon login credentials from compromised devices. These credentials are then sold in bulk on underground forums or offered as part of access packages.

One prominent example is the sale of credentials linked to a breach at a North American financial institution. The listing offered RDP access to the company’s network, likely obtained through a combination of phishing and infostealer malware. Similarly, credentials linked to healthcare organizations and university networks in the U.S. and Canada have been offered for sale, highlighting how infostealers play a critical role in these underground economies.

Types of Access Sold

The most commonly sold types of access on these forums include VPN credentials, RDP access, and increasingly, cloud platform access. VPN credentials allow buyers to gain access to secure corporate networks by bypassing firewalls, while RDP access grants full control over a target machine, allowing attackers to move laterally within the system and escalate privileges.

Cloud platform access is also becoming more prevalent as companies move critical infrastructure to cloud services like AWS and Azure. Listings advertising admin access to a company’s cloud infrastructure, such as AWS environments, have attracted interest, as cloud-based environments represent a significant attack surface for organizations.

The Importance of Comprehensive Corporate Protection

Many of the cyberattacks observed on underground forums are rooted in data obtained from data breaches or infostealers, highlighting the urgent need for organizations to expand their security focus beyond traditional corporate credentials. While many companies concentrate their defenses on securing credentials from corporate devices, cybercriminals do not discriminate between data obtained from corporate or personal devices. Their sole interest is in accessing valuable data from targeted or attractive companies.

For threat actors, it doesn’t matter if credentials were compromised on a work-issued laptop or a personal device; as long as the credentials grant access to sensitive corporate systems, they are of high value. This means that companies must protect all potential entry points—both professional and personal. Employees often use the same passwords across platforms or access corporate resources from personal devices, creating a significant vulnerability.

On the other hand, there is another important issue because many organizations continue to rely heavily on Multi-Factor Authentication (MFA) and VPN solutions as their primary security mechanisms. However, recent studies, such as those by Constella Intelligence, have demonstrated that these protections are no longer as foolproof as once believed. Infostealers—malware designed to harvest login credentials and other sensitive information—have proven effective at bypassing these security measures. Threat actors can use stolen data to circumvent both MFA and VPN mechanisms, rendering them ineffective against sophisticated attacks.

In particular, infostealers can capture session tokens, cookies, and authentication tokens that allow attackers to bypass MFA entirely. Even if a corporate system requires two-factor authentication, attackers can replay these tokens to gain unauthorized access. Likewise, VPN protections can be bypassed if attackers obtain the necessary credentials and tokens, allowing them to enter corporate networks as legitimate users without raising red flags.

This growing threat underscores that, while MFA and VPNs are important components of a security strategy, they can no longer be the sole lines of defense. Organizations need to adopt more advanced security measures that address the vulnerabilities exposed by credential-based attacks.

Escalation of Cyber Warfare in the Israel-Palestine Conflict: A Deep Dive into Recent Israeli Breaches

Alberto Casares on October 16, 2024

The geopolitical conflict between Israel and its adversaries has shifted into the digital sphere, where sophisticated cyberattacks have become a primary tool for targeting critical sectors. In recent months, cyberattacks have exposed Israeli defense data, diplomatic communications, and sensitive civilian information. Among the prominent players in this cyberwarfare is the Handala Group, a hacktivist entity leveraging advanced persistent threat (APT) tactics to disrupt Israeli operations. Other actors, such as EagleStrike and the Hunter Killer hacker group, further complicate Israel’s cybersecurity landscape.

This blog analyzes recent Israeli breaches, the types of data compromised, and the strategic implications of these attacks, offering insights into the evolving digital conflict.

Handala’s Cyber Campaign: Recent Breaches Targeting Israel

In the past few months, Handala has launched a series of attacks across various sectors in Israel, targeting critical infrastructure, government entities, and individual high-profile figures.

1. Doscast Hacked (October 10, 2024)

Handala targeted Doscast, a major audio platform for the ultra-Orthodox Jewish community. This attack disrupted the platform, which hosts a variety of commentators and conversationalists, exposing its vulnerabilities and impacting its wide user base. The symbolic nature of this hack underscores Handala’s ideological objectives, as Doscast is a prominent site within the religious community.

2. Ambassador of Israel in Germany Emails (October 8, 2024)

Handala compromised 50,000 emails from Ron Prosor, the Israeli Ambassador to Germany and former senior Mossad officer. The leaked emails expose sensitive diplomatic communications, potentially affecting Israel’s foreign relations. This breach also highlights Handala’s aggressive tactics, as they included personal threats against Prosor, claiming constant surveillance over his activities.

3. Max Shop Hacked (October 8, 2024)

The breach of Max Shop, a cloud-based terminal system used in over 9,000 stores, resulted in the theft of 1.5TB of data. The attack defaced store kiosks and sent threatening messages to 250,000 Israeli citizens. This attack directly impacted retail operations and exposed personal information, further heightening concerns over civilian data security.

4. Israeli Industrial Batteries (IIB) Leak (October 6, 2024)

Handala released 300GB of data from IIB (Israeli Industrial Batteries), a company involved in providing energy storage infrastructure to Israel’s military and defense sectors. The breach of IIB threatens the resilience of Israel’s defense logistics, particularly its energy-dependent military operations.

5. Shin Bet Hacked (October 3, 2024)

Handala successfully breached the Shin Bet’s security system, compromising their exclusive mobile security application used by officers. This attack poses a significant risk to Israel’s internal security, potentially exposing confidential communications, field agents, and counterterrorism operations.

6. Israeli Prime Minister Emails (October 2, 2024)

The group leaked 110,000 secret emails belonging to former Prime Minister Ehud Barak. Handala claims to have been surveilling Israel’s leadership for decades. This breach exposes sensitive government discussions, further undermining Israel’s internal political operations and national defense strategies.

7. Soreq Nuclear Research Center (September 28, 2024)

Handala targeted the Soreq Nuclear Research Center (NRC), a key nuclear research facility in Israel. The group claims to have stolen comprehensive data, including emails, infrastructure maps, personnel details, and administrative documents. This breach could severely compromise Israel’s nuclear capabilities and has far-reaching implications for national security.

8. Israeli Foreign Affairs Minister Emails (September 26, 2024)

Handala exposed 60,000 emails belonging to Gabi Ashkenazi, former Minister of Foreign Affairs and Chief of General Staff of the Israeli Armed Forces. The breach includes communications that could be used to disrupt Israel’s foreign policy initiatives, further eroding trust in the nation’s cybersecurity capabilities.

9. Benny Gantz Hacked (September 23-24, 2024)

Handala published 35,000 confidential emails and 2,000 private photos of Benny Gantz, the former Defense Minister. The group’s goal is not only to embarrass the official but to expose internal defense discussions. This breach is a significant escalation in the group’s attacks on individual high-profile figures, highlighting the personal risks involved for Israeli officials.

EagleStrike and the Hunter Killer Leak (September 2024)

On September 30, 2024, EagleStrike exposed a comprehensive data breach facilitated by the Hunter Killer group. The leak included critical Israeli state data, including:

  • Israel MFA Access: Over 370GB of data from the Ministry of Foreign Affairs was compromised, including remote desktop access (RDP) and SharePoint credentials. This breach threatens Israeli diplomatic operations and international communications.
  • Mossad Email Server Dump: 27,000 emails were leaked, revealing sensitive information from 2017 to 2023. This exposes Mossad’s covert operations and intelligence-gathering efforts, placing Israel’s security at significant risk.
  • Defense Contractors: Data from Rafael Advanced Defense Systems and Elbit Systems was also part of the breach. Intellectual property and defense technology information were exposed, severely impacting Israel’s defense development.
  • Military and SCADA Systems: Handala obtained access to 70 SCADA systems, which control critical infrastructure such as water and energy. The potential sabotage of these systems could lead to widespread service disruptions or worse, physical damage to key facilities.

Handala’s Extortion Tactics and Ransomware Campaigns

Handala is not only focused on cyber sabotage but also engages in ransomware and extortion, often targeting high-value industries. Notable ransomware campaigns include:

  • Healthcare Sector (February – June 2024): Handala targeted hospitals and healthcare organizations, demanding 8 BTC (~$569,252 USD) in ransom. This campaign involved the theft of patient records and financial data, crippling healthcare operations.
  • Defense and IT Sectors (March – May 2024): Handala launched coordinated attacks on Israel’s defense contractors and IT services. These breaches exposed proprietary technologies and military secrets, undermining Israel’s defense infrastructure.

Extortion Methods: Handala’s extortion model involves leaking data through Clearnet and TOR sites, alongside Telegram channels, if ransom demands are not met. These platforms enable Handala to continuously publicize their exploits and pressure victims.

Impacts on Israeli Citizens: Identity Theft and Civil Disruptions

While the breaches targeting government and military entities are alarming, Handala has increasingly targeted civilians, amplifying public concern over data security.

Max Shop Hack (October 2024)

This attack affected over 9,000 retail systems across Israel, leaking 1.5TB of personal and financial data from 250,000 Israeli citizens. Beyond the direct financial losses, victims are vulnerable to identity theft and phishing schemes. The hack demonstrates Handala’s capacity to disrupt civilian life and further erodes public trust in data security.

Identity Theft and Phishing Risks:

  • Financial Loss: Stolen identities can be used to open fraudulent bank accounts and apply for credit.
  • Phishing Campaigns: Detailed personal data enables highly targeted phishing attacks, further compromising individual security.
  • Long-term Privacy Concerns: Once personal data circulates on dark web markets, it remains accessible, prolonging the risk of exploitation.

Conclusion

Handala’s cyber campaigns against Israel mark a significant escalation in digital warfare. Their attacks on critical infrastructure, defense systems, and civilian sectors have exposed substantial vulnerabilities. These breaches not only undermine Israel’s national security and diplomatic standing but also pose severe risks to individual citizens through identity theft and financial fraud.

Israel must implement a multi-layered defense strategy that includes strengthening its cybersecurity infrastructure, enhancing public awareness, and fostering international cooperation. With adversaries like Handala continuing to innovate their tactics, robust defense measures are essential to safeguard the nation’s critical assets and its people.

How Cybercriminals Use Stolen Data to Target Companies — A Deep Dive into the Dark Web

Alberto Casares on October 6, 2024

The digital world has revolutionized the way we live and work, but it has also opened up a new realm for cybercriminals. The rise of the dark web has provided a breeding ground for hackers and other malicious actors to trade stolen data and launch attacks against companies worldwide. This blog post provides a summary of some of the trends observed over the past few days, highlighting how threat actors are using compromised data to exploit businesses, the sectors most impacted, and the dynamics of this underground market.

Cybercriminal’s Hidden Market for Stolen Data

Imagine an underground marketplace bustling with activity — vendors selling hacked streaming service accounts, buyers bidding on cloud storage credentials, and a community exchanging tips on how to bypass security features. This is the reality of the dark web, where forums like BreachForums act as virtual bazaars for compromised data.

Stolen information is incredibly valuable in this shadowy ecosystem. From streaming service logins to financial account credentials, threat actors peddle a variety of digital goods. But why is there such a demand? The answer lies in the sheer usability of this data — for unauthorized access, fraud, identity theft, or even blackmail.

Which Sectors Are Being Targeted the Most?

Recent activity on underground forums reveals a worrying trend: threat actors are targeting multiple industries. The most affected sectors include digital services, cloud storage platforms, and financial services, reflecting a shift in focus towards companies that hold valuable user data and offer high resale value.

1. Digital Services and Streaming Platforms:

  • Who’s at Risk? Companies like Netflix and Disney+ are prime targets. Their popularity and the fact that millions of users are willing to pay for premium content make them attractive for hackers.
  • What’s Being Sold? Compromised accounts are often shared or sold with details like session cookies, making it easy for buyers to bypass login security. This enables users to enjoy premium services without the account owner’s knowledge.
  • Why It Matters: Compromised accounts are often resold or shared for free, undermining these companies’ revenue models. For example, a Netflix account that allows multiple streams can be used by multiple individuals without the company’s knowledge.

2. Cloud Storage and File Hosting:

  • Who’s at Risk? Platforms like Mega.nz and Google Drive are frequently targeted.
  • What’s Being Sold? Access to cloud storage accounts can potentially contain sensitive personal files or proprietary business data.
  • Why It Matters: Access to these accounts can be devastating. Personal data may be exposed, business information can be leaked, and in the worst cases, this access can be leveraged for ransom or further exploitation.

3. Financial Services:

  • Who’s at Risk? PayPal and other online banking services remain high-value targets.
  • What’s Being Sold? Financial account credentials, often including transaction history and linked bank details, are sold for quick financial gain.
  • Why It Matters: Once compromised, these accounts can be used for fraudulent purchases, laundering money, or draining linked bank accounts.

4. Government and Educational Institutions:

  • Who’s at Risk? Certain threads also reveal a focus on educational and governmental institutions, often in specific regions. These breaches can lead to the exposure of sensitive or classified information and may be driven by politically motivated actors.
  • Why It Matters: Database access to regional entities such as educational systems and government bodies can spark interest, potentially signaling politically motivated targeting or the pursuit of classified information for espionage purposes.

A Growing Market: Why is Stolen Data So Valuable?

Data is the new oil — it’s valuable, in-demand, and fuels an entire underground economy. But what makes stolen data so enticing for cybercriminals?

  1. Ease of Access and Use:
    1. Many compromised accounts come with details like session cookies, allowing threat actors to bypass multi-factor authentication and other security measures effortlessly. This makes it easy to log in without the hassle of entering passwords or passing security checks.
  2. High Resale Value:
    1. Digital accounts, particularly for streaming services, can be resold for a fraction of the original subscription cost. Similarly, cloud storage accounts are valued for the data they contain, making them an attractive purchase.
  3. Potential for Further Exploitation:
    1. Some threat actors aren’t just looking to sell; they’re seeking to exploit. Access to cloud storage or email accounts can serve as an entry point for more targeted attacks, such as spear-phishing campaigns, business email compromise (BEC), or even corporate espionage.

Sophistication Levels: From Novices to Experts

Not all cybercriminals are created equal. The dark web is home to a diverse group of actors, each with varying levels of sophistication. Understanding these levels helps in identifying the potential impact of their activities:

1. Newbies:

  • Profile: Typically engage in low-risk activities such as trading basic credentials (e.g., single account login details for streaming services).
  • Activities: Selling or sharing low-value accounts for platforms like Netflix and Hulu.
  • Risk: Minimal, as these actors lack the skills to perform more complex attacks. However, their activities can still lead to widespread account sharing.

2. Intermediate Threat Actors:

  • Profile: Have the capability to conduct more sophisticated breaches, such as accessing cloud storage services or hijacking VPN accounts.
  • Activities: Frequent discussions around financial account credentials or access to cloud storage with potential sensitive information.
  • Risk: Moderate to high, as these actors can exploit compromised data for financial gain or to access deeper networks.

3. Advanced Threat Actors:

  • Profile: Possess deep technical expertise and may even carry out targeted attacks on specific industries or regions.
  • Activities: Breaching government or educational systems, reflecting interest in sensitive or classified data.
  • Risk: Very high, as these actors are capable of executing large-scale data breaches, espionage, or infrastructure disruption.

The Dark Web’s Pulse: Measuring Community Interest

The number of replies and discussions around specific types of accounts serves as a strong indicator of the community’s interest and perceived value of the stolen data. The vibrant discussions around cloud storage platforms and digital services suggest that these sectors remain high-priority targets.

The rapid growth in interest within hours of posting reflects the increasing demand for certain types of data. For businesses, this means staying vigilant and being aware of the value cybercriminals place on different types of data assets.

Conclusion: A Threat That’s Here to Stay

The use of compromised data by cybercriminals to target companies is not a passing trend — it’s a growing, complex issue that demands attention. From digital services and cloud storage to financial and governmental sectors, no industry is immune. The sophistication levels of threat actors continue to rise, and the vibrant underground markets provide an easy way for them to exchange and monetize this data.

For companies, this means investing more in security, training employees to recognize potential threats, and staying one step ahead by monitoring these underground forums for early warnings. The fight against cybercrime is ongoing, and understanding how threat actors operate is the first step in protecting our digital assets.

By shedding light on these dark activities, we hope to raise awareness and help companies build stronger defenses against the ever-evolving threat of compromised data.

Leveraging Infostealers to Breach Companies: A Cybersecurity Intelligence Perspective

Alberto Casares on September 16, 2024

Infostealers are specialized malware designed to extract sensitive data from infected systems. They operate in the background, collecting login credentials, browser histories, and cookies, often without detection. Deployed through phishing emails or malicious websites, infostealers are a growing favorite among cybercriminals due to their low risk of detection and the high-value data they yield.

Unlike more overt forms of cyberattacks like ransomware, infostealers are subtle and continuous. The stolen information is often sold in bulk on dark web marketplaces or used to launch further attacks, such as gaining access to company networks or committing financial fraud. The sophistication of these tools has grown, making them one of the most effective methods for threat actors to compromise corporate environments.

Why Infostealers Are Effective Against Companies

Infostealers are attractive to threat actors for several reasons:

  1. Low Detection Rates: Infostealers are designed to evade detection by traditional security measures such as antivirus software. Once deployed, they blend seamlessly into legitimate system processes, making it challenging for conventional security solutions to recognize or remove them. This stealth allows them to operate undetected for extended periods, gathering critical data.
  • Targeting High-Value Data: Infostealers are capable of extracting a wide range of sensitive information, including passwords, session cookies (which can be used to bypass multi-factor authentication), financial records, and proprietary business data. This stolen data is often sold on dark web marketplaces or used for extortion, leading to significant financial and reputational damage.
  • Wide Availability and Accessibility: Infostealers are readily available for purchase on dark web forums, frequently offered as part of malware-as-a-service (MaaS) platforms. This makes them accessible even to less experienced cybercriminals, lowering the barrier to entry for launching sophisticated attacks. The ease of access and customization further amplifies their appeal to threat actors across the cybercriminal ecosystem.

Top Threat Actors Leveraging Infostealers

We have seen that many cybercriminals are actively using infostealers data as a preferred method for infiltrating organizations. These groups have leveraged infostealers to breach companies, leading to extensive financial and reputational damage. Below are a number of threat actors that stand out for their sophisticated use of these tools:

  • USDoD: This threat actor has carried out high-profile attacks, including the breach of Airbus by exploiting compromised credentials from a Turkish Airlines employee. This attack underscores the significant risk that infostealers pose to supply chains, allowing hackers to penetrate companies through vulnerable third-party partners​.
  • Sp1d3rHunters: Known for exploiting Snowflake accounts, Sp1d3rHunters has executed breaches against major companies such as Ticketmaster and AT&T, exfiltrating sensitive data such as customer information and event tickets. Their operations demonstrate how infostealer logs can be used to gain access to cloud services and wreak havoc​.
  • IntelBroker: This notorious threat actor has breached both government and private sector entities, targeting organizations such as Apple, Zscaler, and Microsoft. By using Infostealer-collected credentials, IntelBroker has facilitated attacks on critical infrastructure and sold access to compromised systems on dark web forums, further intensifying the risk to companies​.
  • Andariel (North Korea): Part of the Lazarus Group, Andariel is a North Korean state-sponsored Advanced Persistent Threat (APT) actor. This group is known for using infostealers, alongside other tools like keyloggers and remote access trojans (RATs), to target sectors such as military, nuclear, and manufacturing. Andariel’s strategy of using Infostealers to gather intelligence and financial data is a key part of their cyber operations​.
  • Lapsus$: Emerging in 2021, Lapsus$ has quickly gained a reputation for its high-profile breaches of companies like NVIDIA, Samsung, and Vodafone. Lapsus$ utilizes info stealers to harvest login credentials, payment information, and proprietary business data. In a notable attack, Lapsus$ breached Electronic Arts (EA), stealing source code for popular games like FIFA. The group’s aggressive tactics have caused widespread disruption in the tech and financial sectors​.

These groups’ sophisticated use of infostealers illustrates why businesses must adopt more advanced detection and monitoring systems to protect against this growing threat.

How Companies Can Defend Against Infostealers

While info stealers present a complex threat, companies can adopt several key strategies to mitigate the risks and minimize the impact of such attacks:

  • Analyze Exposed Data for Risk Mitigation: After a suspected infostealer attack, companies must conduct thorough analyses of the stolen data to assess the potential risks. This includes examining session cookies that could be hijacked to bypass multi-factor authentication (MFA), as well as personal credentials that may be used to impersonate employees or escalate privileges within the organization. Proactively identifying and addressing these risks can help prevent follow-up attacks or unauthorized access.
  • Strengthen Authentication Practices: While MFA is an essential safeguard, it is not foolproof, especially if session cookies are compromised. Companies should implement adaptive MFA, which monitors for anomalies in login attempts (such as unusual locations or devices) to prevent attackers from using stolen credentials. Additionally, frequent reauthentication can help disrupt the use of stolen session tokens.
  • Monitor for Unusual Access Patterns: Regularly reviewing access logs and monitoring for anomalous login attempts—such as multiple failed attempts, logins from unexpected locations, or odd behavior patterns—can help detect infostealer activity early. Endpoint Detection and Response (EDR) systems can play a key role in identifying and mitigating the effects of infostealers by flagging unusual data access or exfiltration activities.
  • Educate Employees on Phishing and Cyber Hygiene: Many infostealers are deployed through phishing attacks or malicious links. Regularly training employees to recognize suspicious emails, websites, and attachments can significantly reduce the likelihood of an initial infection. Implementing phishing simulations and real-time feedback can help maintain employee vigilance.
Constella Web Logo white e1703116556868

Constella.ai is the global leader in AI-driven identity risk and deep and dark web intelligence for such applications as identity theft, insider risk, synthetic identity fraud detection (Advanced KYE/KYB), and deep OSINT investigations.

With the world’s largest breach database, containing over one trillion data attributes in 125+ countries and over 53 languages, Constella empowers leading organizations across the globe to monitor and secure critical data through unparalleled visibility and actionable insights. 

Linkedin

API Integrations

Identity Monitoring

Deep OSINT Investigations

Identity Fraud Detection

Digital Risk Protection Platforms

Executive and Brand Digital Protection

OSINT Cybercrime Investigations

Threat Monitoring and Alerting

INSIGHTS

Blog

News and Events

Resources

USE CASES

Protect Your Users From Identity Theft

Protect Your Employees From Compromised Identities and Credentials

OSINT Investigations, Profiling, and Identity Mapping

External Digital Risk Protection for Organizations

Intelligence-Grade Monitoring and Data Collection

Fraud Detection Through Continuous Identity Risk Scoring

Subscribe To The Constella Newsletter

©2025 Constella Intelligence. All rights reserved.     Website Privacy Policy.     Terms of Use.     Datalake Privacy Notice.      Acceptable Use Policy.