Executive Summary
In 2025, cybercriminals escalated their use of infostealer malware, leading to the theft of 1.8 billion credentials—a staggering 800% increase compared to the previous year. These infostealers infiltrated 5.8 million devices, extracting sensitive data such as login credentials, cookies, and financial information. The stolen credentials were subsequently sold on dark web marketplaces, facilitating further cyberattacks including ransomware and data breaches. Notably, major organizations like Deloitte, KPMG, and Samsung fell victim to these attacks due to inadequate enforcement of multi-factor authentication (MFA), underscoring the critical need for robust security measures. (infosecurity-magazine.com)
This surge in credential theft highlights a significant shift in cybercriminal tactics, emphasizing the exploitation of identity-based vulnerabilities. The convergence of infostealers and ransomware has created rapid extortion chains, where stolen credentials are quickly leveraged to deploy ransomware within organizations. This trend underscores the urgency for businesses to implement comprehensive security strategies, including the enforcement of MFA, regular credential monitoring, and employee education on phishing and malware threats. (cyfirma.com)
Why This Matters Now
The dramatic rise in infostealer-driven credential theft poses an immediate threat to organizations worldwide. With cybercriminals increasingly targeting identity-based vulnerabilities, businesses must urgently adopt robust security measures such as multi-factor authentication, regular credential monitoring, and comprehensive employee training to mitigate the risk of data breaches and ransomware attacks.
Attack Path Analysis
An infostealer malware was delivered to the victim's system through a phishing email, leading to the theft of credentials and session data. The attacker used these credentials to escalate privileges and move laterally within the network, establishing command and control channels to exfiltrate sensitive data. The attack culminated in significant data loss and potential operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker delivered an infostealer malware to the victim's system via a phishing email, exploiting the user's trust to execute the malicious payload.
MITRE ATT&CK® Techniques
Phishing
Drive-by Compromise
Command and Scripting Interpreter
Credentials from Password Stores
Steal Web Session Cookie
Obfuscated Files or Information
Application Layer Protocol
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement strong authentication mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Infostealer credential reuse threatens banking authentication systems, requiring enhanced zero trust segmentation and egress security to prevent unauthorized account access and data exfiltration.
Health Care / Life Sciences
Stolen healthcare credentials enable HIPAA-regulated data breaches through lateral movement, demanding encrypted traffic controls and anomaly detection to protect patient information systems.
Information Technology/IT
IT infrastructure faces amplified risk as stolen admin credentials facilitate privilege escalation and command control, necessitating multicloud visibility and Kubernetes security enforcement.
Government Administration
Government systems require immediate threat detection capabilities against infostealer-enabled identity compromise, focusing on secure hybrid connectivity and compliance with NIST frameworks.
Sources
- How infostealers turn stolen credentials into real identitieshttps://www.bleepingcomputer.com/news/security/how-infostealers-turn-stolen-credentials-into-real-identities/Verified
- Password Warning As 2.1 Billion Credentials Hit By Infostealer Attackshttps://www.forbes.com/sites/daveywinder/2025/03/18/password-warning-as-21-billion-credentials-hit-by-infostealer-attacks/Verified
- Infostealers fueled cyberattacks and snagged 2.1B credentials last yearhttps://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/Verified
- Infostealer Malware Detected Riskhttps://help.upguard.com/en/infostealer-malware-detected-riskVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial malware delivery, it could limit the malware's ability to communicate with other systems, reducing the potential for further compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely constrain the attacker's ability to access sensitive systems, even with stolen credentials, by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely restrict the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and disrupt unauthorized command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely prevent unauthorized data exfiltration by controlling outbound traffic and enforcing strict egress policies.
While Aviatrix CNSF may not fully prevent data loss, it could likely reduce the scope of impact by limiting the attacker's access and movement within the network.
Impact at a Glance
Affected Business Functions
- Identity and Access Management
- Customer Support Services
- Internal Communications
- Supply Chain Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Stolen credentials leading to unauthorized access to sensitive customer and corporate data, including PII and proprietary information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical assets.
- • Enforce Multi-Factor Authentication (MFA) to prevent unauthorized access using stolen credentials.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities in real-time.
- • Conduct regular security assessments and user training to mitigate the risk of phishing attacks and credential theft.
