
According to the Office of the Australian Information Commissioner, the Medibank breach was a downstream effect of an infostealer infection. Here’s how it unfolded:
- Before 7 August 2022: An IT contractor saved Medibank admin credentials in a browser profile, syncing them to a personal device.
- Around 7 August: Infostealer malware on the personal device captured the credentials.
- By 23 August: The attacker used the stolen credentials to access Medibank’s VPN, which lacked MFA.
- Over the next 6 weeks: The attacker exfiltrated 520GB of sensitive data, while security alerts went untriaged.
- Between 19 October and 1 December: The stolen data was published.
This breach highlights how commodity malware—not just ransomware or nation-state attacks—can lead to massive data leaks.
🔗 Reference: OAIC Medibank Breach Timeline
You Should Know: How to Detect and Prevent Infostealer Infections
1. Detecting Infostealers on Windows
Infostealers such as RedLine, Vidar and Raccoon all go after the same artefacts, so that is where to look:
– Browser profile databases (Chrome and Edge Login Data and Cookies; Firefox logins.json, key4.db and cookies.sqlite)
– Windows Credential Manager and other saved-password stores
– Process, autostart and event logs (Security, PowerShell, Sysmon), which is where the theft itself shows up
Commands to Check for Malware (PowerShell):

```powershell
# Matching process names against family names is a weak first pass: stealers run
# under arbitrary or spoofed names, so an empty result proves nothing.
Get-Process | Where-Object { $_.ProcessName -match "redline|vidar|raccoon" }

# Chrome's saved-password database. Its presence is normal (every profile has one);
# what matters is whether a non-browser process has copied it elsewhere, e.g. to %TEMP%.
Get-Item "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data" | Select-Object FullName, Length, LastWriteTime

# Autostart entries in the user's Run key (/s recurses into subkeys). Check HKLM too.
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s
```
Using Sysinternals Tools:

Autoruns covers far more persistence locations than the Run keys. Use the console build (autorunsc) so the output can be saved and diffed against a known-good baseline: -a * dumps every category, -ct writes tab-separated output, -s verifies signatures and -m hides Microsoft-signed entries.

```powershell
.\autorunsc64.exe -accepteula -a * -ct -s -m > autoruns.tsv
```
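The name match above only catches a stealer that is careless about its process name. The following PowerShell is an added example, not code from the original post or from any vendor tool: it applies the heuristics an analyst actually uses on a suspect host (processes whose image lives in a user-writable directory or lacks a valid Authenticode signature, copies of browser credential stores outside the browser profile, and autostart entries in the Run keys and Task Scheduler). The directory list, the credential-store filenames and the 'Microsoft*' task-author filter are assumptions to tune for your estate. Run it in an elevated session.

```powershell
# Added example: infostealer triage on a Windows host. Not from the original post.
# The directory list and the task-author filter are assumptions; tune them to your estate.

# 1. Processes running from user-writable locations or without a valid signature.
$userWritable = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA",
                  "$env:USERPROFILE\Downloads", "$env:PUBLIC", "$env:ProgramData")

$suspectProcs = foreach ($p in (Get-Process | Where-Object { $_.Path })) {
    $inUserDir = [bool]($userWritable | Where-Object { $p.Path.StartsWith($_, 'OrdinalIgnoreCase') })
    $sig = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue
    $status = 'Unknown'
    $signer = ''
    if ($sig) {
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    if ($inUserDir -or $status -ne 'Valid') {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; Signed = $status; Signer = $signer }
    }
}
"== Processes from user-writable paths or unsigned (leads, not verdicts) =="
$suspectProcs | Format-Table -AutoSize

# 2. Copies of browser credential stores outside the browser profile directories.
#    Stealers copy the locked SQLite files before reading them; %TEMP% is the usual place.
$storeNames = 'Login Data', 'Cookies', 'cookies.sqlite', 'logins.json', 'key4.db'
"== Credential-store copies in user-writable paths =="
Get-ChildItem -Path $env:TEMP, $env:PUBLIC, $env:ProgramData -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $storeNames -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime

# 3. Autostart entries: Run/RunOnce keys for the user and the machine.
"== Run / RunOnce entries =="
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value } }
    }
}

# 4. Scheduled tasks not authored by Microsoft (the Author filter is an assumption; vendors differ).
"== Non-Microsoft scheduled tasks =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, Author,
        @{ Name = 'Execute'; Expression = { ($_.Actions | ForEach-Object { $_.Execute }) -join ' ; ' } } |
    Format-Table -AutoSize
```

Treat every hit as a lead to be checked against a baseline, not a verdict: Teams, Discord and many installers legitimately run from %LOCALAPPDATA%, and some vendor tasks are unsigned. What you are looking for is the combination, for example an unsigned binary in %TEMP% that is also referenced from a Run key and sits next to a fresh copy of Login Data.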
2. Preventing Credential Theft
- Enable MFA everywhere (especially VPNs and admin portals).
- Disable browser password syncing for sensitive accounts.
- Use a password manager instead of browser storage.
Windows Hardening Commands:

```powershell
# Stop Credential Manager from storing domain credentials for network authentication.
# This does not touch browser-saved passwords, which is what infostealers actually take.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableDomainCreds /t REG_DWORD /d 1 /f

# Enable Windows Defender Credential Guard (Enterprise/Education; needs UEFI, Secure Boot
# and virtualization-based security). It isolates LSASS secrets from malware running as the
# user; again, it does nothing for browser password stores. LsaCfgFlags 1 = on with UEFI lock,
# 2 = on without lock. Reboot afterwards.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f

# Verify after reboot: SecurityServicesRunning contains 1 when Credential Guard is active.
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
```
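The registry hardening above protects Windows credential stores, but the Medibank credentials lived in a browser profile that synced to a personal device. The following PowerShell is an added example, not part of the original post: it enforces the "disable browser password saving and sync" advice through the vendors' documented policy registry keys (Chrome, Edge and Firefox), and first audits the host for the weak default. The policy names are the vendors' own; applying them per-host with registry writes rather than through Group Policy or Intune is just for illustration. Run it elevated.

```powershell
# Added example: audit and enforce browser password-store and sync policies.
# Not from the original post. Policy names are the vendors' documented ones;
# the values below are the hardened setting. Deploy via GPO/Intune at scale.

$desired = @{
    'HKLM:\SOFTWARE\Policies\Google\Chrome'   = @{ PasswordManagerEnabled = 0; SyncDisabled = 1; BrowserSignin = 0 }
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'  = @{ PasswordManagerEnabled = 0; SyncDisabled = 1; BrowserSignin = 0 }
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' = @{ PasswordManagerEnabled = 0; DisableFirefoxAccounts = 1 }
}

function Get-BrowserPolicyDrift {
    # Compares each policy value with the hardened value. A missing value means the
    # browser default applies, i.e. saving passwords and syncing them are allowed.
    foreach ($key in $desired.Keys) {
        foreach ($name in $desired[$key].Keys) {
            $current = $null
            if (Test-Path $key) {
                $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($prop) { $current = $prop.$name }
            }
            $shown = '(not set: browser default, weak)'
            if ($null -ne $current) { $shown = $current }
            [pscustomobject]@{
                Key       = $key
                Policy    = $name
                Current   = $shown
                Expected  = $desired[$key][$name]
                Compliant = ($current -eq $desired[$key][$name])
            }
        }
    }
}

function Set-BrowserHardeningPolicy {
    # Writes the hardened values; New-ItemProperty -Force overwrites an existing weak value.
    foreach ($key in $desired.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired[$key].Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired[$key][$name] -Force | Out-Null
        }
    }
}

"== Before =="
Get-BrowserPolicyDrift | Format-Table -AutoSize
Set-BrowserHardeningPolicy
"== After (browsers apply the policy on restart; chrome://policy and edge://policy show it) =="
Get-BrowserPolicyDrift | Format-Table -AutoSize
```

Two caveats. Disabling the password manager stops new saves and autofill but does not delete credentials already sitting in existing Login Data or logins.json files, so clearing those stores and rotating the passwords is a separate step. And the policy only bites on managed devices; the personal device in the Medibank case would never have received it, which is why blocking sync from the corporate side (SyncDisabled, BrowserSignin) matters more than the client-side setting.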
3. Monitoring for Exfiltration
- Enable Windows event logging for suspicious activity. PowerShell script block logging writes the content of every executed script block to Event ID 4104 in Microsoft-Windows-PowerShell/Operational, which catches the loaders and stagers that drop stealers. It does not record network traffic, so pair it with Sysmon Event ID 3 (network connections) or firewall logs to see the outbound transfer itself:

```powershell
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
```
- Use Sigma rules to detect infostealer behavior. The rule below runs on Sysmon Event ID 11 (FileCreate). A browser writing its own login database is normal, so the browser binaries are excluded and any other process that creates a file named like a credential store fires. Sysmon does not log file reads, so a stealer that reads the database in place is only visible through file-system auditing (Security Event ID 4663) or an EDR; most stealers copy the locked database first, and that copy is what this rule catches:

```yaml
title: Suspicious Browser Data Access
description: Detects non-browser processes creating copies of browser credential stores
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '\Login Data'
      - '\cookies.sqlite'
  filter_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter_browsers
level: high
```
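To see what the rule actually does, here is its logic as a PowerShell hunt, added as an example and not taken from the original post. It applies the same selection-minus-filter test first to a few constructed Sysmon Event ID 11 records (made up for this example) and then to the live Sysmon log via Get-WinEvent. The function and variable names are the example's own; the Firefox logins.json fragment and the msedge.exe exclusion are additions beyond the rule above.

```powershell
# Added example: the Sigma rule's logic as a PowerShell hunt over Sysmon Event ID 11
# (FileCreate). Not from the original post; the sample records are constructed.

$storeFragments = '\Login Data', '\cookies.sqlite', '\logins.json'   # Chrome/Edge and Firefox stores
$browserImages  = '\chrome.exe', '\msedge.exe', '\firefox.exe'         # allowed writers (the rule's filter)

function Test-BrowserStoreCopy {
    # True when a process that is not a browser created a file named like a credential store.
    param([string]$Image, [string]$TargetFilename)
    $touchesStore = [bool]($storeFragments | Where-Object { $TargetFilename -like "*$_*" })
    $isBrowser    = [bool]($browserImages  | Where-Object { $Image -like "*$_" })
    return ($touchesStore -and -not $isBrowser)
}

# Constructed sample events, shaped like Sysmon EID 11 after XML parsing.
$samples = @(
    @{ Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
       TargetFilename = 'C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data' }  # normal
    @{ Image = 'C:\Users\alice\AppData\Local\Temp\build.exe'
       TargetFilename = 'C:\Users\alice\AppData\Local\Temp\Login Data' }                                # stealer copy
    @{ Image = 'C:\Users\alice\AppData\Roaming\svchost.exe'
       TargetFilename = 'C:\Users\alice\AppData\Local\Temp\cookies.sqlite' }                            # stealer copy
    @{ Image = 'C:\Windows\System32\cmd.exe'
       TargetFilename = 'C:\Users\alice\notes.txt' }                                                    # unrelated
)
foreach ($s in $samples) {
    $hit = Test-BrowserStoreCopy @s
    '{0,-5} {1}  ->  {2}' -f $hit, $s.Image, $s.TargetFilename
}
# Only the two %TEMP% copies evaluate to True.

# Live hunt: parse recent Sysmon FileCreate events and apply the same test.
# Requires a Sysmon config whose FileCreate rule covers the browser profile and %TEMP% paths.
function Get-BrowserStoreCopyEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-BrowserStoreCopy -Image $data['Image'] -TargetFilename $data['TargetFilename']) {
            [pscustomobject]@{ Time = $_.TimeCreated; PID = $data['ProcessId']; Image = $data['Image']; File = $data['TargetFilename'] }
        }
    }
}
Get-BrowserStoreCopyEvents | Format-Table -AutoSize
```

The filter is deliberately narrow: a backup agent or a profile-migration tool will also copy Login Data, so in production you add those images to the exclusion list after confirming them, rather than loosening the selection.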
What Undercode Says
The Medibank breach underscores how low-tech attacks (infostealers) can lead to high-impact breaches. Key takeaways:
1. Browser-saved passwords are a goldmine for attackers, and browser sync carries them onto whatever personal device the employee signs in from.
2. Without MFA, a stolen password is all the attacker needs; the VPN in this case had none.
3. Security alerts must be triaged immediately; here they sat untriaged for weeks while data left the network.
Linux & Windows Commands for Defense

```bash
# Linux: check for suspicious cron jobs (common post-infostealer persistence)
crontab -l
ls -la /etc/cron.*
```

```powershell
# Windows: hunt for lateral movement
net session                            # active inbound SMB sessions on this host
quser                                  # interactive and RDP logon sessions
netstat -ano | findstr ESTABLISHED     # established connections with owning PID; match the PID against Get-Process
```
Prediction: Infostealer infections will increase as attackers shift from ransomware to silent credential harvesting.
Expected Output:
- Detect infostealers early with process monitoring.
- Enforce MFA on all critical systems.
- Audit credential storage regularly.
- Monitor exfiltration attempts with network logs.
Reported By: Theonejvo Cybercriminals – Hackers Feeds


