Check Point Research has found over 10 million stolen credentials associated with EMEA organizations exposed on cybercrime markets
# Incident Report: Surge in Infostealer Attacks Targeting EMEA Organizations
## Executive Summary
Organizations in the Europe, Middle East, and Africa (EMEA) region saw a 58% increase in infostealer attacks over the past year, according to a Check Point report released at CPX 2025. These attacks rely primarily on phishing for delivery and are aimed at stealing credentials and session tokens, which are then sold on underground markets and used to enable further breaches, including ransomware and financial fraud. The report's central defensive message is that adversaries are agile and increasingly use stolen data rather than exploits to get past multi-factor authentication (MFA), and defenders must adapt accordingly.
## Incident Details
- **Discovery Date:** February 4, 2025 (Date of Report Release)
- **Incident Date:** Over the past year (leading up to February 2025)
- **Affected Organization:** Organizations across the EMEA region (Specific organizations not detailed)
- **Sector:** Education and Research (most attacked sector in EMEA), Communications, Military, Healthcare, Retail and Wholesale.
- **Geography:** Europe, Middle East, and Africa (EMEA), with African countries like Ethiopia, Uganda, Angola, and Ghana seeing the highest attack volumes.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout the report period, peaking in the 12 months prior to Feb 2025.
- **Vector:** Phishing was the top vector: email delivered 62% of malicious files in the 30 days leading up to the report.
- **Details:** Attackers deploy infostealers like AgentTesla, Lumma Stealer, and FormBook via malicious emails to harvest credentials.
### Lateral Movement
- **Details:** Stolen credentials, particularly VPN credentials and authentication tokens, are used to gain access to the corporate network, enabling subsequent lateral movement. Session hijacking with stolen session tokens is the primary MFA-bypass technique: the attacker replays a token issued after a legitimate user already completed MFA, so no second-factor challenge is ever presented.
### Data Exfiltration/Impact
- **Details:** Over 10 million stolen credentials associated with EMEA organizations were observed for sale in underground markets. The primary impact is the theft of sensitive corporate data, consistent with ransomware actors shifting their focus from encryption alone to data extortion, together with session hijacking that leads to corporate breaches.
### Detection & Response
- **How it was discovered:** Through analysis compiled in Check Point's latest *EMEA Cyber Threat Intelligence* report.
- **Response actions taken:** Not explicitly detailed, but the report highlights the need for defenders to learn from attackers' agility and adapt defenses, especially concerning MFA bypasses.
## Attack Methodology
- **Initial Access:** Phishing (62% of malicious files delivered via email).
- **Persistence:** Implied by the use of stolen session tokens, which let an attacker keep a valid authenticated session without re-entering credentials or MFA.
- **Privilege Escalation:** Not detailed in the report. Stolen administrative credentials or tokens would give elevated access directly, without a separate escalation step (inferred).
- **Defense Evasion:** Session hijacking as the primary technique for getting past established MFA controls.
- **Credential Access:** Infostealer malware (AgentTesla, Lumma Stealer, FormBook) specifically targets VPN credentials and authentication tokens.
- **Discovery:** Standard post-access reconnaissance within the compromised network (implied).
- **Lateral Movement:** Utilizing stolen credentials and session tokens to move across the environment.
- **Collection:** Gathering sensitive corporate data and authentication credentials.
- **Exfiltration:** Data is sold on underground cybercrime markets, fueling subsequent attacks.
- **Impact:** Corporate breaches, ransomware deployment (as a secondary threat fueled by stolen access), and financial fraud.
## Impact Assessment
- **Financial:** Costs related to remediation, potential ransom demands (if ransomware is deployed post-breach), and general operational disruption. (No specific figures provided).
- **Data Breach:** Over 10 million stolen credentials observed for sale related to EMEA organizations. Data extortion is confirmed as the primary focus for ransomware actors over pure encryption.
- **Operational:** Business disruption resulting from breaches fueled by stolen access and session hijacking.
- **Reputational:** Damage due to the public confirmation of credential theft and subsequent attacks.
## Indicators of Compromise
*(Note: The report names malware families only; it publishes no IP addresses, domains, URLs or file hashes, so no network or file IoCs are listed here.)*
- **Network indicators:** None provided in the report.
- **File indicators:** None provided. Malware families identified: AgentTesla, Lumma Stealer and FormBook (infostealers); FakeUpdates (SocGholish) identified as the top malware overall in the region.
- **Behavioral indicators:** Successful session hijacking; high volume of credential exfiltration attempts post-phishing delivery.
## Response Actions
- **Containment measures:** (Inferred from standard practice for credential theft; not stated in the report: disable or lock affected accounts, revoke their active sessions and refresh tokens, and block the known C2 infrastructure and hashes for AgentTesla, Lumma Stealer and FormBook from vendor threat feeds.)
- **Eradication steps:** (Inferred: reimage or thoroughly clean endpoints infected by infostealers; reset passwords and invalidate all tokens for affected users; treat every credential stored in browsers and password managers on an infected host as compromised, including third-party SaaS and VPN accounts.)
- **Recovery actions:** (Inferred: re-enroll MFA for affected users rather than only resetting passwords, since existing tokens and registered factors may be attacker-controlled; shorten session lifetimes; add monitoring for session reuse from unexpected clients.)
## Lessons Learned
- **Key takeaways:** Adversaries are highly agile, leveraging underground marketplaces where stolen access (credentials/tokens) is the primary commodity. Infostealers are highly effective, especially when coupled with phishing campaigns.
- **What could have been done better:** Organizations need to prioritize defenses against credential theft and session hijacking, as these methods effectively weaken MFA protections.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Monitor session token usage for reuse from an unexpected client (new device, user agent, network or geography) and invalidate the session immediately when that occurs, rather than waiting for the token to expire.
  2. Enhance continuous user training to recognize sophisticated phishing attempts, the top initial access vector.
  3. Review and strengthen MFA deployments, favoring phishing-resistant methods (FIDO2/passkeys) over push or one-time-code MFA. Note the limit of this control: phishing-resistant MFA stops credential phishing and real-time proxy attacks, but a session token stolen from an already-authenticated browser bypasses any MFA method, so it must be paired with short session lifetimes and device-bound or otherwise client-bound sessions.
  4. Deploy endpoint detection and response (EDR) capable of catching infostealer execution, in particular access to browser credential and cookie stores, before harvesting and exfiltration complete.
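The behavioral indicator "successful session hijacking" and recommendation 1 both come down to the same check: a session token that was issued to one client and is later presented by a different one. The following is an added example, not code from the Check Point report, showing that check run over a handful of constructed web-server log lines. The log format, field order, fingerprint definition (IPv4 /24 prefix plus User-Agent) and the 8-hour maximum session age are all assumptions made for this example.

```python
"""Session-token anomaly detection over constructed auth log lines (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log. Field order (an assumption for this example):
# timestamp event user session_id src_ip user_agent
SAMPLE_LOG = """\
2025-02-03T09:00:12Z LOGIN_OK alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2025-02-03T09:05:40Z REQUEST alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2025-02-03T09:10:00Z LOGIN_OK bob sess-c1d2 192.0.2.25 Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0
2025-02-03T09:31:07Z REQUEST alice sess-7f3a 198.51.100.77 python-requests/2.31.0
2025-02-03T09:32:15Z REQUEST alice sess-7f3a 198.51.100.77 python-requests/2.31.0
2025-02-03T09:40:00Z REQUEST bob sess-c1d2 192.0.2.25 Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0
"""


@dataclass
class SessionBinding:
    """What the session was bound to when it was issued at login."""
    user: str
    fingerprint: tuple[str, str]
    issued_at: datetime


@dataclass
class Alert:
    session_id: str
    user: str
    ts: datetime
    reason: str


def fingerprint(src_ip: str, user_agent: str) -> tuple[str, str]:
    """Coarse client fingerprint: network prefix plus User-Agent.

    A prefix rather than the exact address tolerates ordinary DHCP churn
    inside one network while still separating a home user from an
    attacker replaying the cookie from a different network.
    """
    prefix = 64 if ":" in src_ip else 24
    net = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
    return (str(net), user_agent)


def parse_line(line: str):
    """Split one log line; maxsplit=5 keeps the space-containing User-Agent intact."""
    ts, event, user, sid, ip, ua = line.split(None, 5)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, sid, ip, ua


def detect_hijacks(log_text: str, max_age: timedelta = timedelta(hours=8)):
    """Replay the log in order; bind each session at LOGIN_OK and flag later
    requests whose client no longer matches the binding.

    Returns (alerts, revoked_session_ids). A session is revoked on its first
    alert, so subsequent requests with the same token are not re-alerted.
    """
    sessions: dict[str, SessionBinding] = {}
    revoked: set[str] = set()
    alerts: list[Alert] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, sid, ip, ua = parse_line(line)
        fp = fingerprint(ip, ua)

        if event == "LOGIN_OK":
            # Successful login (post-MFA) establishes the binding for this token.
            sessions[sid] = SessionBinding(user, fp, ts)
            continue
        if sid in revoked:
            continue

        binding = sessions.get(sid)
        if binding is None:
            alerts.append(Alert(sid, user, ts, "session id never issued by a login"))
            revoked.add(sid)
        elif ts - binding.issued_at > max_age:
            alerts.append(Alert(sid, user, ts, "session used past its maximum age"))
            revoked.add(sid)
        elif fp != binding.fingerprint:
            alerts.append(Alert(sid, user, ts,
                                f"fingerprint changed: {binding.fingerprint} -> {fp}"))
            revoked.add(sid)
    return alerts, revoked


if __name__ == "__main__":
    found, killed = detect_hijacks(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.user} {a.session_id}: {a.reason}")
    print("revoked:", sorted(killed))
```

In the sample, alice's token `sess-7f3a` is issued to a Windows/Chrome client on 203.0.113.0/24 and is then presented from 198.51.100.0/24 by `python-requests`, which is the infostealer-log replay pattern; bob's session is consistent and produces no alert. Two caveats a practitioner should keep in mind: buyers of infostealer logs routinely import the victim's User-Agent and use residential proxies, so a fingerprint mismatch is a useful detection but not a guarantee, and the stronger control is binding the token cryptographically to the device so that a copied cookie is useless on another machine; and legitimate mobile users change networks often, so tune the prefix width and alert threshold to the population before auto-revoking.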