Drawing the RedLine - Insider Threats in Cybersecurity

This blog was originally published by LogicHub here.

Written by Tessa Mishoe, LogicHub.

RedLine Password Theft Malware

The RedLine password theft malware is a hot topic this month with Microsoft’s employee compromise. Though Microsoft didn’t offer many officially released details on what occurred, we can examine how RedLine works to gain an understanding of what may have possibly occurred.

Passwords: An Easy Target

Let’s not mince words: passwords are difficult for most organizations to manage. Despite the ready availability of password management software, deployment and strategic management of passwords is difficult as your employment numbers skyrocket. It is for this reason that attackers enjoy targeting passwords: it’s much easier to walk directly through the front door if it’s a route available to you. Even then, a less flashy method of obtaining access exists directly through the users.

What Is an Insider Threat?

Insider threats are some of the most dangerous and effective threats, primarily because they cannot be eliminated as risks. They exist within the target network, typically as users that have current access to resources within the network.

A common misrepresentation of the insider threat is of a malicious user, such as a disgruntled employee. Though this is a type of insider threat, it is not the only one: even the most well-meaning and careful of users (including security staff!) can become insider threats. While attack vectors are typically seen as unpatched servers or vulnerable applications, insider threats are a very common attack vector.

RedLine Malware-as-a-Service

RedLine is a malware service available for purchase on underground forums that specifically targets the theft of sensitive information: passwords, credit cards, execution environment data, computer name, installed software, and more recently, cryptocurrency wallets and related files. The first mention of this malware appears to be in early 2020, when multiple phishing campaigns cast a wide net over thousands of users, offering RedLine en masse. The original advertisement to hopeful customers, retrieved from one of these forums and translated from Russian:

Collects from browsers:

• Login and passwords
• Cookies
• Autocomplete fields
• Credit cards

Supported browsers:

• All browsers based on Chromium (even latest version of Chrome)
• All Gecko-based browsers (Mozilla, etc.)
• Data collection from FTP clients, IM clients
• File-grabber customizable by Path, Extension, Search-in-subfolders (can be configured for the necessary cold wallets, Steam, etc.)
• Settings by country. Setting up a blacklist of countries where the build will not work
• Settings for anti-duplicate logs in the panel
• Collects information about the victim's system: IP, country, city, current username, HWID, keyboard layout, screenshot, screen resolution, operating system, UAC Settings, is the current build running with administrator privileges, User-Agent, information about PC hardware (video cards, processors), installed antiviruses

Performing tasks:

• Download - download a file from link to the specified path
• RunPE - injection of a 32-bit file downloaded from link into another file
• DownloadAndEx - download a file from link to the specified path with subsequent launch
• OpenLink - open a link in the default browser

Seen in attacks against healthcare and manufacturing agencies, RedLine started with heavy-hitter industries and only got worse as more users purchased it. Indicators of compromise burst in numbers, standing at a little over 24,000 known at the time of this writing.

Now that we know how RedLine got its start, we can talk about why it’s important to maintain familiarity with it.

The Compromises

In a blog post published on March 22nd, 2022, Microsoft confirmed that one of their user accounts had been compromised by the Lapsus$ (also known as DEV-0537)threat actor, though they claimed that the information accessed was limited and that “no customer code or data was involved”. The next day, Lapsus$ posted screenshots of Microsoft internal source code repositories, though Microsoft also stated that they do not consider the release of source code to be a condition for elevation of risk.

Also on March 22nd, Okta confirmed that the RedLine malware attack they faced from Lapsus$ about two months prior may have compromised over 366 of their corporate customers. Though the Lapsus$ group only received limited access to those specific customers through the account that they compromised, this attack indicates how effective access to even a single account can be. Also notable: the compromised user was a customer support engineer from a contracted third party (Sitel).

With this in mind, remember that Lapsus$ does not always use RedLine to steal data. Their favorite tactics, techniques, and procedures include all manner of credential acquisition, from purchasing the credentials outright on underground forums to recruiting insiders from companies directly.


This being said, using RedLine in combination with some of these tactics would not be surprising. An attacker could pivot into a higher level account using social engineering or, as the Microsoft advisory suggests, ‘(set) an Office 365 tenant level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access’. It’s also equally likely that one of the less ‘exciting’ (but equally effective) methods of takeover occurred.

Insider Threats Via Other Means

In their blog, the Microsoft team confirms that one of the primary methods used by Lapsus$ is recruitment of active users within the target network, but malicious insiders are not the only type of insider threat. Average users are valuable targets to groups like Lapsus$ for their access and may face things like 2FA spamming (in which an attacker sends a large amount of requests to a user’s 2FA method, hoping that they will intentionally or unintentionally provide access) or social engineering (something that may deliver RedLine or other credential theft malware).

As seen in Okta’s compromise, the takeover of a third-party account caused the breach. Unfortunately, even the strictest of measures towards users within a company may not end up preventing all attacks if contracted companies are not carefully audited for the same security measures.

Recruiting Employees to Gain Insider Access

Recruiting employees is becoming an increasingly popular method for takeover. The Tesla insider threat case and the insider threats seen in SIM-swapping techniques have rocketed the idea of malicious insider threats out into the open. As desperation, bribery, and employee privilege mismanagement increase, insider threats will probably see a strong upward trend. As with most malicious activities, the promise of monetary gain may only draw more attention from both targeted organizations and targeted employees.

How to Mitigate Insider Threats

Most of cybersecurity’s tribulations have a patchwork solution to cover all parts of a problem, and insider threats are no exception. Through a combination of technical and procedural solutions, most of the issues caused by insider threats can be mitigated:

Defense Against Phishing

• Regular employee training. Users should receive regular social engineering training about what to look for in phishing emails and messages.
• Email filtering. Email filtering solutions that detect unusual file attachments extensions and concerning senders are extremely helpful in stopping phishing attempts before they ever reach the user.
• File hash checks and regular machine audits can stop malicious files from being delivered to the user by looking for reputation-based data. This may not stop all items, but it will prevent most attempts from well-known IOCs.

Defense Against Malicious Insiders

• Deactivate inactive/terminated employees immediately upon their departure from the organization. Disgruntled employees that have their previous access can wreak absolute havoc upon a network.
• Limit user privileges only to the most necessary access for employees. This is always best practice: no one should ever have more access than they need, and the access requisition process should be carefully documented.
• Set up monitoring for employee activities in concerning applications. This includes monitoring for exfiltration of certain files and an excess of unusual activity outside of the baseline developed for the user. Special focus should also be placed on inactive employees.

Defense Against Malicious Insiders

• Deactivate inactive/terminated employees immediately upon their departure from the organization. Disgruntled employees that have their previous access can wreak absolute havoc upon a network.
• Limit user privileges only to the most necessary access for employees. This is always best practice: no one should ever have more access than they need, and the access requisition process should be carefully documented.
• Set up monitoring for employee activities in concerning applications. This includes monitoring for exfiltration of certain files and an excess of unusual activity outside of the baseline developed for the user. Special focus should also be placed on inactive employees.

Defense Against RedLine and Similar Malware

• Disable the native password vault built into the deployed browser of choice across all user endpoints. This can be done via group policy for most popular browsers.
• Defenses against phishing and social engineering (like the ones listed above) help to prevent the spread of malware like RedLine.
• Having passwords behind another layer of security, like in a password vault with multi-factor authentication, reduces the likelihood of them being easily visible even when a machine is compromised.
• Block download of concerning applications and access to suspicious websites.

Defense Against SIM-Swapping

• Use token authentication through an authenticator application. Avoiding the use of SMS tokens altogether makes SIM-swapping less problematic towards other applications. Some organizations may find a physical key, like a YubiKey, to be a helpful solution.
• Only allow pre-authorized devices for sensitive applications. Monitoring solutions should also alert if a device outside of policy attempts to access a sensitive application.
• For provisioned mobile devices, require that a pin be entered with the carrier to transfer phone numbers.

As with most attack vectors, an effective monitoring solution aids in detection and response against insider threats.