Infostealers are getting bolder – and more ambitious.
Long focused on stealing human credentials – like usernames, passwords, cookies, session tokens, and autofill information – infostealers have expanded to target non-human identities. With the rise of cloud-native architectures, microservices, and automation, the number of non-human identities representing workloads, services, applications, and devices has surged to support these dynamic environments.
This rapid growth has made non-human identities an appealing target for attackers, underscoring the need to secure them as part of a resilient security posture.
Infostealers are malicious software tools designed to infiltrate systems and exfiltrate sensitive data like credentials, secrets, or API keys. Often distributed through phishing attacks, compromised software packages, or as part of a malware-as-a-service (MaaS) model, infostealers lower the barriers to entry for cybercriminals.
Data-stealing malware has become a pervasive threat, increasing by sevenfold since 2020, with recent attacks exposing hundreds of millions of records across major companies. By harvesting credentials from various sources, these malware tools empower attackers to infiltrate organizations on an unprecedented scale.
Just this week, a massive breach affecting nearly 57 million accounts at retailers like Hot Topic, Torrid, and Box Lunch came to light. The compromise began with an infostealer infecting a device at a third-party provider, allowing a hacker known as “Satanic” to access sensitive customer data stored in the cloud.
While human credentials have traditionally been in the crosshairs, the expanding attack surface driven by cloud and DevOps practices makes non-human identities an increasingly attractive target.
The consequences of compromised non-human identities are severe. When an infostealer harvests API keys, certificates, or other authentication tokens used by applications and services, attackers can gain privileged access, move laterally within environments, or even disrupt critical business operations.
CISOs and security architects must implement robust identity and access management (IAM) practices for workloads, emphasizing strong identity verification, secure credential management, and adherence to Zero Trust principles.
Effective identity verification for workloads ensures that each service, application, or container can reliably prove its identity before accessing sensitive resources. Traditional methods, such as static API keys or long-lived credentials, are easy targets for infostealers and can be exploited without human intervention. Here’s how organizations can enhance their workload identity verification strategies: