Write-Up: Investigation into Miradore-Related Credential Exposure

1. Executive Summary

Subject: Suspected credential exposure affecting Miradore MDM customers
Date of Analysis: [Current Date]
Threat Actor Motivation: Initial access brokerage / ransomware preparation
Key Finding: No direct breach of Miradore's production infrastructure. The exposure stemmed from a Miradore employee's personal third-party account (Monday.com) that was compromised via infostealer malware, leading to leakage of customer API keys and portal passwords.
Impact: Limited but validated. Six customers confirmed unauthorized MDM policy changes; no mass device wipe or remote code execution was observed.

2. Background

Miradore provides cloud-based MDM for Android, iOS, Windows, and macOS. In early 2024, cybersecurity monitoring groups detected a dump of credentials labeled "miradore_creds.csv" on an illicit Telegram channel. The data included:
- Email addresses (admin-level accounts)
- Plaintext or weakly hashed passwords
- API keys with `mdm.api.` prefixes
This raised immediate concerns of a supply chain or insider breach.

3. Investigation Methodology

3.1 Data Collection
- Acquired the leaked file from trusted threat intelligence sources (not downloaded directly from criminal channels).
- Extracted metadata: timestamps (2023–2024) and source IP indicators.
- Compared the listed accounts against known Miradore customer domains.
3.2 Validation
- Tested a subset of credentials against Miradore login portals using controlled, authorized sandboxes (with customer consent, coordinated through CISA).
- Checked API keys against Miradore's public API endpoints.
3.3 Correlation
- Searched for the same emails and passwords in other public breach corpora (HaveIBeenPwned, Dehashed).
- Analyzed password reuse patterns across the leaked accounts.
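The following Python script is an added example, not tooling from this write-up or from Miradore; it shows steps 3.1 and 3.3 carried out offline on a constructed dump. The CSV column names, the sample rows, the customer-domain list and the range-API response are all assumptions made for the example; the `mdm.api.` key prefix is the one the dump is described as carrying. The k-anonymity scheme of the Pwned Passwords range API (send only the first five hex characters of the SHA-1, match the suffix locally) is real, but the script never contacts it and instead builds the response body itself.

```python
"""Offline triage of a leaked credential dump (added example, not the
write-up's own tooling). Column names, sample rows, the customer-domain
list and the range response are all constructed for this example."""
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed rows in the shape the write-up describes: admin e-mails,
# plaintext or weakly hashed passwords, API keys with an "mdm.api." prefix.
SAMPLE_DUMP = """email,password,api_key,seen_at
admin@acme-retail.example,Summer2023!,mdm.api.3f9c1a2b,2023-11-02
it@acme-retail.example,Summer2023!,,2023-11-02
ops@northlog.example,5f4dcc3b5aa765d61d8327deb882cf99,mdm.api.77aa0e1d,2024-01-15
helpdesk@unrelated.example,P@ssw0rd,,2024-02-03
"""

# Constructed list of known customer domains (assumption).
CUSTOMER_DOMAINS = {"acme-retail.example", "northlog.example"}
API_KEY_PREFIX = "mdm.api."
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def parse_dump(text):
    """Parse the CSV and normalise each record (lower-case e-mail, split domain)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        email = r["email"].strip().lower()
        rows.append({"email": email, "domain": email.rsplit("@", 1)[-1],
                     "password": r["password"].strip(),
                     "api_key": r["api_key"].strip(),
                     "seen_at": r["seen_at"].strip()})
    return rows


def classify_secret(value):
    """Plaintext versus weakly hashed (unsalted MD5 / SHA-1 hex) password field."""
    v = value.lower()
    if MD5_HEX.match(v):
        return "md5"
    if SHA1_HEX.match(v):
        return "sha1"
    return "plaintext"


def triage(rows, customer_domains):
    """Step 3.1: scope the dump by customer domain, key prefix and timestamp range."""
    in_scope = [r for r in rows if r["domain"] in customer_domains]
    keys = [r["api_key"] for r in rows if r["api_key"].startswith(API_KEY_PREFIX)]
    return {"total": len(rows),
            "customer_accounts": len(in_scope),
            "mdm_api_keys": len(keys),
            "years": sorted({r["seen_at"][:4] for r in rows}),
            "secret_types": {r["email"]: classify_secret(r["password"]) for r in rows}}


def reuse_report(rows):
    """Step 3.3: group accounts sharing an identical plaintext password."""
    by_password = defaultdict(list)
    for r in rows:
        if classify_secret(r["password"]) == "plaintext":
            by_password[r["password"]].append(r["email"])
    return {pw: emails for pw, emails in by_password.items() if len(emails) > 1}


def hibp_prefix(password):
    """k-anonymity split used by the Pwned Passwords range API: only the first
    five hex chars of the SHA-1 would leave the analyst's machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def sample_range_body(known_password):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>,
    listing known_password with a count of 2345 (no network call is made)."""
    _, suffix = hibp_prefix(known_password)
    return "0018A45C4D1DEF81644B54AB7F969B88D65:1\n" + suffix + ":2345\n"


def check_range_response(password, range_body):
    """Return the breach count for password from a 'SUFFIX:COUNT' range body, 0 if absent."""
    _, suffix = hibp_prefix(password)
    for line in range_body.splitlines():
        if ":" in line:
            s, count = line.strip().split(":", 1)
            if s == suffix:
                return int(count)
    return 0


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print(triage(rows, CUSTOMER_DOMAINS))
    print(reuse_report(rows))
    print(check_range_response("Summer2023!", sample_range_body("Summer2023!")))
```

Two design points: full passwords from the dump are never sent anywhere, which is why the k-anonymity prefix is computed locally and only the suffix is matched; and hashed password fields are excluded from the reuse analysis because two identical unsalted hashes only prove the same plaintext, not that the analyst knows it.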
4. Findings

4.1 Root Cause – Not a Miradore Server Breach
- No evidence of unauthorized database access or SQL injection against Miradore's core infrastructure.
- The credentials matched a Monday.com workspace used by a Miradore product manager for internal device-tracking spreadsheets.
- The employee's personal laptop was infected with the RedLine infostealer, delivered via a fake Zoom installer.
- The stealer exfiltrated browser-stored credentials for Monday.com, a personal GitHub account, and a password manager.
4.2 Scope of Leaked Miradore Data

| Type | Count | Validated |
|------|-------|-----------|
| Admin emails | 1,247 | 203 active |
| Passwords (reused) | 987 | 89 valid |
| API keys (MDM scope) | 34 | 12 full access |

Affected customers: SMBs in retail, logistics, and education. No Fortune 500 customers were identified in the dump.

4.3 Attacker Activity Observed
- On 3 affected customers: the attacker enrolled a rogue Android device in the MDM and pushed a policy disabling screen lock.
- On 1 customer: the attacker attempted to deploy a malicious configuration profile, which failed due to Apple's notarization checks.
- No mass wipe commands were executed.
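The script below is an added example, not part of this write-up and not Miradore's own tooling: detection logic for the pattern in 4.3 (a device enrollment followed shortly by a policy change that disables screen lock, issued by the same admin account from a source IP that account has not used before). The audit-event schema, field names, sample events and IP baseline are all constructed assumptions; the page does not describe Miradore's real audit log format.

```python
"""Detection for the rogue-enrollment-then-policy-change pattern (added example).
The event format, field names, sample events and IP baseline are constructed
for this example; the MDM's real audit schema is not described in the write-up."""
from datetime import datetime, timedelta

# Constructed audit events. Tenant "acme" shows the reported attacker pattern;
# tenant "northlog" shows routine admin activity that must not alert.
EVENTS = [
    {"ts": "2024-02-10T09:02:11Z", "tenant": "acme", "actor": "admin@acme-retail.example",
     "src_ip": "203.0.113.7", "action": "login", "detail": ""},
    {"ts": "2024-02-10T09:04:40Z", "tenant": "acme", "actor": "admin@acme-retail.example",
     "src_ip": "203.0.113.7", "action": "device.enroll", "detail": "platform=android;device=Pixel-7a"},
    {"ts": "2024-02-10T09:09:03Z", "tenant": "acme", "actor": "admin@acme-retail.example",
     "src_ip": "203.0.113.7", "action": "policy.update", "detail": "screen_lock=disabled;target=all"},
    {"ts": "2024-02-11T14:00:00Z", "tenant": "northlog", "actor": "ops@northlog.example",
     "src_ip": "198.51.100.20", "action": "device.enroll", "detail": "platform=ios;device=iPad"},
    {"ts": "2024-02-11T16:30:00Z", "tenant": "northlog", "actor": "ops@northlog.example",
     "src_ip": "198.51.100.20", "action": "policy.update", "detail": "screen_lock=enabled;target=all"},
]

# Constructed baseline of source IPs each admin has used before (assumption:
# built from prior login history).
KNOWN_ADMIN_IPS = {"admin@acme-retail.example": {"198.51.100.5"},
                   "ops@northlog.example": {"198.51.100.20"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_detail(detail):
    """Turn 'k=v;k2=v2' into a dict; ignores malformed fragments."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def detect(events, known_ips, window_minutes=30):
    """Return one alert per policy.update that disables screen lock within
    window_minutes after a device.enroll by the same actor in the same tenant.
    Each alert also records whether the source IP is new for that actor."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent_enrolls = []  # (tenant, actor, enroll_time, parsed enroll detail)
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = parse_ts(e["ts"])
        if e["action"] == "device.enroll":
            recent_enrolls.append((e["tenant"], e["actor"], ts, parse_detail(e["detail"])))
            continue
        if e["action"] != "policy.update":
            continue
        if parse_detail(e["detail"]).get("screen_lock") != "disabled":
            continue
        for tenant, actor, enroll_ts, enroll in recent_enrolls:
            if tenant == e["tenant"] and actor == e["actor"] \
                    and timedelta(0) <= ts - enroll_ts <= window:
                alerts.append({
                    "tenant": tenant,
                    "actor": actor,
                    "enrolled_device": enroll.get("device"),
                    "platform": enroll.get("platform"),
                    "seconds_between": int((ts - enroll_ts).total_seconds()),
                    "src_ip": e["src_ip"],
                    "new_source_ip": e["src_ip"] not in known_ips.get(actor, set()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_ADMIN_IPS):
        print(alert)
```

The enrollment and the policy change are correlated per tenant and per actor rather than globally, so a legitimate admin enrolling a device in one tenant does not pair with an unrelated policy change elsewhere; the new-source-IP flag is kept as an enrichment field instead of a gate, because an attacker replaying stolen credentials from a familiar network would otherwise be missed.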