There are several ways that attackers use compromised credentials
Bitdefender’s latest threat debrief for July 2022 has shown that, whether it’s a new breach or a recycled list, credential leaks remain a valid threat to organizations.
Credentials, which are user emails and the corresponding passwords for a given site or application, are a cybercriminal’s favorite data type because they allow an attacker to masquerade as a legitimate user on a system.
Since January, 62 per cent of Bitdefender MDR’s actionable intelligence alerts have been credential leaks. As we have seen over the last 2+ years, these attack vectors are industry and location agnostic, and they’re only increasing. Verizon’s Data Breach Investigations Report indicates that credentials made up 42 per cent of all data compromised by APTs in 2021, stating, “if you can access the asset directly over the internet simply by entering the credentials, so can the criminals”.
Credentials are sold and distributed on dark web sources and can be found on code repository pages that are easily accessible to anyone. But are you still at risk even if your company requires users to follow best practices, including password complexity, length, and a quarterly change? The answer is: potentially. With many organizations using hybrid and remote working models, personal devices are a blind spot. The MDR Intelligence Cell has access to sources called Malware Logs, which give insight into devices infected with spyware. Spyware can affect personal computers as well as Apple and Android mobile devices. Attackers usually try to catch unsuspecting users logging into important financial or work resources, and personal devices may not have up-to-date security tools. Spyware steals login information that is released on dark web markets within 30 days, which means attackers may be holding current credentials.
There are several ways that attackers use compromised credentials. They may use combinations of usernames, emails, and exposed passwords to gain initial access through web portals or other remote access services such as RDP, VPN, or SSH, via brute-force or credential stuffing attacks. Spammers and social engineering campaigns, such as phishing and spearphishing, may also use leaked email addresses to target corporate or personal mailboxes that are likely active.
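As an added illustration of the brute-force versus credential-stuffing distinction described above (example code written for this page, not from the Bitdefender report), the following Python classifies each source IP seen in constructed sshd-style auth log lines: many distinct usernames failing in one short burst points to stuffing with leaked user:password pairs, one username failing repeatedly points to brute force, and a success inside a failing burst is flagged for follow-up. The log lines, host name and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd-style auth log lines (not taken from the report).
SAMPLE_LOG = """\
Jul 05 10:00:01 vpn1 sshd[100]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Jul 05 10:00:02 vpn1 sshd[101]: Failed password for bob from 203.0.113.9 port 5002 ssh2
Jul 05 10:00:03 vpn1 sshd[102]: Failed password for carol from 203.0.113.9 port 5003 ssh2
Jul 05 10:00:05 vpn1 sshd[104]: Accepted password for erin from 203.0.113.9 port 5005 ssh2
Jul 05 10:00:06 vpn1 sshd[105]: Failed password for admin from 198.51.100.7 port 6001 ssh2
Jul 05 10:00:07 vpn1 sshd[106]: Failed password for admin from 198.51.100.7 port 6002 ssh2
Jul 05 10:00:08 vpn1 sshd[107]: Failed password for admin from 198.51.100.7 port 6003 ssh2
Jul 05 10:30:00 vpn1 sshd[110]: Failed password for frank from 192.0.2.44 port 7001 ssh2
Jul 05 10:30:05 vpn1 sshd[111]: Accepted password for frank from 192.0.2.44 port 7002 ssh2
"""
# Matches the OpenSSH "Failed/Accepted password for <user> from <ip>" message shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_auth_log(text, year=2022):
    """Yield (timestamp, ip, user, success) for each recognised login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"] == "Accepted"

def classify_sources(events, window_s=300, min_failures=3):
    """Per source IP, inspect the burst of attempts within window_s of its first event:
    many distinct users = credential stuffing; few users, many tries = brute force."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        first = evs[0][0]
        burst = [e for e in evs if (e[0] - first).total_seconds() <= window_s]
        users = {u for _, u, _ in burst}
        failures = sum(1 for _, _, ok in burst if not ok)
        if failures < min_failures:
            pattern = "benign"
        else:
            pattern = "credential_stuffing" if len(users) >= min_failures else "brute_force"
        verdicts[ip] = {"pattern": pattern, "failures": failures, "distinct_users": len(users),
                        "success_after_failures": failures > 0 and any(ok for _, _, ok in burst)}
    return verdicts
```

A success flagged inside a stuffing burst is the case worth paging on: it is the leaked pair that still worked.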
When it comes to credential leaks, some security measures that can be taken include the following:
1. Apply multi-factor authentication.
2. Awareness: detection/crawling of the dark web, closed sources, and paste sites to find leaked business credentials, as conducted by the cyber intelligence service included in Bitdefender MDR.
3. Business email addresses should only be used on business accounts.
4. Apply strong security practices when it comes to passwords.
5. Use a password manager.
6. Password length is very important; be sure to use 12-14 characters.
7. Including upper- and lower-case letters, numbers, and symbols adds complexity.
8. Length is more important than complexity, and points 6 and 7 combined make passwords even harder to crack.
9. For example, you can select a few random words, exchanging numbers and symbols for letters: Halloween Shoes Car becomes H@l10w3en$4oe&c@R.
10. Do not use the same password(s) across multiple accounts.
11. Update/change passwords at least every 90 days.
12. Whenever possible, enable password-less authentication, like OIDC (OpenID Connect).

According to the report:
- Ransomware: After analysing the ransomware variants detected in June 2022, Bitdefender found 192 active ransomware families.
  - The most prevalent were WannaCry (42 per cent of detections), GandCrab (15 per cent), and Robin (13 per cent).
- Android trojans: Bitdefender telemetry throughout June 2022 also discovered multiple trojans targeting the Android mobile operating system.
  - The most prevalent were:
    - DN (54 per cent) – Repacked applications taken from the Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
    - LC (10 per cent) – Malware that gathers sensitive information about a device (device IDs, subscriber IDs, MAC addresses) and sends it to a malicious C&C server. The C&C server responds with a link to a payload, which the malware downloads and executes.
    - AYE (8 per cent) – Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user’s incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
- Spoofed domains: The research also uncovered trends in homograph attacks, where attackers abuse International Domain Names to create websites whose URLs closely resemble those of popular sites.
  - The most encountered websites being spoofed were com (23 per cent), facebook.com (21 per cent), and paypal.com (12 per cent).