Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Stolen Credentials. Show all posts

Rising Threat of Stolen Credentials and Initial Access Breaches

 

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The Solarwinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private Github repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.

RingGo: Phone Parking Service Suffers Data Breach, Customer Data Stolen


UK-based pay-by-phone parking service – RingGo – has suffered a data breach, where information including partial credit card numbers of several of its customers has been leaked. 

The EasyPark-owned company informed that the data of at least 950 customers had been stolen by the hackers. The data included names, phone numbers, addresses, email addresses and parts of credit card numbers.

According to the company, the compromised information is “non-sensitive” and claims that “no combination of this stolen data can be used to perform payments.”

However, it has warned customers have been warned against phishing scams, where threat actors use stolen customer details to send them emails and text messages, that look convincing, in order to scam the target victims. 

While British customers were the least affected by the breach, data of thousands of Europe-based customers are feared to be compromised. It needs to be made clear as to who is behind the data breach. 

Easypark further informs that it was “reaching out to all affected customers.” Meanwhile, RingGo claims to be “UK’s number one parking app,” with over 19 million customers. 

Using the company's app, drivers pay for parking using their smartphones by providing information about their vehicle, like the license plate number, and payment information, like a credit or debit card.

The Information Commissioner's Office (ICO) in the UK and the corresponding European agency have received reports from Stockholm-based EasyPark, according to a Tuesday Guardian report.

According to a statement published on the company’s website, the attack first came to light on December 10: "The attack resulted in a breach of non-sensitive customer data."

“We deeply care about our customers and want to make sure you are fully informed about this incident […] Our security team, including external security experts, is working hard to ensure effective security and privacy measures are in place[…]We are deeply sorry this happened and will continue to work hard every day to earn your trust.”

Owned by private equity firms Vitruvian Partners and Verdane, the company has operations across 4,000 cities in 23 countries, encompassing most of western Europe, the US, and Australia. Since its founding in 2001, it has expanded via several acquisitions.  

AutoSpill Attack Steal Credentials from Android Password Managers


Security researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have discovered a new vulnerability with some Android password managers in which some malicious apps may steal or capture users’ data credentials in WebView. 

The threat actors carry out the operation particularly when the password manager is trying to autofill login credentials. 

In a presentation at the Black Hat Europe security conference, the researchers revealed that the majority of Android password managers are susceptible to AutoSpill even in the absence of JavaScript injection. 

How AutoSpill Works

WebView is frequently used in Android apps to render web content, which includes login pages, within the app, rather than redirecting users to the main browser, which would be more challenging on small-screen devices. 

Android password managers automatically enter a user's account information when an app loads the login page for services like Apple, Facebook, Microsoft, or Google by utilizing the WebView component of the platform. 

According to the researchers, it is possible to exploit vulnerabilities in this process to obtain the auto-filled credentials on the app that is being invoked. 

The researchers added that the password managers on Androids will be more vulnerable to the attack if the JavaScript injections are enabled. 

One of the main causes of the issue regarding AutoSpill is Android’s inability to specify who is responsible for handling the auto-filled data securely, which leaves the data vulnerable to leakage or capture by the host app.

In an attack scenario, the user's credentials could be obtained by a rogue app presenting a login form without leaving any trace of the breach.

Impact and Patch Work

Using Android's autofill framework, the researchers tested AutoSpill against a number of password managers on Android 10, 11, and 12. They discovered that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable to assaults.

It was found that Google Smart Lock 13.30.8.26 and DashLane 6.2221.3 had different technical approaches for the autofill process, wherein they did not compromise data to the host app unless JavaScript injection was used.

The researchers submitted their recommendations for fixing the issue along with their results to the security team of Android and the affected software manufacturers. Their report was accepted as legitimate, however, no information regarding the plans for rectifying it was disclosed.  

The Infamous Cybercrime Marketplace Now Offers Pre-order Services for Stolen Credentials

 

In accordance with Secureworks, info stealer malware, which consists of code that infects devices without the user's knowledge and steals data, is still widely available for purchase through underground forums and marketplaces, with the volume of logs, or collections of stolen data, available for sale increasing at alarming rates. 

Between June 2021 and May 2023, the Russian market alone grew by 670%. “Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access,” said Don Smith, VP of threat research, Secureworks CTU. 

“They are readily available for purchase, and within as little as 60 seconds of installation on an infected computer will immediately generate a return on investment in the form of stolen credentials and other sensitive information. However, what has really changed the game, as far as info stealers are concerned, is improvements in the various ways that criminals use to trick users into installing them. That, coupled with the development of dedicated marketplaces to sell and purchase this stolen data, has really upped the ante,” added Smith. 

Researchers at Secureworks examined the most recent trends in the underground info stealer market, including how this sort of malware is growing more complex and harder to detect, offering a challenge to corporate network defenders. Among the key findings are:

The number of info stealer logs for sale on underground forums grows with time. The number of logs for sale on the Russian market alone surged by 150% in less than nine months, from two million on a single day in June 2022 to over five million on a single day in late February 2023.

The overall growth rate for the number of logs for sale on the Russian market was 670% over a roughly two-year period (measured on a single day in June 2021 and a single day in May 2023).

The Russian market continues to be the largest seller of info stealer logs. At the time of writing, Russian Market has five million logs for sale, which is around ten times more than its nearest competitor.t is well-known among Russian cybercriminals and is often utilized by threat actors globally. Recently, Russian Market has included logs from three new thieves, indicating that the site is adapting to the ever-changing e-crime scenario.

Raccoon, Vidar, and Redline remain the top three info stealer logs for sale. On a single day in February, the following logs, or data sets of stolen credentials, were for sale among these popular info stealers on the Russian Market:
  • The number of raccoons is 2,114,549.
  • Vidar: 1,816,800
  • The redline is 1,415,458.
The recent law enforcement effort against Genesis Market and Raid Forums has influenced the behavior of cybercriminals. Telegram has benefited from this, with more log buying and trading going to specialized Telegram channels for prominent stealers like RedLine, Anubis, SpiderMan, and Oski Stealer. Despite the arrests of several users and the removal of 11 domains affiliated with Genesis Market, the Tor site remains operating, with logs still for sale.

However, activity on the marketplace has nearly ceased, as criminals have begun debating the matter on underground forums, raising concerns about the platform's reliability. A rising market has evolved to address the demand for after-action solutions that aid with log parsing, a time-consuming and difficult operation that is often left to more experienced hackers.

As the number of info stealers and available logs grows, these tools are expected to become more popular and assist to decrease the entry barrier. The successful development and deployment of info stealers, like the overall cybercrime ecosystem, depends on individuals with diverse skills, jobs, and responsibilities. The growth of malware-as-a-service has encouraged developers to innovate in order to better their products and appeal to a broader spectrum of clients.

For example, Russian Market now allows customers to preorder stolen credentials for a certain organization, business, or program for a $1,000 deposit into the site's escrow mechanism. The pre-order service offers no guarantees but allows crooks to progress from opportunistic to targeted.

“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved. Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market,” continued Smith.

“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defense against the threat of infostealers,” concluded Smith.

Phishing, compromised websites, malicious software downloads, and Google advertisements can all be used to install info stealers on a computer or device. Stolen credentials accounted for nearly one-tenth of the incident response engagements Secureworks was involved in 2022, and were the initial access vector (IAV) for more than a third (34%) of ransomware engagements from April 2022 to April 2023.

Proxies and Configurations Used for Credential Stuffing Attacks

 


About the attack

Threat actors are actively hacking home IP addresses to conceal credential stuffing attacks and boost their chances  of successful conduct, FBI alerts. 

Credential stuffing is a famous method of account hijacking where hackers use large lists of compromised login credentials combos and use them across various websites and apps aggressively to check if they're working. We all know that some users reuse same passwords, so the trick usually works. 

How are stolen credentials used?

Working credentials are then sold to others for early access. FBI said the config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc. 

In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.

Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts. 

Who are the victims?

In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts. 

The Australian Federal Police and FBI discovered two websites having more than 300,000 sets of credentials attained via credential stuffing. 

How many users affected?

The sites had more than 175,000 registered users and made around $400,000 in sales. But website admins can notice any malicious activity if they know what to look for. At this point comes the role of residential proxies. 

Cyber criminals may also target a company’s mobile applications as well as the website. Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation.

Experts believe that by breaching home routers or other connected tech, hackers can focus their attempts through benign looking IPs to evade network defenders.

Existing security protocols can't flag or restrict residential proxies as often as proxies linked to data centers. Along with combo lists, threat actors purchase 'configs' or configurations, and other tools on dark forums to increase the success rates. 

FBI Warns of Hackers Selling US College VPN Credentials on Underground Forums

 

Threat actors are advertising network credentials and virtual private network (VPN) access for colleges and universities based in the United States on underground and public criminal marketplaces. 

Last week, the Federal Bureau of Investigation (FBI) issued an advisory regarding usernames and passwords giving access to colleges and universities based in the U.S. that are put up for sale on Russian cybercriminal platforms. The price of stolen credentials varies between a few U.S. dollars to thousands. 

Hackers use several tactics such as ransomware and spear-phishing, to execute credential harvesting attacks and sell them on Russian hacking forums. The credentials allow hackers to launch brute-force attacks to infiltrate into victim accounts spanning different accounts, internet sites, and services. 

"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI warned. 

Last year in May, the agency said it identified more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform posted by a group that specialized in the trafficking of stolen login credentials. 

According to Emsisoft threat analyst Brett Callow, 10 of the 13 attacks on colleges this year involved data exfiltration. Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, Florida International University, and Stratford University are just a few of the schools impacted by ransomware this year. 

Security tips 

The FBI advises academic institutions to liaise with their local FBI Field Office and update their incident response and communication plans. Implementing brute-force protection, training sessions for students and faculty to identify phishing attempts, using strong, unique passwords, and multi-factor authentication are regular recommendations that are valid for all organizations. 

"Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks," stated Steven Hope, CEO, and co-founder of password management firm Authlogics.