August 6, 2024
It’s a common story: weak or reused passwords find their way online, with damaging consequences for organizations. Criminals increasingly deploy stolen credentials to gain initial access to user accounts, bringing new demands for security.
This has led to a booming market for stolen credentials and the initial access they can bring. The ENISA Threat Landscape 2023 report said there had been year-over-year growth in the Initial Access Broker (IAB) market, with credentials the prime goods for sale.
Stealer malware ‘commonly find their way to victim machines via social engineering, mostly phishing, some even via a paid distribution scheme relying on the Emotet and Qakbot botnets,’ ENISA wrote. ‘Other campaigns lure users into downloading seemingly legitimate software, for example via malvertising.
We expect that future social engineering campaigns to obtain credentials and install information stealers will further anticipate new defensive measures to protect the abuse of credentials.’
Stolen credentials are a bigger problem than ever
Challenges for organizations around stolen credentials are only getting bigger. The Verizon 2024 Data Breach Investigations Report (DBIR) found that attacks that involved the exploitation of vulnerabilities as the critical path to initiate a breach had increased by 180% compared to the previous year.
The report found the use of stolen credentials to be the top initial action in breaches, at 24%, just ahead of ransomware at 23%.
The threat is pervasive, with fraudsters using various means to steal credentials. One common ploy is to use malware to steal passwords and then sell them on the dark web, with such tools as Redline, Vidar, and Raccoon Stealer being popular choices.
The FBI has warned of cyber criminals using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials.
Credentials can also be guessed through approaches like brute force attacks, where cybercriminals deploy tools that test password combinations continuously until they discover the right one.
This can involve a range of methods, from relatively simplistic trial and error approaches to dictionary attacks, which exploit users’ habits of choosing simple and easily remembered passwords by attempting all the words in a “dictionary” of common passwords.
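As an added example (not from the article), here are two defender-side checks for the guessing methods just described: screening a new password against a common-password list with the usual mangling (case, leet substitutions, appended digits and symbols) undone, and flagging sources with repeated failed logins. The word list, log lines and thresholds are constructed for illustration; a real deployment would use a large breached-password list and its own log source.

```python
import re
from collections import Counter

# Constructed sample of common passwords (real breach lists have millions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 8
# Undo the leet substitutions most mangling rules apply ("p@ssw0rd" -> "password").
LEET = str.maketrans("@4301!$57", "aaeoiisst")
# Strip leading/trailing digits and symbols ("Welcome123!" -> "welcome").
EDGE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normalize(password: str) -> set:
    """Return the base words a dictionary attack's rule set would expand into."""
    lower = password.lower()
    forms = {lower, EDGE.sub("", lower)}
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms - {""}


def check_password(password: str) -> tuple:
    """Return (accepted, reason); rejects dictionary words and their variants."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hits = normalize(password) & COMMON_PASSWORDS
    if hits:
        return False, f"variant of common password {sorted(hits)[0]!r}"
    return True, "ok"


# Constructed sshd-style auth log lines for the online brute-force check.
SAMPLE_LOG = """\
Failed password for invalid user admin from 198.51.100.7 port 50112 ssh2
Failed password for root from 198.51.100.7 port 50114 ssh2
Failed password for alice from 203.0.113.9 port 41200 ssh2
Accepted password for alice from 203.0.113.9 port 41202 ssh2
Failed password for root from 198.51.100.7 port 50116 ssh2
Failed password for invalid user test from 198.51.100.7 port 50118 ssh2
"""
FAILED = re.compile(r"Failed password for .* from (\S+) port")


def flag_bruteforce(log_text: str, threshold: int = 3) -> dict:
    """Map source IP -> failed-login count for sources at or above threshold."""
    counts = Counter(m.group(1) for m in FAILED.finditer(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

In practice the password check belongs at enrolment and password-change time, and the failed-login threshold feeds a lockout or alerting rule rather than a one-off script.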