
Preventing corporate credential theft


Victor Acin at Blueliv, an Outpost24 company, describes how corporate credential theft happens and provides advice on preventing this rising threat

 

Corporate credential theft is a highly targeted effort, and companies' credentials are attractive to cyber criminals, particularly in the age of digital transformation, BYOD (Bring Your Own Device) and hybrid working.

 

Once an attacker gets access to stolen or compromised user credentials and passwords, they can sell the credentials on the cyber criminal black market or use them to compromise an organisation’s network, bypassing security measures to move laterally within the network and steal critical data while threatening the credibility and integrity of the institution.

 

This is a situation every enterprise wants to avoid. Stolen credentials are dangerous and one of the greatest threats facing security and IT teams today, particularly as it takes little effort for a hacker to locate them, which makes them an effective means of gaining access for an attack.

 

This was demonstrated recently by cyber-security vendor Outpost24, which discovered over 31,000 login credentials associated with the FTSE 100 currently on the dark web, ready to be exploited. Indeed, three-quarters (75%) of these credentials are thought to have been stolen via conventional data breaches, while around a quarter were obtained via individually targeted malware infections.

 

Credential theft is becoming big business, and prominent cyber crime groups, from Conti to REvil, are known for using stolen credentials to gain the initial access from which they launch their attacks. The reason is that there is very little that can be done to identify and detect an intruder inside the system who is using recognised or trusted credentials.

 

A significant credential theft incident that made the news headlines and caused significant damage was the 2021 Colonial Pipeline ransomware attack, which resulted in petrol shortages across the United States. It was a prime example of the dangers posed to enterprises by a single compromised password.

 

Credential theft methods

Cyber criminals steal credentials using a wide range of techniques, tactics and procedures. Whether through blackmail, ransom, phishing, selling sensitive information or committing fraud, their end goal is usually to profit from their attack.

 

The market for compromised credentials is extremely broad with high potential. Many illegal activities for financial gain rely on obtaining credentials – or the keys – which open doors to organisations and their customers. These stolen credentials are then used to breach the wider organisation, and their partners, to steal sensitive information.

 

In fact, 81% of hacking-related breaches leverage either stolen or weak passwords. Even having all the security products in the world cannot protect an organisation if the criminals have the right “keys” to open the door.

Moreover, the world of business is constantly evolving, and the pandemic escalated the problem through the adoption of new working practices.

 

Naturally, threat actors also evolved their methods. For instance, Ransomware-as-a-Service (RaaS) - where organisations develop malware, manage the infrastructure, collect the ransom and control the encryption keys – has boomed in recent years; these are ready-made services that are available online for malicious actors to purchase.

 

Initial Access Brokers are another common threat vector. They facilitate access to an organisation, either using exploits or exploiting vulnerabilities. They also develop exploits that leverage vulnerabilities or sell compromised credentials to hackers.

 

Hackers will initiate their attacks by gathering sensitive information and can deploy common threats like malware, phishing, man-in-the-middle attacks and social engineering. Once the stolen credentials have been filtered, reviewed and evaluated, they are used for:

  • Data breaches: Leveraging corporate accounts and using these as the door opener to perpetrate a serious intrusion.
  • VIP impersonation: Having certain information can allow a scammer to impersonate a corporate VIP on social media or via email to communicate something damaging or to conduct fraud.
  • Account compromise & identity theft: Stealing customer information can result in stolen goods, credit or services as well as revealing personal information like home addresses.
  • Financial fraud: Gaining credentials can also help hackers execute fraudulent transactions with financial institutions.

If a hacker is successful in obtaining access to accounts, these credentials are often sold across underground forums and websites like the dark web, with prices starting at $1 and rising to hundreds of thousands, depending on the industry and the balance amount. For example, credentials to a social media account can be sold for $1.50, while bank account credentials that have a balance of $25,000 can fetch over $500,000.

 

Interestingly, research has shown that the majority (60%) of stolen credentials from the FTSE 100 came from three of the most highly regulated industries – IT/telecoms (23%), energy and utility (22%) and finance (21%) – while 81% of FTSE 100 companies had at least one compromised credential exposed on the dark web. Unfortunately, this clearly shows the scale of the problem at hand.

 

Protecting your organisation from credential theft

To best prevent credential theft, organisations must consider how a hacker would try to obtain these credentials to target and exploit the business, including through vulnerable applications. It's important to take a proactive approach to locating weak areas that are exploitable with compromised credentials and could allow cyber criminals to gain access and move into your other systems and networks.

 

Discovering your external attack surface is also critical to ensuring your applications are secure and up to date and cannot be accessed using stolen or leaked credentials. If an application was created in a test environment, this increases your risk of cyber attack, as vulnerabilities exist and there is a lack of authentication to keep cyber criminals at bay.

 

Conducting continuous and automated security hygiene checks on your applications and applying relevant security controls can help remove those issues that may jeopardise the company.

 

Real-time threat intelligence is key to taking a proactive approach to preventing credential theft. By automatically detecting compromised credentials, it enables you to act quickly and recover credentials in the underground belonging to customers, internal users or third-party suppliers before it's too late, reducing the risk of malware infections and ensuring your security posture and compliance are maintained.

 

Stolen credentials pose a worrying threat to businesses, because there is very little that can be done to identify and detect an intruder once they are inside your system.

 

As an organisation, especially one that conducts business online, you need to have constant visibility into what is happening to your credentials outside the business. Therefore, it is important to proactively monitor for stolen credentials and have robust security controls and threat intelligence in place to reduce the risk of a data breach.

 


 

Victor Acin is Labs Manager at Blueliv, an Outpost24 company

 

Main image courtesy of iStockPhoto.com



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543