Credential Harvesting and Initial Access: What Are They and How Can I Hit Back?

Written by

When it comes to cybersecurity, there’s usually much more than meets the eye. Take the phrase ‘cyber-attack.’ It might conjure up the impression of a one-off, explosive event. Yet, in reality, most attacks comprise multiple stages – from initial reconnaissance to lateral movement and finally ‘mission complete.’ The first step towards disrupting an adversary is understanding how they gain initial access, and the outsized role credential harvesting still plays in these efforts.

The good news is that there’s plenty that security teams can do to mitigate these threats.

It Starts with Credentials

Although multi-factor authentication is recommended best practice for enterprise security, many accounts are still protected only with a username/password combo. Unfortunately, this is exactly what threat actors are looking for to gain or increase access to a targeted system. They may do it via simple phishing, with input capture tools like keyloggers or credential stealer malware like RedLine and Raccoon.

There are many types of the latter available on cybercrime sites. A January 2022 sweep of two such sites – Amigos Market and Russian Market – found a combined 1.5 million compromised accounts linked to RedLine alone. A threat actor might want to use such tooling themselves or simply buy ready-made exfiltrated logs from someone who has already done so. Attackers might also probe bash history, private key files, registries, system administrator notes, files and credentials hardcoded in scripts or applications.

Moving Through the Gears

Credential theft is a critical element of initial access, alongside vulnerability exploitation and the brute-forcing of services such as remote desktop protocol (RDP), SSH and virtual network computing (VNC). Threat actors such as ransomware groups are increasingly turning to specialists, known as initial access brokers (IABs), to provide them with access. It could be a VPN appliance, a content management system, a Citrix gateway or any number of other critical enterprise systems. The IAB market is big and growing as cyber-criminals look to outsource more of their workload.

Following initial access, threat actors often drop a webshell into their victim’s environment to enable persistent access and the ability to install new tools or collect additional info about the system. These might use privilege escalation exploits or credential harvesting to access other machines on the same network and achieve lateral movement.

Layering up Defenses

Fortunately, there’s a great deal that security teams can do to spot and block such activity before an incident has turned into a full-blown breach. Threat intelligence is a critical aid to minimizing cyber-risk here. If organizations know what to look for and where, they’ll be better equipped to respond and build resilience into their systems rapidly.

The kind of information that could prove most useful here is what type of access IABs are currently selling and how they typically target similar organizations. For example, teams should have a keen risk-based view of which vulnerabilities are being exploited in the wild in attacks on their peers. Look out too for corporate credentials circulating on the dark web. By acting quickly, it’s possible to reset passwords before they’ve been sold to would-be attackers. Insight into supply chain products and areas of possible weakness is also helpful, as is continuous monitoring of new domain registrations aimed at spoofing legitimate corporate domains.

This kind of intelligence will require scouring multiple sources, from corporate endpoints to dark websites. Scanning is also possible for the presence of credential theft, webshell and other malicious tools. The key is to shine a light on those who would prefer to stay hidden and to layer up defenses, so there are more filters to trap them.

What’s hot on Infosecurity Magazine?