#HowTo: Avoid Credential Abuse

Every year, when we look at the Verizon Data Breach Report and other industry surveys, malicious use of credentials occurs in more 80% of breaches worldwide. The most common way to start a cyber-attack is by impersonating real users by using credentials found on the dark web, harvested through phishing attacks, or using password spraying techniques. Once credentials have been compromised to gain a foot in the door, attackers might then work to achieve privileged access by gaining control of the credentials of a more privileged user.

This type of abuse is done for many different reasons. Examples include getting access to install ransomware onto a critical server or computer, downloading confidential information to use as a ransom or accessing accounts that could be used to reset passwords to multiple websites. The list goes on.

Don’t Get Stuffed Again 

Credential stuffing is a widely used technique by cyber-criminals. Typically, most users will have an average of three to five different passwords for different online services, maybe with few variations, like a number at the end of the password. Because of this poor password practice, the use of credential stuffing can be really effective. 

Bulk attacks are commonly used when targeting consumers, such as getting access to online accounts to make purchases and personal bank accounts. It’s also very common to use those attacks to install ransomware within a company network. Additionally, botnets are pretty effective at performing credential stuffing quickly. They are widely used to access routers and IoT devices using a password spraying technique with common and default passwords for devices, such as ‘admin.’ They can also be used to automate the attack process, launching simultaneous attacks, which gives less time for companies to react.

In a recent high-profile example of credential stuffing, hackers got hold of 500,000 Zoom credentials when their usage skyrocketed in April 2020 due to the pandemic. They collected credentials from the dark web and from different breaches and used them to try and log in to Zoom accounts. Zoom itself was not hacked or exposed; the problem was caused because users tend to use the same password everywhere.

Targeted attacks usually take more time and require a strategy to achieve specific objectives. For example, we have seen attacks targeted at managed service providers (MSPs) to steal credentials from anyone from the MSP’s technical team. With those credentials, cyber-criminals can potentially get access to computers in multiple companies managed by the MSP. This is a very smart way to reach dozens of companies by targeting just one.

The Importance of MFA 

The death of the password has been predicted for some 20 years – but they are still the most common form of authentication. But there is another, simple way. Two-factor authentication (2FA) or multi-factor authentication (MFA) can help to solve this problem. A recent document from Gartner from May 2020 said that because of the pandemic, companies that don’t implement MFA would have five times more chance of being attacked than companies with it. With MFA, even if the password is compromised, there are one or more additional factors protecting the users’ login. 

Yet, if it makes so much sense, why doesn’t everyone use MFA? It really depends on what they are trying to protect. Login to computers, remote access and VPNs, for example, are very common cases and usually don’t require too much work to implement MFA. Some legacy applications might be more complicated if they don’t offer any type of standard integration with MFA, but this can be overcome.

To integrate MFA, cloud applications will depend on supporting standards like security assertion markup language (SAML), a common and simple way to integrate cloud applications with an identity provider. It gives an additional benefit of web single sign-on to protect the cloud applications while removing the need for users and admins to create or manage application passwords. Some cloud applications are already taking measures to ensure all users will use MFA, and Salesforce is a great example. It recently announced that after 1 Feb 2022, everyone will have to use MFA.

The benefits are clear, but many companies still see MFA as costly and complex to deploy and manage. However, new cloud-based MFA solutions take away much of the pain and up-front investment of deploying MFA, even for smaller businesses that do not want to install and manage servers inside their networks. By managing MFA all from the cloud, implementation can be done in hours, not weeks, and ongoing management such as adding a user or application is quick and simple. Cloud-based MFA dispels the view that MFA has always been out of reach for SMEs due to cost, complexity and management issues – so there is no excuse. 

What’s Hot on Infosecurity Magazine?