Password-Guessing Is the Attackers’ Latest Weapon of Choice
By Ekaterina Khrustaleva, Chief Operating Officer, ImmuniWeb
In January 2022, New York Attorney General Letitia James revealed the results of a major investigation into credential stuffing attacks. More than 1.1 million compromised accounts at 17 well-known companies were discovered during the investigation.
She explained that “right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy.”
Credential stuffing is the kind of cyberattack in which threat actors take stolen credentials from one service and use automated tools to attempt to break into accounts on many other services. Threat actors obtain these credentials – usernames and/or email addresses paired with the corresponding passwords – from data breaches. Data breaches occur all the time: hackers steal user databases and then use the stolen credentials to try to break into corporate networks. In other words, if your employee uses the same password for his or her social network account and the corporate network, the chances that your enterprise will be hacked go up.
Considering that people very often don’t bother to change their passwords on a regular basis, even old databases stolen in breaches from many years ago – like the infamous LinkedIn hack in 2012 – can still be useful for breaching today’s organizations.
There’s no need to hack the social media service to get the database. The threat actor can simply visit illicit marketplaces on the Dark Web and buy one – or even get it for free – for their nefarious purposes. One example is COMB21, the biggest known compilation of password leaks, published a year ago. The collection consists of 3.28 billion passwords connected to 2.18 million unique email addresses.
Back in 2019, the ImmuniWeb research team exposed millions of stolen corporate credentials available on the Dark Web, which can be exploited by cybercriminals for spear-phishing and credential stuffing attacks against Fortune 500 companies.
We found over 21 million (21,040,296) credentials belonging to Fortune 500 companies, of which over 16 million (16,055,871) had been compromised during the preceding 12 months. As many as 95% of the credentials contained plaintext passwords, either stored unencrypted or brute-forced and cracked by the attackers.
We found that the most common sources of the exposed breaches are third parties (e.g. websites or other resources of unrelated organizations); trusted third parties (e.g. websites or other resources of partners, suppliers, or vendors); and the companies themselves (e.g. their own websites or other in-house resources).
More recently, credential stuffing attacks on remote Windows systems became the attackers’ weapon of choice in 2021, as most people were working from home because of the COVID-19 pandemic. In total, last year’s credential stuffing and other password-based attacks accounted for 46% of external network intrusion vectors. Indeed, threat actors attempted to brute-force vulnerable Remote Desktop Protocol (RDP) servers, SQL databases, and SMB file shares.
Many organizations are highly exposed to credential stuffing attacks because of insufficient multi-factor authentication (MFA). At a time when overall cybersecurity hygiene is largely deficient, password spraying and credential stuffing attacks are preventable by enabling MFA and by restricting access to accounts from specific networks, or at least specific countries, and they can be easily spotted by anomaly detection systems. Moreover, a properly implemented Dark Web monitoring process should alert organizations quickly about stolen credentials so that they can be urgently decommissioned. These are the very basics of information security.
Besides MFA, a good password policy is recommended. Compliance with up-to-date password guidelines is important. Passwords with certain insecure qualities should be forbidden, including:
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
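The four rules above can be enforced at password-set time. The following screening function is an added example, not ImmuniWeb’s code; the breach corpus, the dictionary and the run lengths it uses are constructed stand-ins for a real blocklist service and word list.

```python
"""Screen a candidate password against the four forbidden qualities listed above."""
import hashlib
import re

# Constructed sample data. A real deployment would load a large breach
# corpus (commonly as SHA-1 hashes) and a full dictionary word list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}
DICTIONARY = {"summer", "welcome", "dragon", "monkey", "football"}

def _is_repetitive(pw: str, run: int = 3) -> bool:
    # The same character repeated `run` or more times in a row ('aaaaaa').
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def _is_sequential(pw: str, run: int = 4) -> bool:
    # Ascending or descending runs of consecutive code points ('1234', 'abcd').
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False

def check_password(pw: str, username: str, service: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lower = pw.lower()
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("breach-corpus")
    if lower in DICTIONARY or any(w in lower for w in DICTIONARY if len(w) >= 5):
        problems.append("dictionary-word")
    if _is_repetitive(pw) or _is_sequential(pw):
        problems.append("repetitive-or-sequential")
    # Context-specific words: the service name, the username and simple
    # derivatives of them (reversed, digits stripped).
    context = {service.lower(), username.lower()}
    context |= {c[::-1] for c in context} | {re.sub(r"\d+", "", c) for c in context}
    if any(c and c in lower for c in context):
        problems.append("context-specific")
    return problems
```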
Over-complicated passwords and frequent forced changes are not recommended, as they can be counter-productive. Employees start writing passwords down and leaving them on their desks, use very similar passwords after every password update, or even invent one complicated global password for all their accounts.
OWASP also recommends limiting the number of failed login attempts per user and introducing an increasing delay between each permitted attempt, to counter credential-based attacks. Implementing bot detection systems, password-less authentication and web application firewalls is also recommended.
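A minimal per-account throttle of the kind OWASP describes, as an added example rather than OWASP’s or ImmuniWeb’s code: each consecutive failure doubles the delay before the next attempt is permitted, attempts arriving too early are refused without being counted, and the account locks after a fixed number of failures. The limits, the schedule and the in-memory store are assumptions; a production service would persist state and add a time-based or administrative unlock.

```python
"""Failed-login limiting with an increasing delay between permitted attempts."""
import time
from dataclasses import dataclass
from typing import Callable

MAX_FAILURES = 10          # assumed: lock after this many consecutive failures
BASE_DELAY_SECONDS = 1.0   # assumed: delay after the first failure, doubling thereafter
MAX_DELAY_SECONDS = 300.0  # assumed cap so the delay cannot grow without bound

@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0  # earliest time at which the next attempt is permitted

class LoginThrottle:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def required_delay(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)

    def attempt(self, username: str, verify: Callable[[], bool]) -> str:
        """Return 'ok', 'wrong-password', 'too-early' or 'locked'.

        `verify` performs the actual password check and is only called once
        the throttle has confirmed an attempt is currently permitted, so
        throttled requests cost no password-hash computation.
        """
        state = self._accounts.setdefault(username, AccountState())
        now = self._clock()
        if state.failures >= MAX_FAILURES:
            return "locked"
        if now < state.not_before:
            # Early attempts are refused but not counted, so an attacker cannot
            # drive a victim into lockout faster than the schedule allows.
            return "too-early"
        if verify():
            self._accounts[username] = AccountState()  # success resets the counter
            return "ok"
        state.failures += 1
        state.not_before = now + self.required_delay(state.failures)
        return "wrong-password"
```

The caller should map all four outcomes to the same generic error message for the end user, so the throttle does not become a username-enumeration oracle.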
In conclusion, we have come a long way from the days when Edward Snowden revealed the mass surveillance programs of the US government and many of us declared, “I have nothing to hide, and if someone wants to see my Facebook account, they can do it”. Things have changed since then, and that point of view no longer holds. What hasn’t changed is that a lot of people still reuse their passwords.
If your employee – who “has nothing to hide” – uses the same login credentials for different services, including corporate services and networks, prepare to be the subject of a cyberattack sooner or later.
About the Author
Ekaterina Khrustaleva, Chief Operating Officer, ImmuniWeb. She is a Swiss business executive with over 10 years of experience in cybersecurity sales. Holding a Bachelor’s degree in Accounting and Finance, Ekaterina completed executive programs on cybersecurity at Harvard University, blockchain at Oxford University, and organizational leadership at IMD in Lausanne. A mother of four, she is currently pursuing her MBA.
Ekaterina started her career in the private banking and family office industry in Geneva, where she was inspired by the emerging cybersecurity market. She joined the cybersecurity industry in 2010 as a sales executive. In 2013, after several promotions for outstanding performance and creative sales tactics, Ekaterina became Chief Operating Officer of High-Tech Bridge, a leading penetration testing company in Geneva. Today, Ekaterina manages ImmuniWeb’s global sales operations.
Speaking five languages, she is also in charge of global partnerships and strategic alliances at ImmuniWeb. Ekaterina is a member of ISACA and is a Certified Data Privacy Solutions Engineer (CDPSE).
Ekaterina can be reached online at email@example.com
and at our company website https://www.immuniweb.com/