Monday, October 16th, 2023

Preventing Credential Theft: Best Practices for Securing Your Data

Credentials are widely used as a security control to protect an organization’s network infrastructure and information assets. As such, credential theft is typically part of the initial stage of a cyber-attack. Once cybercriminals have obtained valid credentials, they can often operate undetected throughout a network and dive deeper to uncover more sensitive or confidential data held by the organization.

As we have seen from the ransomware attacks to date, credential theft often leads to ransomware. Once attackers hold valid credentials, they look to gain access to company networks and systems, including Active Directory (AD). With AD access, threat actors can exploit privileged user accounts and map out the organization’s network. Access to privileged admin accounts lets attackers avoid detection and move laterally across the network to discover more high-value information assets to exfiltrate, while infecting more machines with ransomware. Lateral movement is a technique cybercriminals use to avoid detection and prolong their attack.

AD also has a group policy feature that helps administrators manage the domain-joined devices and users in the network. Attackers can abuse AD group policy to deploy ransomware across the organization’s AD-connected devices and encrypt domain-joined systems.

Earlier this year, cybersecurity giant Norton’s LifeLock Password Manager fell victim to a significant credential-stuffing attack, in which threat actors used stolen login credentials to gain unauthorized access to customer accounts and potentially sensitive information. More than 925,000 individuals were affected by this breach. As a result, Norton was compelled to notify over 6,500 of its customers that their personal data had been compromised, underscoring the ever-present and evolving challenges in safeguarding online security.

There are various tools and techniques that cybercriminals use to attempt credential theft and gain unauthorized access to accounts or systems, such as:

Brute Force

A trial-and-error technique that uses automated software to identify valid login credentials. The software tries different combinations of usernames and passwords within a matter of seconds until it successfully “brute forces” its way into the user account. To date, brute force attacks have been known to succeed even against more complex passwords.

Password Spraying

Unlike brute force attacks, which focus on a single account, password spraying focuses on the volume of targeted accounts. This attack is commonly dubbed the “low and slow” approach to hacking passwords. Cybercriminals take commonly used passwords and try them against each account within the organisation. This approach avoids account lockouts, because one common password is tried against many accounts before a second password is attempted.

Phishing

As we have seen this year, this social engineering attack is commonly email-based: cybercriminals attempt to trick users into providing their credentials directly. They impersonate a colleague, a third-party vendor or a service in order to lure users into clicking on a malicious link. The link generally directs users to a fake login landing page where they are prompted to enter their login details. Even when the details entered are correct, the user may be shown an ‘error’ message that prompts them to re-enter credentials, potentially those of another valid account.

Intercepting Internet Traffic

A more technical way to steal credentials is to monitor internet data, or packets, passing over Wi-Fi networks. The cybercriminal essentially ‘sits’ between the user’s device and their Internet connection and watches all incoming and outgoing network traffic with a packet sniffer. Wi-Fi routers with weak passwords and unencrypted internet connections (HTTP) are particularly vulnerable to this attack.

Credential Stuffing

Compromised credentials can often be found on the dark web, where other threat actors purchase them to execute credential stuffing attacks. Cybercriminals can also use compromised credentials from a previous breach to attempt to break into accounts on other services: attackers simply enter the stolen credentials for one account into various other services, in the hope that the user has reused their password.

Keylogger

Keylogger attacks are generally carried out via malware stealthily installed on the user’s machine. The malicious software then monitors all of the user’s physical keystrokes, so the cybercriminal simply needs to wait until the user types in their credentials.

It is important to identify credential theft attacks early in order to protect the organisation’s systems and data.

Shoulder Surfing

Shoulder surfing involves observing individuals as they enter sensitive information such as passwords or PINs. Attackers often operate in crowded public places, using close physical proximity or hidden cameras to capture these credentials. Whether you are at a cafe, an ATM or on public transport, you are exposed to this type of attack. It is crucial to remain vigilant in these situations and take steps to shield your sensitive data from prying eyes. The attacker’s goal is to gain access to your accounts or commit identity theft, which is why your information needs safeguarding in everyday real-world situations too.

Dumpster Diving

With dumpster diving, attackers abandon digital methods for a physical approach: scouring discarded documents and materials for anything that might contain sensitive information, such as financial records, account numbers or personal data. What makes dumpster diving particularly worrying is that it can lead to various forms of fraud and identity theft. To protect against this threat, it is crucial to implement proper disposal practices. Shredding documents before disposal and being mindful of what you discard go a long way toward keeping confidential information out of the wrong hands.

In order to mitigate and best protect the organisation from credential theft, we recommend the following:

1. Define, implement and communicate a Password Policy.

This policy should outline the password construction requirements, how passwords should be stored and the account lockout threshold. A well-defined Password Policy should require that all passwords be a minimum of 12 characters, include a combination of uppercase and lowercase letters, symbols and numbers, and be changed at least every 90 days. For privileged user accounts, the minimum length extends to 16 characters.
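The construction and rotation rules stated above, encoded as checks an account provisioning or audit script could apply (an added example, not code from Smarttech247; the account record format and the role names "standard" and "privileged" are assumptions made here):

```python
# Encodes the password construction and rotation rules stated in the policy
# above: 12 characters minimum (16 for privileged accounts), all four
# character classes, and a change at least every 90 days.
from datetime import date
import string

MIN_LENGTH = {"standard": 12, "privileged": 16}  # role names are assumed
MAX_AGE_DAYS = 90

def validate_new_password(password, role="standard"):
    """Return the construction rules a proposed password breaks (empty = OK).
    Runs at password-set time, the only point where the plaintext is seen."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)
    return problems

def accounts_due_for_rotation(accounts, today):
    """accounts: iterable of (name, last_changed ISO date) records, a
    constructed format. Returns names whose password is older than 90 days."""
    today = date.fromisoformat(today)
    return [name for name, changed in accounts
            if (today - date.fromisoformat(changed)).days > MAX_AGE_DAYS]
```

Passwords are only available in plaintext when they are being set, so the construction check belongs at that point, while the rotation check can run against directory metadata at any time.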

2. Active Directory Password Protection

If available, Active Directory (AD) password protection should be enabled. This prevents ‘hackable’ or common passwords from being used within the organisation. The AD administrator can also create a list of industry-specific or region-specific common passwords that cannot be used, which further blunts attacks such as password spraying. Password spraying attacks can be detected early by watching for these indicators:

Cybercriminals using this technique typically do not have an up-to-date list of usernames. They may have purchased a list on the dark web or may simply be guessing. As an indicator of this attack, you may see invalid usernames or the usernames of past employees being attempted.

As this attack focuses on the volume of accounts rather than speed, another indicator is a sudden spike in the number of failed login attempts across many accounts within a short period of time.
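Both indicators above turned into detection logic over a handful of constructed logon events (an added example, not code from the original post; the log line format, IP addresses and the list of active accounts are all constructed here):

```python
# Password-spraying indicators from the text: failures against unknown or
# former usernames, and one source failing across many accounts in a short
# window. Log format, addresses and account lists are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory state: currently active accounts.
ACTIVE_USERS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed logon events: "timestamp source_ip username result".
SAMPLE_LOG = """\
2023-10-16T08:00:01 198.51.100.7 alice FAIL
2023-10-16T08:00:03 198.51.100.7 bob FAIL
2023-10-16T08:00:05 198.51.100.7 carol FAIL
2023-10-16T08:00:07 198.51.100.7 frank FAIL
2023-10-16T08:00:09 198.51.100.7 jsmith FAIL
2023-10-16T08:00:11 198.51.100.7 dave FAIL
2023-10-16T08:30:00 203.0.113.9 erin FAIL
2023-10-16T08:30:20 203.0.113.9 erin FAIL
"""

def parse(log_text):  # -> list of (timestamp, source, username, result)
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def unknown_username_failures(events):
    """Indicator 1: failed logons for names that are not active accounts."""
    return sorted({u for _, _, u, r in events
                   if r == "FAIL" and u not in ACTIVE_USERS})

def spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Indicator 2: a source failing against many distinct accounts inside
    one time window. Returns {source: most distinct accounts in a window}."""
    per_source = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            per_source[src].append((ts, user))
    flagged = {}
    for src, fails in per_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # slide the window over this source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged
```

The second source fails repeatedly against a single account, the brute force pattern rather than spraying, and is correctly left unflagged; only the source spreading a few attempts across many accounts is reported.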

3. Privileged Access Management

A Privileged Access Management (PAM) solution can help manage and secure privileged users against brute force attacks. Privileged accounts are generally designated for special access and hold far greater capabilities than standard accounts, such as administrative use across an organisation’s IT ecosystem. They are also more attractive to cyber threat actors because of the greater level of access they hold, which can mean easier access to far more sensitive information. PAM is essentially a comprehensive access security strategy consisting of organisational and technical controls to monitor and secure all privileged users and activities within the organisation’s IT environment.

4. Password Management

A password management tool, such as Keeper Security, can help enforce the organisation’s Password Policy and simplify password best practice, as the user only needs to remember one master password. It is also important to ensure that two-factor authentication (2FA) is used for accessing the password manager. 2FA adds another layer of security by requiring a combination of two different authentication factors:

something you know (e.g. a PIN), something you have (e.g. a phone) or something you are (e.g. a fingerprint)

5. Attack Simulations

Conducting attack simulations, such as a brute force or “low and slow” attack, helps organisations assess how secure their credential security controls are. The results can also help build the list of banned passwords enforced through Active Directory.

6. Phishing Simulations

Phishing simulations should be carried out on a regular basis to help assess how employees interact with suspicious emails. The results of this simulation can help identify training needs. Those who fail the simulation can be given further phishing awareness training.

7. Automated Anti-Phishing

Automated anti-phishing tools can also be implemented as a user-friendly process, for example Smarttech247’s NoPhish platform. NoPhish enables users within an organisation to simply click the NoPhish icon in Microsoft Outlook, which immediately quarantines and sandboxes the email. Smarttech247’s security operations centre analysts then analyse it. If the email is safe, it is returned to the user’s inbox. If not, Smarttech247’s analysts destroy the email and automatically update the organisation’s email security settings to prevent similar malicious email from bypassing the organisation’s email gateway. NoPhish uses artificial intelligence to extract data from emails and continuously improve the platform’s understanding of the email threats organisations currently face.

To mitigate credential theft by cybercriminals intercepting internet traffic, organisations can implement Virtual Private Networks (VPNs). A VPN ensures that the network connection remains secure and encrypted. It is also important to include secure internet use in the organisation’s Acceptable Use Policy, for example by requiring that users only browse HTTPS-encrypted sites or prohibiting the use of unsecured public Wi-Fi.

Reach out to the Smarttech247 experts today!
