Hackers using stolen credentials to launch attacks as info-stealing peaks

Attackers prefer compromised valid accounts over phishing or any other infection methods to gain access into victim environments, according to an IBM report.

“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available — and easily accessible — on the dark web,” IBM said in the report.

The report, which is based on IBM X-Force’s penetration testing data from incidents in 2023, also found security misconfigurations and poor authentication enforcement as top application security risks opening organizations to identity-based attacks.

Additionally, the report identified a drop in enterprise ransomware incidents as organizations either had tools to prevent such attacks or were prepared to refuse payment in favor of rebuilding infrastructure if attacked.

Attackers preferred using available hacked credentials

Thirty percent of all the incidents X-Force responded to in 2023 were from abusing valid accounts as it became the most common entry point into victim systems for the year. There was a 71% year-over-year increase in the volume of such attacks, according to the report.

Following closely as the second most used initial access vector, phishing lost its top spot in 2022, recording a 44% drop in the volume of attacks. The X-Force team attributed the significant drop to the continued adoption and revaluation of phishing mitigation techniques and strategies, on top of attackers shifting to valid accounts.

“In terms of phishing, while I believe that the threat remains in the critical category for organizations, because many phishing campaigns seek account credentials as the primary outcome, if cybercriminals have access to valid account credentials via other means (as noted in the report), the need to run a phishing campaign will decline,” said Michael Sampson, principal analyst at Osterman Research. “If this trend continues, we could expect to see future phishing campaigns becoming ever more targeted as cybercriminals seek to compromise accounts that they can’t get via other means.”

Lack of basic security opened organizations to attacks

The report identified “security misconfigurations” as the top web application risk as they accounted for 30% of all application vulnerabilities, with “allowing concurrent user sessions” in the application being the top offense, which could weaken multi-factor authentication (MFA) through session hijacking.

Identification and authentication failures, at 21%, were the second leading risk including weak password policies such as Active Directory password policies (19%), usernames verifiable through errors (17%), Server Message Block (SMB) signing not required and URLs containing sensitive information at 8% each.

Apart from just being a concern, lack of security due diligence also contributed to a large number of actual attacks in 2023 as the report indicated that in 84% of critical infrastructure incidents, the initial access vectors could have been mitigated with basic security routines.

“For a majority of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege,” the report added.

Decline in ransomware attacks

Ransomware incidents observed an 11.5% drop in 2023, which can be attributed to larger organizations being able to stop attacks before ransomware is deployed and sometimes also opting against paying and decrypting in favor of rebuilding if ransomware takes hold, according to the report.

“Yes, there is global pushback on paying a ransom, although this may just push the payment and disclosure of payment away from public disclosure,” Sampson added. “In terms of rebuilding infrastructure, it can be done, but it requires a disciplined process of frequent backup and strong recovery protocols to be established before a successful ransomware infection. If those aren’t in place before an infection, the organization is out of luck. Backup has become a critical business resilience priority, not just an IT maintenance issue.”

Threat actors who have previously specialized in ransomware are showing increasing interest in info stealers, according to the report.

“These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector,” added the report. “As threat actors invest in infostealers to grow their credential repository, enterprises are pushed into a new defense landscape where identity can no longer be guaranteed.” There was a 266% increase in infostealer-related activities in 2023 compared to 2022, with several new infostealers debuting in the latter half of 2022, such as Rhadamanthys, LummaC2 and StrelaStealer. The uptrend of these info-stealing activities has likely contributed to the rise in abuse of valid accounts, the report added.


Go to Source