Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft.
While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the reality is that existing methodologies have proven largely ineffective. According to the 2022 Verizon Data Breach Investigations Report, over 60% of breaches involve compromised credentials.
Attackers use techniques such as social engineering, brute force, and purchasing leaked credentials on the dark web to compromise legitimate identities and gain unauthorized access to victim organizations’ systems and resources.
Adversaries often leverage the fact that some passwords are shared among different users, making it easier to breach multiple accounts in the same organization. Some employees reuse passwords. Others use a shared pattern in their passwords among various websites. An adversary can use cracking techniques and dictionary attacks to overcome password permutations by leveraging a shared pattern, even if the password is hashed. The main challenge to the organization is that hackers only need a single password match to break in.
To effectively mitigate their exposure, given current threat intelligence, organizations need to focus on what is exploitable from the adversary’s perspective.
Here are five steps organizations should take to mitigate credentials exposure:
Gather Leaked Credentials Data
To start addressing the problem, security teams need to collect data on credentials that have been leaked externally in various places, from the open web to the dark web. This can give them an initial indication of the risk to their organization, as well as the individual credentials that need to be updated.
Analyze the Data
From there, security teams need to identify the credentials that could actually lead to security exposures. An attacker would take the username and password combinations (either cleartext or hashed), then try to use them to access services or systems. Security teams should use similar techniques to assess their risks. This includes:
- Checking if the credentials allow access to the organization’s externally exposed assets, such as web services and databases
- Attempting to crack captured password hashes
- Validating matches between leaked credential data and the organization’s identity management tools, such as Active Directory
- Manipulating the raw data to increase the achieved number of compromised identities. For example, users commonly use the same password patterns. Even if the leaked credentials do not allow access to external-facing assets or match Active Directory entries, it may be possible to find additional matches by testing variations.
Mitigate Credential Exposures
After validating the leaked credentials to identify actual exposures, organizations can take targeted action to mitigate the risk of an attacker doing the same. For instance, they could erase inactive leaked accounts in Active Directory or initiate password changes for active users.
Reevaluate Security Processes
After direct mitigation, security teams should evaluate whether their current processes are safe and make improvements where possible. For instance, if they are dealing with many matched leaked credentials, they may recommend changing the entire password policy across the organization. Similarly, if inactive users are found in Active Directory, it may be beneficial to revisit the employee offboarding process.
Attackers are continuously adopting new techniques. Attack surfaces change, with new identities being added and removed on a routine basis. Similarly, humans will always be prone to accidental mistakes. As a result, a one-time effort to find, validate, and mitigate credential exposures is not enough. To achieve sustainable security in a highly dynamic threat landscape, organizations must continuously repeat this process.
However, resource-constrained security teams cannot afford to manually perform all these steps on a sufficient cadence. The only way to effectively manage the threat is to automate the validation process.
Pentera offers one way for organizations to automatically emulate attackers’ techniques, attempting to exploit leaked credentials both externally and inside the network. To close the validation loop, Pentera provides insights into full attack paths, along with actionable remediation steps that allow organizations to efficiently maximize their identity strength.
To find out how Pentera can help you reduce your organization’s risk of inadvertent credential exposure, contact us today to request a demo.
Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organizations, with different levels of experience and specializations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
The survey highlights the need for organizations to improve their mean time-to-detect and mean-time-to-contain, especially when considering that ethical hackers are restricted in the techniques they’re allowed to use during penetration testing or red team engagements. Using black hat techniques, like criminals do, would significantly improve the success rate and speed of attack.
Hackers find exploitable weaknesses in only a few hours
When asked how much time they typically need to identify a weakness in an environment, 57% of the polled hackers indicated ten or fewer hours: 16% responded six to ten hours, 25% three to five hours, 11% one to two hours and 5% less than an hour. It’s also worth noting that 28% responded that they didn’t know, which could be because of multiple reasons and not necessarily because it would take them more than ten hours.
One possibility is that many ethical hackers don’t keep track of how much time perimeter discovery and probing might take because it is not an important metric for them or a time-sensitive matter. Many factors could influence this, from the size of the environment and number of assets to their preexisting familiarity with the tested environment.
Over two-thirds of the questioned hackers indicated that they work or worked in the past as members of internal security teams and half said they served as consultants for offensive security providers. Almost 90% of respondents held an information security certification and the top specializations among them were network security, internal penetration testing, application security, red-teaming, and cloud security. Code-level security, IoT security and mobile security were less common at 30% prevalence or less.
“Our data shows that the majority of respondents with application security, network security, and internal pen testing experience were able to find an exploitable exposure within five hours or less,” Matt Bromiley, a SANS digital forensics and incident response instructor said in the report.
Around 58% indicated that they needed five hours or less to exploit a weakness once found, with 25% saying between one and two hours and 7% less than an hour. When asked to rank different factors that lead to exposures, the majority indicated third-party connections, the rapid pace of application development and deployment, adoption of cloud infrastructure, remote work, and mergers and acquisitions.
In terms of types of exposures they encounter most, the top place were misconfigurations followed by vulnerable software, exposed web services, sensitive information exposure, and authentication or access control issues.
“We also asked our respondents with cloud security experience how often they encountered improperly configured or insecure cloud/IaaS assets,” Bromiley said. “There’s an even split between ‘half the time’ and ‘more often than not.’ It’s only small percentages at either end that rarely see (4.6%) or always see (8%) misconfigured public cloud or IaaS assets. These stats support an unfortunate truth that … organizations develop and deploy applications that expose vulnerabilities, insecurities, and improper configurations for adversaries to take advantage of.”
Privilege escalation and lateral movement also happens quickly
The under five-hour time frame seemed to prevail across all other stages of an attack, with 36% of respondents reporting they could escalate privileges and move laterally through the environment within three to five hours after the initial intrusion, while 20% estimated they could do it in two or fewer hours. This remained consistent when it came to data collection and exfiltration with 22% of respondents indicating it would take them three to five hours, 24% between one and two hours and 16% less than an hour.
“We see a consistent theme of adversaries able to perform intrusion actions within a five-hour window,” Bromiley said in the survey report. “Whether it’s lateral movement, privilege escalation, or data exfiltration, security teams should be measuring their ability to proactively identify and detect and respond as quickly as possible.”
When it comes to the average time required to complete an end-to-end attack, most respondents (57%) indicated a time frame of less than 24 hours with another 23% saying they don’t know.
Good detection and response methods are effective
One potential good news for security teams is that only 38% of respondents indicated that they could “more often than not” successfully pivot to a new attack method that could bypass the defenses that blocked their initial attack vector. This indicates that having good detection and prevention methods in place pays off in blocking intrusion attempts, especially since criminals typically go for the path of least resistance and move on to an easier target if they don’t succeed.
Furthermore, 59% of respondents said they rely on open-source tools in their intrusions and 14% said they use public exploit packs. Only 6% use private exploits and 7% use custom tools they wrote themselves. This means security teams could get a lot of value from focusing on defending against known and public tools and exploits. Unfortunately, three-quarters of respondents indicated that only few or some organizations have detection and response capabilities in place that are effective at stopping attacks. Almost 50% said that organizations are moderately or highly incapable of detecting and preventing cloud-specific and application-specific attacks.
bleepingcomputer.com – The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.
Tweeted by @DarkOperator https://twitter.com/DarkOperator/status/1575119328894242816
A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions.
“The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works,” Kaspersky researchers said. “This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.”
The cybercrime group emerged on the scene with ATM-focused malware attacks in the South American nation, providing it the ability to break into ATM machines to perform jackpotting – a type of attack aiming to dispense cash illegitimately – and clone thousands of credit cards to steal funds from the targeted bank’s customers.
Prilex’s modus operandi over the years has since evolved to take advantage of processes relating to point-of-sale (PoS) software to intercept and modify communications with electronic devices such as PIN pads, which are used to facilitate payments using debit or credit cards.
Known to be active since 2014, the operators are also adept at carrying out EMV replay attacks in which traffic from a legitimate EMV-based chip card transaction is captured and replayed to a payment processor like Mastercard, but with the transaction fields modified to include stolen card data.
Infecting a computer with PoS software installed is a highly-targeted attack incorporating a social engineering element that allows the threat actor to deploy the malware.
“A target business may receive a call from a ‘technician’ who insists that the company needs to update its PoS software,” the researchers noted. “The fake technician may visit the target in person or request the victims to install AnyDesk and provide remote access for the ‘technician’ to install the malware.”
The latest installments spotted in 2022, however, exhibit one crucial difference in that the replay attacks have been substituted with an alternative technique to illicitly cash out funds using cryptograms generated by the victim card during the in-store payment process.
The method, called GHOST transactions, includes a stealer component that grabs all communications between the PoS software and the PIN pad used for reading the card during the transaction with the goal of obtaining the card information.
This is subsequently transmitted to a command-and-control (C2) server, permitting the threat actor to make transactions through a fraudulent PoS device registered in the name of a fake company.
Now, it’s worth pointing out that EMV chip cards use what’s called a cryptogram to secure cardholder data every time a transaction is made. This is done so as to validate the identity of the card and the approval from the card issuer, thereby reducing the risk of counterfeit transactions.
While previous versions of Prilex circumvented these security measures by monitoring the ongoing transaction to get the cryptogram and conduct a replay attack using the collected “signature,” the GHOST attack requests for new EMV cryptograms that are put to use to complete the rogue transactions.
Also baked into the malware is a backdoor module that’s engineered to debug the PoS software behavior and make changes on the fly. Other backdoor commands authorize it to terminate processes, start and stop screen captures, download arbitrary files from the C2 server, and execute commands using CMD.
Prilex is “dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology,” the researchers said.
go.theregister.com – Russian cybercriminals were also caught targeting Europe with anti-Ukraine messages Meta says it has disrupted a misinformation network targeting US politics ahead of the 2022 midterm elections and o…
Tweeted by @looEyes https://twitter.com/looEyes/status/1574778873522360323