Credential Harvesting and Compromise

Security

April 25, 2024

Credentials provide a way to authenticate users and control access to online accounts, email systems, network resources, and more. Threat actors attempt to harvest or steal these credentials most commonly through phishing, but also through several other methods. Keylogging malware records users' keystrokes, including usernames and passwords. Brute force attacks use automation to identify the correct combination of usernames and commonly used passwords. In man-in-the-middle (MITM) attacks, threat actors intercept communications between two parties to capture login credentials. In credential stuffing attacks, threat actors use credentials obtained in data breaches to access other accounts that reuse the same username/password combinations.

Credential harvesting allows threat actors to compromise further accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and breach data. Data breaches can result in additional exposure or theft, leading to financial loss, reputational damage, and legal ramifications. Over the past three years, infostealer malware has significantly increased, in which threat actors compromised business and personal devices and exfiltrated millions of credentials, usually sold on dark web forums to other threat actors looking to compromise accounts or conduct further malicious activity.

Although convenient to users, password reuse across multiple accounts is a risky behavior that can result in account compromises. Password reuse was evident in the Roku credential stuffing attack earlier this year. Threat actors obtained credentials from third-party sources or the dark web and used them to access Roku accounts and purchase streaming subscriptions. Roku encountered a similar data breach this month and enforced multi-factor authentication (MFA) for all Roku accounts, even those not impacted by the data breach.

Similarly, Cisco warned of brute-force password spray attacks related to reconnaissance efforts and directed at remote access virtual private networks (VPNs) from Cisco and third-party providers connected to Cisco firewalls. Almost a month later, Cisco warned of large-scale, global credential brute-force attacks conducted against VPN, Secure Shell (SSH), and web application services. These attacks do not target a specific geographical region or industry. If attacks are successful, organizations may experience account lockouts, unauthorized network access, and denial of service. Although the two instances are not conclusively linked, infrastructure and technical overlaps exist. Cisco issued guidance in its advisory, including recommendations and indicators of compromise (IOCs), which are likely to change and be updated.

Additionally, the Akira ransomware group initially focused on Windows systems and is now targeting Linux machines, a preferred operating system for many server functions hosting critical applications and sensitive data, especially in finance, healthcare, government, and education. Initial access is gained through harvested credentials and VPN services without MFA configured, mainly by exploiting known Cisco vulnerabilities. Threat actors are adapting to the open-source nature of Linux to quickly analyze and exploit vulnerabilities, perform large-scale attacks, and maximize the likelihood of payment.

Recommendations

  • Participate in security awareness training to help better understand cyber threats, provide a strong line of defense, and identify red flags in potentially malicious communications.
  • Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Install endpoint security solutions to help protect against malware.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Implement email filtering solutions, such as spam filters, to help block malicious messages.
  • Employ tools such as haveibeenpwned.com to determine if your PII has been exposed via a public data breach.
  • Review the Identity Theft and Compromised PII NJCCIC Informational Report if your PII has been compromised.
  • For any further questions, contact us here at Cyber Command.
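The brute-force and password spray activity described in the Cisco paragraph above, and the recommendation to monitor for suspicious login attempts, can be illustrated with a small log-analysis script. The following is an added example written for this page; it is not code from the NJCCIC or from Cisco. The log line format (timestamp, daemon, result, username, source IP), the thresholds, and the sample entries are all constructed assumptions for the example. It separates the two patterns by shape: a brute-force source concentrates many failures on one username, while a spraying source spreads a small number of failures across many usernames, and it also reports any successful login from a source that was flagged, which is the event a defender most wants surfaced.

```python
"""
Added example (not from the advisory): classify authentication failures by
source into brute force vs. password spray, and surface successful logins
from flagged sources. Log format and sample data are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical sshd-like format.
# 203.0.113.10 -> many failures against one account (brute force)
# 198.51.100.7 -> one failure each across many accounts, then a success (spray)
# 192.0.2.50   -> a user mistyping a password twice, then logging in (benign)
SAMPLE_LOG = """\
2024-04-25T08:00:01Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:00:02Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:00:03Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:00:04Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:00:05Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:00:06Z sshd: Failed password for admin from 203.0.113.10
2024-04-25T08:10:01Z sshd: Failed password for alice from 198.51.100.7
2024-04-25T08:10:02Z sshd: Failed password for bob from 198.51.100.7
2024-04-25T08:10:03Z sshd: Failed password for carol from 198.51.100.7
2024-04-25T08:10:04Z sshd: Failed password for dave from 198.51.100.7
2024-04-25T08:10:05Z sshd: Failed password for erin from 198.51.100.7
2024-04-25T08:10:06Z sshd: Accepted password for erin from 198.51.100.7
2024-04-25T09:00:01Z sshd: Failed password for frank from 192.0.2.50
2024-04-25T09:00:05Z sshd: Failed password for frank from 192.0.2.50
2024-04-25T09:00:09Z sshd: Accepted password for frank from 192.0.2.50
"""

# Regex for the assumed line format; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse(lines):
    """Turn raw log lines into dicts with ts, result, user, src fields."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(lines, brute_threshold=5, spray_threshold=5):
    """
    Return {source_ip: finding} for sources whose failure pattern matches
    brute force (>= brute_threshold failures on a single user) or password
    spray (failures against >= spray_threshold distinct users). Each finding
    also lists users that later authenticated successfully from that source.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    successes = defaultdict(set)                       # src -> {user}
    for e in parse(lines):
        if e["result"] == "Failed":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = {}
    for src, per_user in failures.items():
        if max(per_user.values()) >= brute_threshold:
            pattern = "brute_force"
        elif len(per_user) >= spray_threshold:
            pattern = "password_spray"
        else:
            continue  # below both thresholds: treat as ordinary user error
        findings[src] = {
            "pattern": pattern,
            "failed_users": sorted(per_user),
            "total_failures": sum(per_user.values()),
            "successes": sorted(successes.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG.splitlines()).items():
        flag = " ** successful login after failures **" if f["successes"] else ""
        print(f"{src}: {f['pattern']} ({f['total_failures']} failures, "
              f"{len(f['failed_users'])} users){flag}")
```

In practice the thresholds would be tuned per environment and evaluated over a sliding time window rather than a whole file, and the source key would be combined with fields such as the VPN group or web application name, but the shape of the logic (per-source counts of failures per user, plus a check for success from a flagged source) is the same.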