Four Tips to Combat Compromised Credentials

, , ,

Contributing Author Brett Williams , APAC Solutions Architect, Flashpoint discusses the key steps needed to protect against a compromised credential breach.

In many cases, passwords are the primary line of defence protecting user accounts from being hijacked in an account takeover (ATO) attack. With the right policies and parameters in place to ensure strong, unique passwords, this defence can be quite effective. That being said, as we all know, passwords are highly susceptible to human fallibility.

In the latest Notifiable Data Breach report (covering breaches in Australia for the last half of 2019)* issued by the Office of the Australian Information Commissioner (OAIC), it was found that 68% of breaches were related to compromised credentials.  Of which 36% of the credentials were obtained by phishing and 32% were from other methods.  These methods could include credential-stealing malware and compromised databases/websites.

 

In addition, there is an overlap between personal and work-related account passwords. With the rise of credential stuffing, adversaries can take a set of username/password combinations obtained by attacking one target and use them to compromise employee or customer accounts with other organizations. Easier yet, threat actors can even carry out credential stuffing using the low-hanging fruit of publicly disclosed dumps available on the open web.

Such activity can pose a business risk on several fronts—from the financial and reputational costs of fraud against customer accounts to the potentially massive impact of adversaries gaining privileged network access through ATO against an employee account.

More recently, the COVID-19 pandemic continues to be reflected in cybercriminal activities. Malicious actors are taking advantage of global fear and uncertainty and exploiting them through attack vectors that include tailored phishing lures and custom malware.  For instance, continuous and long-term working from home can create a sense of isolation in employees, which in turn can lead to low morale.  This environment (combined with the anxiety introduced by the COVID-19 pandemic) can increase individuals’ susceptibility to malicious social engineering attempts to collect credentials to be used in attack campaigns against corporate remote access infrastructure. For many organisations, usernames and passwords are their only line of defence into remote access to critical enterprise systems.

With the surge in remote working, video conferencing solutions, such as Zoom,  has seen a sharp increase in usage., In April 2020, reports surfaced that over 500,000 Zoom accounts* were sold across the dark web marketplaces likely for use in “zoombombing” or other malicious activities. These credentials were likely obtained as a result of credential stuffing attacks.

In the ecosystem related to credential stuffing operations, it is very common for threat actors performing the account checking to leverage combo lists (aggregated lists of previously leaked credentials) containing millions of potential credential pairs (email: password) to create a validated list of accounts.  This technique can then be used for fraud activities and to launch attacks against websites and applications.

As the technology and tools to leverage stolen credentials advance, a more thoughtful approach to your organization’s password policy is a highly effective way to reduce risk by better protecting your customers, network assets, and employees. While there’s no one-size-fits-all approach to optimizing password policy, the following four measures and best practices are worth considering:

  • Monitor for Compromised Credentials – Dumps containing compromised passwords, usernames, and other credentials are easy pickings for threat actors, and employee or customer accounts using these credentials are ripe for the taking. By monitoring public dumps and leaks privately shared and sold only within illicit online communities, defenders can assess the exposure of accounts they’re tasked with safeguarding and take proactive action against ATO.

While establishing the data collections and technology required to automatically monitor, process, and act upon compromised credentials data is extremely talent and resource-intensive, organizations can gain these capabilities through a trusted partner. In doing so, defenders can augment traditional password policy best practices with the ability to take action based on indicators observed within the cybercrime underground.

  • Use a Password Manager – While in many circles it’s become conventional wisdom, it bears repeating: password managers are an easy, efficient way for users to maintain unique passwords for each account. That being said, a word of caution is in order: not all password managers are created equal, and using a password manager that is insecure or unreliable can lead to all of a user’s passwords being lost or compromised at once.
  • Know When to Reset Passwords – While long accepted as a best practice, cybersecurity leaders are increasingly coming around to the realization that automatically forcing password resets at a specified time interval—such as every 90 days—does not reduce the likelihood of accounts being compromised. On the contrary, forcing users to frequently come up with new passwords can encourage them to reuse a password they’re already using for another account or simply make a slight modification to an existing password. The most effective policy is to only reset passwords known to have been exposed in breaches, which can be accomplished by monitoring for compromised credentials and simultaneously make users comfortable with using complex passwords or phrases.
  • Enforce Complexity and Uniqueness Standards – Case-sensitive combinations of letters mixed with special characters are exponentially more difficult for automated brute-forcing tools to mathematically guess than simple combinations of words and numbers—and the longer the password the better. And while it’s unlikely that users will be able to memorize lengthier, more random credentials, adopting the aforementioned best practice of using a password manager makes it easy to implement and enforce strict standards for complexity and uniqueness.

While these best practices are not a comprehensive roadmap to strong password hygiene, they’re a great starting point for organizations that have taken laissez-faire or reactive stance when it comes to ensuring the security of user credentials. In particular, as the technology and tools to leverage stolen credentials advance, defenders should seek out innovative new ways to proactively flag exposed passwords leveraging insights gleaned from illicit communities and open-web dumps.

 

*https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/

 *https://www.bleepingcomputer[.]com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/

To Learn more about Flashpoint and Compromised Credential Monitoring: Click Here 

 

 

————————————————————————————————————————

 

Brett Williams Bio (https://www.linkedin.com/in/brettwilliams/):

 

As Lead Solutions Architect at Flashpoint, Brett works with clients to help them use intelligence within their enterprises and how deep and dark web monitoring should be an integral part of any threat intelligence program. He is responsible for providing relevant intelligence and services to address various use cases including, insider threat, cyber intelligence, anti-fraud, physical security and counter-terrorism. Brett is widely recognized for his extensive and in-depth knowledge of the security landscape. He has experience working across industry sectors including finance, government, law enforcement, healthcare and education. He has over 28 years’ experience working in information technology and security with a focus on incident response, intelligence, security operations and digital forensics.

 

 

/by

The 3 Types of Cyber Threat Intelligence – Which one are you using?

, , ,

 

By Alex Duffy, CSO emt Distribution 

CYBERTHREAT INTELLIGENCE (CTI) is not a buzz-phrase; it’s an essential pillar of a mature cybersecurity strategy. When used and applied correctly, CTI can help security teams prepare for, and defend against, the evolving threat landscape. CTI gives organisations evidence-based, mature and effective cybersecurity strategies. 

There are levels of maturity to using and understanding CTI. With each level of maturity, the context and analysis of threat intelligence becomes deeper and more sophisticated, caters to different audiences, and requires more investment. 

CTI comes in three levels: tactical intelligence, operational intelligence and strategic intelligence. 

Tactical intelligence is the level most commonly used by organisations and represents first level maturity of cyber threat intelligence. It is based on real-time events, investigations and/or activities and provides day-to-day support to operations. Many may use it in their security information and event management (SIEM) tools or on perimeter firewalls, and it consists of indicators of compromise, and files hashes, malicious IPs and domains. These usually have a short life span, as IPs and domains can be repurposed or taken down in days or even hours. 

Operational intelligence is data that is designed to drive your day-to-day decision making, resource allocation and task prioritisation. It contains the technical direction of threat actors, indicators of targets and can contain the threats malicious tactics, techniques and procedures (TTPs).  Operational intelligence has a longer shelf life because adversaries can’t change their TTPs as easily as they can change their tools like types of malware they use.  

Cybersecurity professionals that manage vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it can help them focus and prioritise their work.  

Strategic intelligence is high-level cyber intelligence, usually containing information about foreign policy, global events and internet-based risks against organisations. This intelligence is vital for C-suite executives to allocate budget and align their cyber goals towards real-world objectives. For example, a mining company can review the analysis that the mining sector is under increasing attacks, and can then react appropriately by investing resources into strategic cyber defences. 

Strategic intelligence tends to be the hardest form of intelligence to collect. It requires human collection and analysis to understand both cyber security and the worlds geopolitical situation. Strategic intelligence is usually consumed through the use of reports.  

CTI increases your organisation’s ability to not only defend itself against current attacks and threats, but also to predict future attacks. The trick is to choose the right intelligence for your needs, and to make the sheer volume of intelligence actionable, whether it be reactive, proactive or futureproofing. 

 

See how Flashpoint and ThreatConnect  can help you incorporate all three levels of cyber threat intelligence

_________________________

This is an extended post from our original article which was first published in AISA.org’s Cyber Cyber Conference Magazine.

 

/by

Flashpoint Intelligence on APAC-ANZ Cyber Activity to Guide Upcoming Risk Decisions

, , ,

Author:  Aaron Shraberg, Flashpoint

 

Geopolitical and economic tensions between the United States, China, and North Korea figure to steer risk management decisions in the Asia-Pacific region for the coming months. Organisations, such as some recently targeted financial services institutions in Australia and New Zealand, should closely monitor cyber and political activity in the area.

The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC. While most threat actors targeting organisations in the region are financially motivated, nation-state activity remains a potent threat against government and diplomatic entities, as well as financial organisations as nations such as North Korea continue to fund operations through hacking.

Political and Economic Events to Watch

As 2019 progresses, the ongoing trade conflict between the U.S. and China could spur an uptick in cyber activity against the U.S. and its closest Five Eyes allies, further eroding the Xi-Obama agreement to cease China’s industrial espionage activity for economic gain.

Last year, a limited number of named APT outfits operating in the region were alleged to be behind high-profile compromises and thefts of data and/or funds from global financial institutions, attacks on various multinational firms via third-party providers, and campaigns against the cryptocurrency industry.

North Korea is likely to remain a stressor in the region. It is unlikely to unilaterally disarm its nuclear program, and will likely ramp up its cyberattacks against APAC, ANZ, and Western financial institutions, as well as cryptocurrency exchanges in order to finance the regime and its activities. Organisations should also monitor unresolved disputes over ownership and militarisation of parts of the South China Sea, debates over the integrity of Huawei and ZTE devices in Western networks, and other events in the region that could impact businesses in ANZ and APAC.

While some criminal organisations operating in ANZ and APAC are believed to be behind Eastern European outfits in terms of experience and capabilities, APT activity from China and North Korea is considered highly advanced. Organizations in the region should be aware of campaigns linked to criminal or nation-states in the area, and some of the tactics, techniques, and procedures (TTPs) employed by these groups.

Advanced TTPs Coming out of APAC-ANZ

Some TTPs include commonplace first-stage attacks such as phishing or spear-phishing emails and watering hole attacks. These groups also have at their disposal banking Trojans, malware that seeks out and steals credentials, and ransomware, among others. Many criminal groups are proficient in activity to facilitate carding and reshipment fraud, the theft and sale of personally identifiable information, as well as more technically involved operations, including the sale of compromised RDP hosts, developing proxy and anonymization tools (to circumvent law enforcement and censorship efforts), and other tactics to carry out fraud.

Some attackers are also making use of publicly available exploits for common vulnerabilities in Apache Struts, Oracle products, Adobe Flash, Microsoft Office and others. Most of these vulnerabilities have already been publicly disclosed and patches are available, meaning that threat actors are opportunistic in the region, capitalising on lax patching efforts, or under-resourced IT organizations to exploit these security flaws.

Already this year, financial institutions in Australia, Japan, and elsewhere have reported being targeted by a new spam campaign using the Hancitor dropper to infect machines with the Gozi information-stealing malware. Gozi, also known as Ursnif, packages up banking and other account credentials from an infected machine and exfiltrates them to an attacker-controlled server. Variants of the banking malware have been active since 2014 and frequently target Microsoft Office vulnerabilities to gain a foothold on unpatched machines.

Malware-based attacks aren’t the only means of profit for threat actors in the region. Late last year, several Chinese-language Deep & Dark Web forums contained posts advertising the availability of fraudulent identification cards from Australia, New Zealand, several locations in Europe, as well as North America. The fraudulent documents would allow, in some regions, the ability to travel without additional visas, vote in elections, or open bank accounts, for example. Another post also advertised processing of identifications and passports from Australia, New Zealand, Canada, France and Germany, opening the door to citizenship in some of those locations, in addition to the previously mentioned capabilities.

Assessment

Enterprises in Asia-Pacific, Australia, and New Zealand will have impending risk management decisions guided in some part by the fragile geopolitical and cyber climate in the region. As the U.S., China, and North Korea tug at each other’s shirttails in cyberspace and in the political arena, businesses will continue to be targeted by criminal and state-sponsored outfits operating in APAC and ANZ. Any erosion of these diplomatic or economic relationships will trickle down to businesses in the area, and threat activity targeting countries and companies in APAC-ANZ will be influenced accordingly.

 

About the Author

Aaron Shraberg is Senior Analyst on the Asia-Pacific intelligence team at Flashpoint. He speaks Mandarin and specialises in analysing key trends, threat actors, and campaigns emanating from the region, with an emphasis on China. Prior to Flashpoint, Aaron held roles in foreign policy and national security research for organisations including the Institute for International Economic Policy, DGI, and Kharon. He received a bachelor’s degree in literature from the University of Kentucky and a master’s degree in Asian studies from The George Washington University.

Flashpoint empowers organisations worldwide with meaningful intelligence and information that combats threats and adversaries. Headquartered in New York, Flashpoint has offices in Melbourne, Australia and is distributed in Oceania and South East Asia by emt Distribution.

/by