The post What are Credential Stuffing Attacks and How to Prevent Them appeared first on CISO MAG | Cyber Security Magazine.
In credential stuffing attacks, threat actors use stolen or leaked username and password pairs to break into user accounts. They launch the attack by feeding a list of compromised credentials to botnets or automated tools that replay those pairs against the login forms of many different websites.
After compromising accounts, attackers commit identity theft, phishing, impersonation scams, and other forms of data abuse. They mainly obtain the credentials from data breaches or buy them on underground dark web markets.
In brute-force attacks, attackers guess passwords using dictionaries or common word combinations to get into user accounts, whereas in credential stuffing attacks, hackers replay legitimate credentials obtained from data leaks and misconfigured servers.
Successful credential stuffing attacks allow hackers to perform
Compared to brute-force attacks, credential stuffing attacks are easier to execute and have a higher per-attempt success rate because most users reuse the same password across different accounts, so compromising one account lets an adversary take over others. The easy availability of stolen or leaked credentials in underground darknet markets has fuelled the rise of credential stuffing and account takeover (ATO) attacks.
According to one report, the number of corporate credentials with plaintext passwords offered on darknet markets has increased by 429% since March 2020. With a valid corporate login, hackers can also move through an organization's network and access sensitive data, intellectual property, competitive information, or funds. Several industry sectors have seen credential stuffing attacks rise lately. According to a survey report, nearly 20% of the 88 billion credential stuffing attacks it recorded targeted media and video streaming companies. The same report found a 63% year-over-year increase in attacks against the media sector overall, with sharper increases for broadcast TV (630%) and video sites (208%).
Strong usernames and passwords alone won't stop credential stuffing, because the attacker is replaying credentials that are already valid. Here are some security measures to protect online accounts against credential stuffing attacks:
About the Author:
Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.
The post PLEASE_READ_ME: A Malwareless Ransomware Targeting MySQL Servers appeared first on CISO MAG | Cyber Security Magazine.
The hacking operation begins with a password brute-force attack against internet-facing MySQL servers.

Once the database is compromised, the attacker runs a sequence of queries against the server to gather information on its users.

The data in the database is encrypted, sent to the attackers' servers as a zipped file, and then deleted from the victim's server.

On successful execution, a ransom note is left demanding payment of up to 0.08 BTC.

The adversaries threaten to sell the stolen data to the highest bidder if the ransom is not paid.
Guardicore researchers stated that PLEASE_READ_ME is a "malwareless" ransomware operation that has been active since at least the beginning of January 2020. They identified over 92 attacks originating from 11 different IP addresses, mostly in Ireland and the U.K.
“The attack chain is extremely simple and exploits weak credentials on internet-facing MySQL servers. There are close to 5 million internet-facing MySQL servers worldwide. The attackers leave a backdoor user on the database for persistence, allowing them to re-access the network. Monetization of the campaign has evolved into a double extortion attempt – publishing and offering data for sale to pressure victims into paying the ransom. What drove us to closely monitor this threat is its use of double extortion, where stolen data is published and offered for sale to pressure victims into paying the ransom,” Guardicore said.
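The persistence artefact Guardicore describes, a backdoor user left on the database, is something a defender can audit for directly. The script below is an added example (not Guardicore's code and not part of the campaign) that checks MySQL's account table for remotely reachable privileged accounts that nobody provisioned, root accounts reachable from the network, and accounts with no password. It assumes you export the rows with the `mysql -N -e` query quoted in the docstring; the sample rows, placeholder hashes and provisioned-account list are constructed for illustration.

```python
"""Audit MySQL accounts for the persistence artefact described above: a
remotely reachable, privileged account that nobody provisioned.
Feed it the tab-separated batch output of
  mysql -N -e "SELECT User,Host,Super_priv,Grant_priv,plugin,authentication_string FROM mysql.user"
Added example; the sample rows below are constructed placeholders."""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_user_rows(text):
    """One account per line, six tab-separated columns as selected above."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, super_priv, grant_priv, plugin, auth = line.split("\t")
        rows.append({"user": user, "host": host, "super": super_priv == "Y",
                     "grant": grant_priv == "Y", "plugin": plugin, "auth": auth})
    return rows


def audit(rows, provisioned):
    """Return (account, reason) findings. `provisioned` is the set of user@host
    pairs you created deliberately; anything else is a candidate backdoor."""
    findings = []
    for r in rows:
        account = f"{r['user']}@{r['host']}"
        if account not in provisioned:
            findings.append((account, "not in the provisioned account list"))
        if r["user"] == "root" and r["host"] not in LOCAL_HOSTS:
            findings.append((account, "root reachable from the network"))
        if "%" in r["host"] and (r["super"] or r["grant"]):
            findings.append((account, "privileged account reachable from a wildcard host"))
        if r["auth"] == "":
            findings.append((account, "empty authentication_string (no password set)"))
    return findings


# Constructed sample rows with placeholder hashes, not a dump from any real server.
SAMPLE_ROWS = (
    "root\tlocalhost\tY\tY\tcaching_sha2_password\t<hash>\n"
    "app\t10.0.0.%\tN\tN\tcaching_sha2_password\t<hash>\n"
    "backup\t%\tY\tY\tmysql_native_password\t<hash>\n"      # nobody created this
    "root\t%\tY\tY\tmysql_native_password\t\n"             # root, any host, no password
)
PROVISIONED = {"root@localhost", "app@10.0.0.%"}   # assumed allowlist for this host

if __name__ == "__main__":
    for account, reason in audit(parse_user_rows(SAMPLE_ROWS), PROVISIONED):
        print(f"{account}: {reason}")
```

Pair the account audit with `SHOW VARIABLES LIKE 'bind_address'` on each server: the campaign's entry point is password guessing against servers that answer on a public interface, so a server bound to a loopback or private address, with strong credentials on the remaining remote accounts, is not in the population this attack chain reaches.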
The post Microsoft's Shield Against Password Spray Attacks Just Went a Notch Higher appeared first on CISO MAG | Cyber Security Magazine.
Password spray and brute force are not the same thing. Although password spray resembles a brute-force attack, the striking difference is that brute force is a precisely targeted attack: the threat actors go after specific users and cycle through as many passwords as possible, either from a dictionary of commonly used passwords or with the help of social engineering, which involves researching the target to see whether their password can be guessed from their social behaviour and public information.

In password spray attacks, threat actors obtain a list of the targeted organization's accounts and attempt to sign in to all of them with a small set of the most popular or most likely passwords, often only one or two per day so that no single account trips a lockout threshold, until they get a hit.
Initially, Microsoft's Azure Active Directory (AD) relied on a heuristic approach built on continuous monitoring: it detected a single password being attempted against hundreds of thousands of usernames from multiple IPs across the globe and alerted the affected organizations to the break-in attempt. Microsoft has now gone a notch higher and trained a supervised machine learning model on what it learned from that heuristic, which the company says already had a precision of 98%.
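The three attack styles discussed on this page, credential stuffing (the first article above), brute force and password spray, can be told apart from the shape of the login traffic alone, without ever seeing the passwords. The script below is an added example, not code from CISO MAG, Microsoft or any product, that triages a simplified authentication log. It assumes a constructed line format (`timestamp user source_ip result`, where result is `ok`, `fail`, or `nouser` for a username that does not exist) and illustrative thresholds; the three sample logs are constructed, not captured.

```python
"""Shape-based triage of login activity: brute force, password spray or
credential stuffing, using only the fields a log should contain (never the
passwords themselves). Added example with constructed data and thresholds."""
from collections import defaultdict

# Illustrative thresholds (assumptions; tune them to your own baseline traffic).
MIN_ATTEMPTS = 5               # ignore buckets below this volume
MIN_USERS = 5                  # "many accounts" for spray / stuffing
MAX_ATTEMPTS_PER_USER = 2      # spray and stuffing touch each account once or twice
UNKNOWN_USER_RATIO = 0.3       # stuffing replays another site's list, so many names don't exist here
FIRST_TRY_SUCCESS_RATE = 0.05  # stuffing reuses valid pairs, so some succeed on the first try


def parse(log):
    """Constructed line format (not a real product's): '<ts> <user> <src_ip> <ok|fail|nouser>'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def classify(events):
    """Label one bucket of events by its shape."""
    attempts = len(events)
    if attempts < MIN_ATTEMPTS:
        return "below-threshold"
    users = {e["user"] for e in events}
    successes = sum(e["result"] == "ok" for e in events)
    unknown = sum(e["result"] == "nouser" for e in events)
    if len(users) == 1 and attempts - successes >= MIN_ATTEMPTS:
        return "brute-force"  # one account, many guesses
    if len(users) >= MIN_USERS and attempts / len(users) <= MAX_ATTEMPTS_PER_USER:
        if (unknown / attempts >= UNKNOWN_USER_RATIO
                or successes / attempts >= FIRST_TRY_SUCCESS_RATE):
            return "credential-stuffing"  # foreign usernames and first-try hits
        return "password-spray"  # few passwords across an enumerated list of valid users
    return "suspicious"


def report(log):
    """Per-source verdicts plus an 'all' verdict over every source combined.
    The per-IP view catches one noisy bot; the combined view catches a botnet
    spreading one or two attempts per IP, which no single source reveals."""
    events = parse(log)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {ip: classify(evs) for ip, evs in by_ip.items()}
    verdicts["all"] = classify(events)
    return verdicts


# Constructed sample logs (not captured from any real system).
LOG_BRUTE = """\
2021-03-01T10:00:01 alice 198.51.100.7 fail
2021-03-01T10:00:02 alice 198.51.100.7 fail
2021-03-01T10:00:03 alice 198.51.100.7 fail
2021-03-01T10:00:04 alice 198.51.100.7 fail
2021-03-01T10:00:05 alice 198.51.100.7 fail
2021-03-01T10:00:06 alice 198.51.100.7 fail
"""
# One guess per real account, spread over two sources, nothing succeeds.
LOG_SPRAY = """\
2021-03-01T11:00:00 alice 203.0.113.5 fail
2021-03-01T11:05:00 bob 203.0.113.5 fail
2021-03-01T11:10:00 carol 203.0.113.5 fail
2021-03-01T11:15:00 dave 203.0.113.6 fail
2021-03-01T11:20:00 erin 203.0.113.6 fail
2021-03-01T11:25:00 frank 203.0.113.6 fail
"""
# Leaked pairs replayed by a botnet: many usernames unknown here, one first-try hit.
LOG_STUFFING = """\
2021-03-01T12:00:00 alice 192.0.2.10 fail
2021-03-01T12:00:01 jsmith88 192.0.2.10 nouser
2021-03-01T12:00:02 bob 192.0.2.10 ok
2021-03-01T12:00:03 kpatel 192.0.2.11 nouser
2021-03-01T12:00:04 carol 192.0.2.11 fail
2021-03-01T12:00:05 mlee_2014 192.0.2.11 nouser
2021-03-01T12:00:06 dave 192.0.2.12 fail
2021-03-01T12:00:07 rwilson 192.0.2.12 nouser
2021-03-01T12:00:08 erin 192.0.2.12 fail
"""

if __name__ == "__main__":
    for name, log in (("brute", LOG_BRUTE), ("spray", LOG_SPRAY), ("stuffing", LOG_STUFFING)):
        print(name, report(log))
```

The signals are structural. Brute force concentrates many failures on one account and is visible per source. Spray and stuffing touch many accounts once or twice each, so in the sample logs every individual IP stays below threshold and the campaign only appears in the combined view, which is why Microsoft's heuristic keyed on one password against hundreds of thousands of usernames rather than on any single IP. Stuffing is separated from spray by two side effects of replaying another site's breach list: usernames that do not exist locally, and occasional first-try successes where the victim reused a password.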
Microsoft said, “Our data scientists started researching the use of these patterns (the ones detected from the previous approach) and additional data to train a new supervised machine learning system. We incorporated IP reputation, unfamiliar sign-in properties, and other deviations in account behavior. The results of this research led to this month’s release of the new password spray risk detection. This new machine learning detection yields a 100% increase in recall over the heuristic algorithm described above meaning it detects twice the number of compromised accounts of the previous algorithm. It does this while maintaining the previous algorithm’s amazing 98% precision — meaning if this algorithm says an account fell to password spray, it’s almost certain that it did.”
The new detection is available to Azure AD Identity Protection customers through the Identity Protection portal and its APIs. The following screenshot provides a sample of the new risk detection:

The post UK ICO Fines Cathay Pacific with £500,000 for 2018 Data Breach appeared first on CISO MAG | Cyber Security Magazine.
Cathay Pacific collects and stores flyers' data, including their names, passport numbers, contact details, dates of birth and nationalities, for official use. It also stores information from its frequent flyer loyalty program, including membership numbers, previous travel and customer support interaction history.
Cathay Pacific discovered the data breach in March 2018, when one of its databases was targeted with a brute-force attack. It immediately engaged a cybersecurity firm to investigate. While tracing the root cause and the threat actors behind the brute-force attack, the forensic experts uncovered a much larger data breach.
According to the ICO's report, between October 15, 2014 and May 11, 2018, Cathay Pacific's computer systems lacked adequate security measures. This led to the compromise of the personal details of approximately 9.4 million customers worldwide, 111,578 of whom were from the U.K.
The air carrier officially reported the breach to the ICO only on October 25, 2018, after analyzing the compromised data and the extent of the breach. In the meantime it set up customer care services and sent notifications telling each affected individual exactly what data had been exposed.
The ICO said the breach affected four Cathay Pacific databases: the customer database, the membership details database, the web applications' back-end database and a transient database used by Asia Miles members to redeem award points. After analyzing these breaches and their causes, the commissioner found Cathay Pacific in breach of the seventh data protection principle (DPP7) on multiple counts, including unencrypted database backups, security patches not applied to known server vulnerabilities, unrestricted admin-level access from the public internet, an unsupported operating system on one of the compromised servers, a lack of two-factor/multi-factor authentication (2FA/MFA), and inadequate penetration testing.
Although the £500,000 (approximately US$640,000) penalty is large, the maximum available under the Data Protection Act 1998 (which applied because the breach predates the GDPR), the ICO also offered a 20% reduction, bringing it down to £400,000 (approximately US$516,000), if Cathay Pacific pays by March 12, 2020.