You’ve no doubt heard the phrase, “Attackers don’t hack anyone these days. They log on.”
By obtaining (or stealing) valid user account details, an attacker can gain access to a system, remain hidden, and then elevate their privileges to “log in” to more areas of the network.
Unfortunately, the use of valid accounts is prevalent across the threat landscape. It was the second-most common MITRE ATT&CK technique that Talos observed in our threat telemetry in 2023. 26% of all Cisco Talos Incident Response engagements last year involved the use of valid accounts.
In figures from Incident Response engagements from the fourth quarter of 2023 , the top means of gaining initial access was a tie between the use of compromised credentials on valid accounts and exploiting public-facing web applications. 36% of malicious tooling was also focused on accessing and collecting credentials. You can read more about this in our Incident Response Quarterly Trends report.
The pervasiveness of these types of attacks is driven by a few key reasons:
- Most companies think that cyber attacks will come from “the outside in.”
Attacks that use valid accounts to log on take more of an “inside-out” approach. Once the initial access is gained, they are stealthily inside the network and there is more of a chance that the attacker will evade detection as they are trying to move laterally. Especially if the network is unsegmented. Long story short — exploiting a vulnerability can certainly lead to initial access, but authorized credentials help the adversary navigate laterally under the radar.
- Stolen credentials are for sale on the dark web.
Effectively, some threat actors are in the market of stealing credentials simply to sell them to the highest bidder. Actors who purchase them may well use them for a larger targeted ransomware campaign and/or for espionage purposes. For account details that come with high privileges (for example, those who work in finance or have access to networking devices), the bigger the price.
- Attackers are following the trends of how we work today.
We’re accessing more systems remotely, we’re accessing company systems on our own devices, and cloud solutions are becoming increasingly commonplace. From a threat actor perspective, their mindset is shifting. “Why force my way into a system when I can just log in?”
Speaking to those remote working trends, across the broader Cisco organization, we now see 1.5 billion multi-factor authentication requests every month (via Cisco Duo). For each authentication request, Duo evaluates what is a request from a trusted user, compared to a bad request from an attacker.
The lack of MFA (or poorly installed MFA) is frequently the No. 1 security weakness in our Talos Incident Response Quarterly Trends report (as was the case in Q4 2023). According to Oort, whom Cisco acquired in 2023, 40% of enterprise customers have no MFA, or use weak MFA (for example, clear text SMS). This appears to be contributing to the challenge of bad actors using valid accounts as a key initial access tactic.
So how are attackers effectively ‘logging on’ with valid account credentials? Here are some tactics that we frequently encounter within Talos threat telemetry and Incident Response engagements:
Credentials stolen from password stores
Stolen credentials from password stores took the No. 4 spot in the top 20 list of the most common MITRE ATT&CK techniques Talos saw in 2023. This is when users store passwords on various applications or web browsers. Adversaries search across common password storage locations to look for passwords that have been stored there. This technique has been used by threat actors for many years, but the rate at which this is still happening highlights the need for why organizations and individuals should be using password managers and not the built-in ones in web browsers.
Credentials stolen from fake login portals via phishing campaigns
Attackers will often try and replicate common login portals, such as Microsoft Office 365, and may send the user a phishing email asking them to log in due to some issue with their account. On the surface, the web page looks legitimate, but it’s a fake copy with malicious software behind it which is designed to capture user account details.
Input capture
Input capture was seventh on the top 20 MITRE ATT&CK list. This is a technique where threat actors will deploy methods to capture login data that is inputted by the user. The most prevalent type of input capture is keylogging, where adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging usually occurs after a user is the unwitting victim of stolen credentials via a phishing campaign or other means of access.
Stealing or Forging Kerberos Tickets
The stealing of Kerberos tickets was the ninth most common MITRE ATT&CK technique Talos observed in 2023. Kerberos is a network authentication protocol that authenticates service requests and grants a ticket for a secure connection. In the case of bad actors, they will try and steal these tickets (or forge them) to enable unauthorized access.
Targeting dormant accounts
According to Oort data from 2022, dormant accounts represent almost a quarter of the average company’s total accounts, and these accounts are regularly targeted (over 500 times per month on average). Attackers will look for accounts that are not used regularly but still have network access (for example, an employee or a temporary contractor who left the company, but their access was never removed).
Infostealers
Infostealers, or information-stealing malware, appear frequently in Talos IR engagements. Infostealers can be used to gain access to any kind of sensitive information including financial details and even intellectual property. Most commonly, we see infostealers being used to access and collect user credentials.
Brute force attacks
If an attacker has part of the login details, they may try brute force techniques to try and repetitively guess the password. These may not necessarily be entirely random guesses, as attackers may use knowledge that has been gained from other attacks or leaks, such as the ones listed above. This highlights the need for organizations to limit the amount of consecutive failed logon attempts.
Password spraying
Password spraying is a specific kind of brute force attack, but instead of brute forcing a password on a single system, the actors will use passwords from information leaks. They will try them on popular web services in the hope that users will reuse their passwords. This highly reduces the chance of detection and password blocking.
QR code phishing
According to public reporting, there has been a recent rise in QR code phishing to gain user credentials. The Cisco Talos Incident Response team were recently called in to help with a such an incident where credentials were stolen. A phishing email was sent to the company email of several employees and the email contained a PDF with a malicious QR code. Some employees used their smartphone to scan the code which paved the way for the attacker to gain their credentials and log in to the organisation’s system. The exact reason as to why the attacker was able to obtain the credentials is unknown due to a lack of logs in the smartphone, but one reason could be that passwords were saved in an unpatched browser.
Going after the users
Some of the above techniques can be addressed by defender tools and configurations within the organization’s network environment which allow for the detection of unauthorized access. But since there are many identity-type attacks that seek to manipulate or coerce the user themselves, we also need to talk about how users are being targeted today.
I asked Talos’ Head of Outreach Nick Biasini about what his main recommendations were for the coming year. He spoke about the increased targeting of users and how adversaries are getting more relentless in their attempts to gain valid credential-based access to a system.
He mentioned that whilst the malware itself used to gain these credentials won’t necessarily be very sophisticated, it is more about the intensity of the attacks. Here’s his insights in full:
Phishing emails are one of the most common ways adversaries compromise victims (it was No. 3 in Talos’ list of initial access vectors for 2023 and has consistently been a top-ranked threat in Talos Incident Response findings for years). In the last year alone, 25% of the initial access vectors identified in Talos Incident Response engagements were comprised of phishing. This observation is consistent with U.S. government findings, with the FBI noting that phishing was the top incident reported to its Internet Crime Complaint Center (IC3) in 2022.
Most people think of phishing/social engineering as clicking on a malicious link and triggering malware. But there are deeper aspects to these attacks that can involve the manipulation of users to do bidding on behalf of threat actors. These are known as insider attacks.
Insider attacks
We still see cases of the traditional malicious insiders i.e. employees who deliberately want to cause damage to their organization’s network, either for financial gain, or frustrations with the organization itself. But increasingly we are seeing another category of insider attacks – the “unwitting assets.”
In the case of the unwitting asset, threat actors use social engineering to leverage the user to act on their behalf, typically through some form of manipulation.
A common example is when an adversary concocts a story that implicates the user in some way, or there’s a problem that needs solving quickly. Adversaries, especially more sophisticated ones, will often ask for the target to get on a phone call to discuss the issue further.
Once the attacker has someone on the phone, they unfortunately stand more of a chance of persuading the user to do the adversary’s bidding. This could include logging into devices and reconfiguring something or revealing important account details.
Recommendations
Identity related attacks are challenging to defend against. You’re dealing with the misuse of valid credentials. Finding the genuine source of them is especially difficult if users are being coerced to share their account details or conduct malicious activities. However, there are some practices we recommend that can help:
- Limit the amount of access a user has – no more than is required for them to perform their job.
- Limit the amount of consecutive failed login attempts to prevent possible brute force access.
- Ensure you are using MFA across your network.
- For IT administrators, ensure you are set up to inspect laterally across the network. Not just inspecting traffic going north/south. This will help prevent attackers who are trying to move laterally.
- Have a defense-in-depth approach, so that if a portion of your defense fails, other defenses can detect anomalies and intrusions.
- Conduct routine auditing and ensure dormant accounts are deleted from the network. This will help prevent attackers using dormant accounts to try to gain access undetected. It’s also common for accounts to be set up to test new systems, so ensure these test accounts are only temporary. Set up an automated procedure for test accounts to be disabled at the end of the project.
- Additionally, disable the accounts of those who have left your organization and ensure you remove their remote access (i.e., through the VPN).
- Have a checks and balances system in place for dealing with financial transactions so that no single person can initiate and complete a wire transfer without additional approval. This can help mitigate social engineering attacks against users who deal with payments.
- Addressing the abuse of valid credentials involves a comprehensive set of security measures. Consider a zero-trust architecture approach which validates every user connection to every device and every application. This will help prevent threat actors operating under the radar and across your network with stolen credentials.
And finally, we would recommend organizations to consider actively hunting for evidence of incursion. As well as finding possible breaches, you may also detect areas where your overall network security could be improved. You can read more about this in our blog “Beyond the basics: Implementing an active defense.”