
SpyCloud Finds Worrying Shift in Exposed Credentials Trend


Credentials remain a significant concern in cybersecurity incidents because cybercriminals holding compromised credentials typically use a tactic called credential stuffing, trying a stolen username and password combination against other accounts. The Verizon 2022 Data Breach Investigations Report calls credentials one of the four paths “to your real estate” and says they are responsible for 45% of non-error, non-misuse breaches.

However, there is a worrying shift in the trend of exposed credentials: threat actors are moving away from traditional account takeover methods and gaining entry with other forms of authentication data stolen directly from user devices and browsers infected with infostealers.

In fact, 721.5 million exposed credentials were recovered from the criminal underground in 2022, with 48.5% coming from botnet logs, according to SpyCloud's 2023 Annual Identity Exposure Report. Today, botnets are commonly used for deploying infostealer-specific malware at a larger scale.

But what are infostealers, and why are they a concern?

Infostealers are malware designed to stealthily siphon data (including credentials, browser session cookies and other sensitive information) that can be used to impersonate a user identity, according to the SpyCloud report. Infostealers are relatively cheap for criminal actors to buy, and many are designed to avoid detection by anti-malware solutions and leave no trace of infection.

The siphoned credentials are accurate and valid, making them particularly attractive to cybercriminals as they can bypass MFA without friction. This means that the stolen data leads to additional attacks and causes significant harm.

Despite attempts by enterprises to enhance user awareness training programs, password reuse rates remain high and malware-infected devices continue to be significant risk factors. This is concerning because the combination of high password reuse rates and malware-infected devices increases the risk of identity exposure for consumers and organizations, according to the report. It must remain top of mind at every level of an organization concerned about potential follow-on attacks like ransomware.

Moreover, the risk for enterprises increases significantly when an employee's session cookies are siphoned by malware, giving cybercriminals the ability to log into corporate applications, bypassing MFA and negating the need for passwords in the first place.

“The pervasive use of infostealers is a dangerous trend because these attacks open the door for bad actors like Initial Access Brokers, who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals,” said Trevor Hilligoss, Director of Security Research at SpyCloud. “Infostealers are easy, cheap and scalable, creating a thriving underground economy with an ‘anything-as-a-service’ model to enable cybercrime. This broker-operator partnership is a lucrative business with a relatively low cost of entry.”

As data exfiltrated by infostealer malware becomes more ubiquitous, the follow-on path into organizations becomes much easier for threat actors. With the growing popularity of malware-as-a-service models, the data siphoned in this manner is expected to grow in abundance.

Hilligoss says everyone needs to think about protecting digital identities by using a Post-Infection Remediation (PIR) approach. PIR, SpyCloud’s new and critical addition to its malware infection response, is a framework designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.

“Taking action on exposed employee data before it can be used by criminals is paramount to preventing account takeover, fraud, ransomware and other forms of cybercrime,” said Hilligoss.




Edited by Alex Passett