Credentials remain a significant concern in cybersecurity incidents because cybercriminals who obtain compromised credentials typically use a tactic called credential stuffing, replaying a leaked username and password combination against other accounts to break into them. The Verizon 2022 Data Breach Investigations Report calls credentials one of the four paths “to your real estate” and says they are responsible for 45% of non-error, non-misuse breaches.
However, there is a worrying shift in the trend of exposed credentials as threat actors move away from traditional account takeover methods and gain entry with other forms of authentication data stolen directly from user devices and browsers infected with infostealers.
In fact, 721.5 million exposed credentials were recovered from the criminal underground in 2022, with 48.5% coming from botnet logs, according to SpyCloud's 2023 Annual Identity Exposure Report. Today, botnets are commonly used to deploy infostealer-specific malware at scale.
But what are infostealers, and why are they a concern?
Infostealers are malware designed to stealthily siphon data (including credentials, browser session cookies and other sensitive information) that can be used to impersonate a user identity, according to the SpyCloud report. Infostealers are relatively cheap for criminal actors to buy, and many are designed to avoid detection by anti-malware solutions and leave no trace of infection.
The siphoned credentials are accurate and valid, making them particularly attractive to cybercriminals as they can bypass MFA without friction. As a result, the stolen data fuels additional attacks and causes significant harm.
Despite attempts by enterprises to enhance user awareness training programs, password reuse rates remain high and malware-infected devices continue to be significant risk factors. This is concerning because the combination of high password reuse rates and malware-infected devices increases the risk of identity exposure for consumers and organizations, according to the report. It must remain a top-of-mind issue at every level of an organization concerned about follow-on attacks like ransomware.
Moreover, the risk for enterprises increases significantly when an employee's session cookies are siphoned by malware, giving cybercriminals the ability to log into corporate applications, bypassing MFA and negating the need for passwords in the first place.
“The pervasive use of infostealers is a dangerous trend because these attacks open the door for bad actors like Initial Access Brokers, who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals,” said Trevor Hilligoss, Director of Security Research at SpyCloud. “Infostealers are easy, cheap and scalable, creating a thriving underground economy with an ‘anything-as-a-service’ model to enable cybercrime. This broker-operator partnership is a lucrative business with a relatively low cost of entry.”
As the data exfiltrated by infostealer malware becomes more ubiquitous, the follow-on path into organizations becomes much easier for actors to take. With the growing popularity of malware-as-a-service models, the data siphoned in this manner is expected to grow in abundance.
Hilligoss says everyone needs to think about protecting digital identities by using a Post-Infection Remediation (PIR) approach. PIR, SpyCloud’s new and critical addition to its malware infection response, is a framework designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.
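The two remediation steps PIR describes, invalidating session cookies minted before the infection was handled and forcing a credential reset, as an added example that is not SpyCloud's or the article's code. The signed cookie format, the in-memory user store and the sample timestamps are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)   # constructed server-side cookie signing key
USERS: dict = {}                         # user -> remediation state (stand-in for a database)


def _state(user: str) -> dict:
    return USERS.setdefault(user, {"sessions_not_before": 0, "must_reset_password": False})


def issue_session(user: str, issued_at: int) -> str:
    """Mint a cookie 'user|issued_at|mac'; the MAC stops a thief from forging issued_at."""
    _state(user)
    body = f"{user}|{issued_at}"
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate_session(cookie: str) -> Optional[str]:
    """Return the user if the cookie is authentic and not revoked, else None."""
    try:
        user, issued_at, mac = cookie.split("|")
        expected = hmac.new(SIGNING_KEY, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        issued = int(issued_at)
    except ValueError:
        return None
    st = _state(user)
    # A stolen cookie minted at or before remediation is rejected even though its MAC is valid,
    # and nothing is honoured until the forced credential reset has been completed.
    if issued <= st["sessions_not_before"] or st["must_reset_password"]:
        return None
    return user


def remediate_infection(user: str, remediated_at: int) -> None:
    """Post-infection remediation: revoke every existing session and require a new password."""
    st = _state(user)
    st["sessions_not_before"] = remediated_at
    st["must_reset_password"] = True


def complete_password_reset(user: str) -> None:
    """Called by the (out-of-band) reset flow once the user has set a new password."""
    _state(user)["must_reset_password"] = False
```

Sessions carry their issue time so that one per-user cutoff revokes every cookie copied off an infected device, without having to enumerate them.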
“Taking action on exposed employee data before it can be used by criminals is paramount to preventing account takeover, fraud, ransomware and other forms of cybercrime,” said Hilligoss.
Edited by Alex Passett