Credential-Based Attack

What is a Credential-Based Attack?

According to Palo Alto Networks, credential-based attacks occur when attackers steal credentials to gain access, bypass an organization's security measures, and steal critical data. Credential theft, the first stage of a credential-based attack, is the process of stealing credentials. Credential theft is clearly still a problem. Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cybercriminals. The latest report from the Ponemon Institute shares that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks. 59% of organizations are not revoking credentials that are no longer needed, meaning passwords can go unattended and dormant like a sitting duck (similar to what happened with Colonial Pipeline). Verizon's Data Breach Investigations Report cites that nearly 50% of all data breaches were caused by stolen credentials. A stolen employee credential was reportedly used in breaching Cisco's network by the Yanluowang gang.

How does it happen?

Attackers commonly use phishing for credential theft, as it is a fairly cheap and extremely efficient tactic. Unlike malware and exploits, which rely on weaknesses in security defenses, credential phishing relies on human interaction to deceive employees. Cybercriminals use social media to identify victims and steal their personal information. Some attackers use social media for reconnaissance before planning an attack. According to BleepingComputer, the Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account, which contained credentials synced from their browser. The attackers convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks that impersonated trusted support organizations. MFA fatigue is an attack tactic where threat actors send a constant stream of multi-factor authentication requests to annoy a target in the hope that they will finally accept one to stop them from being generated. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
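The MFA fatigue pattern described above leaves a recognizable trace in authentication logs: a burst of denied or unanswered pushes for one user, sometimes ending in an approval. The following detection sketch is an added example, not part of the original article; the event format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (time, user, result); not real log data.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:05", "alice", "denied"),
    ("2024-01-10T02:01:10", "alice", "timeout"),
    ("2024-01-10T02:02:30", "alice", "denied"),
    ("2024-01-10T02:03:45", "alice", "denied"),
    ("2024-01-10T02:05:00", "alice", "timeout"),
    ("2024-01-10T02:06:20", "alice", "approved"),  # burst ends in an approval
    ("2024-01-10T09:00:00", "bob", "denied"),      # single mis-tap, then a normal login
    ("2024-01-10T09:00:40", "bob", "approved"),
    ("2024-01-10T11:00:00", "carol", "denied"),
    ("2024-01-10T11:01:00", "carol", "denied"),
    ("2024-01-10T11:02:00", "carol", "denied"),
    ("2024-01-10T11:03:00", "carol", "denied"),
    ("2024-01-10T11:04:00", "carol", "denied"),    # burst still being refused
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved pushes that is abnormal


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for bursts of unapproved pushes inside the window.

    severity is "high" when an approval follows the burst (the sequence the
    article describes) and "medium" while the user is still refusing.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:  # drop pushes older than the window
            pushes.popleft()
        if result == "approved":
            if len(pushes) >= threshold:
                alerts[user] = {"severity": "high", "unapproved": len(pushes),
                                "approved_at": ts_text}
            pushes.clear()  # any approval ends the current burst
        else:
            pushes.append(ts)
            if len(pushes) >= threshold and user not in alerts:
                alerts[user] = {"severity": "medium", "unapproved": len(pushes),
                                "approved_at": None}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(user, alert)
```

A "high" alert is the case to act on first: the session created by that approval should be reviewed and the user's credentials reset.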

How do you protect yourself?

  • Regularly change your passwords. The longer one password goes unchanged, the more likely it is that a hacker will find a way to crack it.
  • Train your users to identify the different credential harvesting methods. This will reduce their chances of falling for the cybercriminals' tricks.
  • Implement multi-factor authentication (MFA). Some of your users may have a lapse in judgment. If they give away their credentials, MFA will reduce the risk of cybercriminals using this info.
  • Replace mobile-based MFA with key fobs. Cybercriminals can clone your mobile devices, and secure SMS will not help if the attacker is nearby. Conversely, key fobs have no wireless elements, so they are impossible to replicate.

Alex Ntow

IT Risks | Data Security | Entrepreneur | Speaker | Digital Compliance | Doing business in Ghana | Cyber Security Authorized Provider |

2y

Bernard Sackey, credential-based attacks are on the rise, using credential phishing delivered via email with spoofed links and other methods. It's currently more difficult to attack the technology or the process, so attack the people; this is what's happening! Thanks for bringing this to our attention!

Henrietta Ijenebe

Cybersecurity Analyst Cloud Architect

2y

Brief and quite explanatory! MeLikey!

Gilbert Fosu

Graduate Student at University of Mines and Technology | Aspiring Mining Engineer | IT Professional | Championing Sustainable Practices and Digital Innovation | Geospatial Enthusiast | Avid Learner

2y

Satisfactory cyber security article about Credential-Based Attack. Thank you Bernard Sackey.
