Plaintext: Credentials Here, Credentials There

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Ghost Security . In this issue of Plaintext, we look at breaches involving stolen credentials and the kind of damage they can cause. It seems like every attack or breach nowadays involve some kind of credential theft. We also consider the challenges SMBs have trying to find software that is both secure and functional. If you enjoy Plaintext, please share with friends and colleagues !

Stolen Credentials Leaking, They Are Everywhere. Adversaries aren't going to worry about expensive hacking tools or complicated attack methods if they can just find passwords and access keys to just waltz right in. And right now, there are many, many, ways for attackers to get their hands on these credentials. A Russian advanced persistent threat group is phishing Windows credentials from government, military, and private sector targets in Ukraine. Earlier this week, Symantec revealed that several widely used Android and iPhone apps included hardcoded credentials to cloud services (either Amazon Web Serivces or Microsoft Azure Blog Storage) within their code. Anyone with access to the app's binary or source code could potentially extract credentials and misuse them, Symantec noted.

The "EmerarldWhale" operation stole credentials belonging to cloud services and email providers by targeting exposed git configurations, according to Sysdig . These tokens were then used to download GitHub, GitLab, and BitBucket repositories, which are then scanned for more credentials. It appears the operation was collecting the information — credentials for more than 10,000 private repositories — to use in spam and phishing campaigns. The "underground market for credentials is booming, especially for cloud services," the research team wrote in the report . The ironic element of this story is that the researchers found these credentials exposed on a publicly accessible Amazon Web Services S3 bucket. Even adversaries can misconfigure cloud systems and leak sensitive data , it seems.

"This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from." Miguel Hernández, Sysdig

Datadog's 2024 State of Cloud Security report found that long-lived credentials, or authentication tokens or keys in the cloud that remain for a long period of time (or never expire), are widespread across all major cloud services. When they are leaked, they give access to images, build logs, and application artifacts, becoming major security risks.

Credential harvesting attacks are becoming so common because attackers are able to steal or collect credentials without much effort, said Miguel Hernández, a threat research engineer at Sysdig. Automated scripts and freely available tools means this kind of operation poses low risks to the attacker. And it is a "fast income" since the attacker can just sell the keys in packages or individually across multiple marketplaces, Hernández said.

Dark Reading in Plaintext is brought to you by Ghost Security

Reaper by Ghost: Built by Humans, Designed for AI Security

Reaper leverages Agentic AI to intelligently test your apps and APIs, saving time and improving security coverage. Download Reaper today and experience Ghost Security’s autonomous AppSec solution !

Cybersecurity Gaps Different for SMB. Small-to-midsized businesses have it rough on the cybersecurity front. Their size doesn't protect them from cyberattacks: Orange Cyberdefense 's Cy-Xplorer 2024 report from this summer found that companies employing less than 1000 people suffered cyber-extortion attacks 4.2 times more often than larger enterprises. Recent Sophos research found SMB is the segment most likely to have data encrypted in a ransomware attack, with 74% of incidents resulting in data encryption. According to 埃森哲 's Cost of Cybercrime study last year, 43% of cyberattacks were aimed at small businesses, but only 14% are considered to be prepared, aware, and capable of defending their networks and data.

Part of the challenge is that SMBs don't have the resources to have a dedicated security staff, or to pay for the more expensive tiers for cloud services that come with security features . This is why secure products by default is so important. The folks at Zatik Security have a really interesting series right now where the team reviews the security features available in popular SaaS applications used by the SMB. So far, the team has reviewed password managers and also looked at meeting scheduling applications . The goal of these reviews is to help SMBs make "informed choices that balance functionality and safety," according to the company. Software makers and service providers need to offer effective security features on every tier of service so that there isn't a security gap between those who can afford to buy and those who cannot.

What We Are Reading

• [Ghost Security] See Reaper in Action: Ghost's AI-Driven AppSec Testing Tool
• Digging into the Sophos-SecureWorks Deal : Building Advanced MDR, XDR Platform
• Breaking Barriers: Making Cybersecurity Accessible for Neurodiverse Professionals
• Mozilla Says ChatGPT Can Be Manipulated Using Hex Code
• From Martha Heller , How to Find the Right CISO

What We Heard On-Air

Tune in to our on-demand webinar?“Making Orchestration Work for Your Enterprise .”

“Orchestration is the creation of a playbook — a process — that would be manually executed by an operator, but automated to trigger those playbooks.” —Tom Parker

From Our Library

Check out some of the latest reports from our?Dark Reading Library .

• [Ghost Security ] Get Started with Reaper: Ghost Security's OSS AppSec Tool
• Dark Reading Reports: State of Vulnerability Management in the Enterprise
• Dark Reading Reports: State of Artificial Intelligence and Machine Learning in Cybersecurity
• Tech Insight: Digging Out of Your Organization's Technical Debt
• Tech Insight: Managing Third-Party Risk Through Situational Awareness

On That Note

Have you submitted your caption for this month's Dark Reading Name that Toon Contest? Come up with a cybersecurity-related caption for a chance to win $25! Submission details here .

Dark Reading in Plaintext is brought to you by Ghost Security