Are cybercriminals hacking your systems – or just logging in?
Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes so they can access networks by masquerading as legitimate users.
According to Verizon, “use of stolen credentials” has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them.
Why credentials are ground zero for cyberattacks
According to one estimate, over 3.2 billion credentials were stolen from global businesses in 2024, a 33% annual increase. With the access these provide to corporate accounts, threat actors can effectively slip into the shadows while plotting their next move. This might involve some more advanced forms of criminal exploitation, for example:
- Conducting network reconnaissance: looking for data, assets and user permissions to go after next
- Escalating privileges, e.g. via vulnerability exploitation, in order to move laterally to reach those high-value data stores/systems
- Covertly establishing communications with a command-and-control (C2) server, from which to download additional malware and to which to exfiltrate data
By working through these steps, an adversary could also carry out highly successful ransomware and other campaigns.
How they get hold of passwords
Threat actors have developed various ways to compromise your employees’ corporate credentials or, in some cases, even their MFA codes. They include:
- Phishing: Emails or texts spoofed to appear as if sent from an official source (e.g., the IT department or a tech supplier). The recipient will be encouraged to click on a malicious link taking them to a fake login page (e.g., a spoofed Microsoft sign-in page).
- Vishing: A variation on the phishing theme, but this time the victim receives a phone call from the threat actor. They may impersonate the IT helpdesk and request that the victim hand over a password or enroll a new MFA device as part of some fictitious back story. Or they could call the helpdesk claiming to be an executive or employee who needs an urgent password reset to get their job done.
- Infostealers: Malware designed to harvest credentials and session cookies from the victim’s computer/device. It might arrive via a malicious phishing link/attachment, a compromised website, a booby-trapped mobile app, a social media scam or even an unofficial games mod. Infostealers are thought to have been responsible for 75% of compromised credentials last year.
- Brute-force attacks: These include credential stuffing, where adversaries try previously breached username/password combos against corporate sites and apps. Password spraying, meanwhile, leverages commonly used passwords across different sites. Automated bots help them to do so at scale, until one finally works.
- Third-party breaches: Adversaries compromise a supplier or partner which stores credentials for its clients, such as an MSP or a SaaS provider. Or they buy up troves of already breached login “combos” to use in subsequent attacks.
- MFA bypass: The techniques include SIM swapping, MFA prompt bombing that overwhelms the target with push notifications in order to cause “alert fatigue” and elicit a push approval, and Adversary-in-the-Middle (AitM) attacks where attackers insert themselves between a user and a legitimate authentication service to intercept MFA session tokens.
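The brute-force entry above (credential stuffing and password spraying) is one of the few credential-theft techniques that leaves a clear footprint in your own authentication logs before the attacker ever succeeds. The following is an added example, not code from the original article: a small detector that reads constructed sign-in log lines (the `src=... user=... result=...` format and the sample events are assumptions for this example) and flags a source that fails against many distinct accounts inside a short window, which is the signature of a spray, and additionally reports any account that then succeeded from that same source, since a success following a spray is the event most worth an immediate response.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines for this example (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T09:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T09:05:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:05:30Z src=198.51.100.7 user=alice result=SUCCESS
2024-05-01T10:00:00Z src=192.0.2.9 user=grace result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict (assumed format)."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: details} for sources that failed against at least
    `min_users` distinct accounts within `window`.

    A single user typing a wrong password several times is not a spray; a
    single source walking across many accounts is. The report also lists
    accounts that SUCCEEDED from the same source inside the window, because
    that is the point at which a spray has turned into an intrusion."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        # Sliding window over this source's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed_users = {x["user"] for x in window_evs if x["result"] == "FAIL"}
            if len(failed_users) >= min_users:
                succeeded = sorted({x["user"] for x in window_evs if x["result"] == "SUCCESS"})
                alerts[src] = {
                    "distinct_failed_users": len(failed_users),
                    "succeeded_users": succeeded,
                }
    return alerts


if __name__ == "__main__":
    for src, details in detect_spraying(SAMPLE_LOG).items():
        print(f"spray from {src}: {details}")
```

On the sample above only `203.0.113.5` is reported: it fails five different accounts in six seconds and then logs in as `frank`, which is exactly the sequence the account lockout policy for a single user never sees. `198.51.100.7` (one user, one retry) is ordinary behaviour and stays quiet. The thresholds are deliberately parameters; tune `min_users` and `window` against your own baseline rather than the constructed values here.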
The past few years have been awash with real-world examples of password compromise leading to major security incidents. They include:
- Change Healthcare: In one of the most significant cyberattacks of 2024, the ransomware group ALPHV (BlackCat) crippled Change Healthcare, a major U.S. healthcare technology provider. The gang leveraged a set of stolen credentials to remotely access a server that did not have multifactor authentication (MFA) turned on. They then escalated their privileges, moved laterally within the systems and deployed ransomware, which ultimately led to an unprecedented disruption of the healthcare system and the theft of sensitive data on millions of Americans.
- Snowflake: Financially motivated threat actor UNC5537 gained access to the Snowflake customer database instances of multiple clients. Hundreds of millions of downstream customers were impacted by this massive data theft extortion campaign. The threat actor is thought to have accessed their environments via credentials previously stolen via infostealer malware.
Keep your eyes peeled
All of which makes it more important than ever to protect your employees’ passwords, make logins more secure, and monitor the IT environment more closely for the tell-tale signs of a breach.
Much of this can be achieved by following a Zero Trust approach based around the tenet: never trust, always verify. It means adopting risk-based authentication at the “perimeter” and then at various stages within a segmented network. Users and devices should be assessed and scored based on their risk profile, which can be calculated from time and location of login, device type, and session behavior. To bolster your organization’s protection from unauthorized access and to ensure compliance with regulations, rock-solid multi-factor authentication (MFA) is also a non-negotiable line of defense.
You should complement this approach with updated training and awareness programs for employees, including real-world simulations using the latest social engineering techniques. Strict policies and tools preventing users from visiting risky sites (where infostealers might lurk) are also important, as is security software on all servers, endpoints and other devices, and continuous monitoring tools to spot suspicious behavior. The latter will help you to detect adversaries that may be inside your network courtesy of a compromised credential. Indeed, organizations also need to have a way of reducing the damage a compromised account can do, for example by following the principle of least privilege. Finally, dark web monitoring can help you check if any enterprise credentials are up for sale on the cybercrime underground.
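The two paragraphs above describe risk-based authentication (scoring a login from time, location, device and session behaviour) and the continuous monitoring that catches an adversary who is already inside on a stolen credential. The following is an added example, not code from the original article and not any vendor's product: a toy risk scorer that keeps a per-user baseline of known devices and usual locations, scores each new sign-in for an unknown device, an unusual location, an off-hours login and "impossible travel" (two logins too far apart for the time between them), and maps the score to allow / step-up MFA / block. The city coordinate table, the weights, the thresholds and the sample sign-ins are all constructed assumptions for this example.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed geolocation table (approximate lat/lon in degrees) for the example.
GEO = {
    "London": (51.5, -0.1),
    "New York": (40.7, -74.0),
    "Sydney": (-33.9, 151.2),
}

MAX_PLAUSIBLE_KMH = 1000  # faster than this between two logins counts as impossible travel


@dataclass
class SignIn:
    user: str
    ts: datetime          # treated as the user's local time for the hours check (simplification)
    city: str
    device_id: str


@dataclass
class UserProfile:
    known_devices: set
    usual_cities: set
    work_hours: tuple = (8, 19)          # [start, end) hours treated as normal
    last_signin: Optional[SignIn] = None  # last ALLOWED sign-in, used for the travel check


def haversine_km(city_a, city_b):
    """Great-circle distance between two cities in the GEO table."""
    lat1, lon1 = map(math.radians, GEO[city_a])
    lat2, lon2 = map(math.radians, GEO[city_b])
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def score_signin(profile, s):
    """Return (score, reasons) for a sign-in against the user's baseline."""
    score, reasons = 0, []
    if s.device_id not in profile.known_devices:
        score += 40; reasons.append("unknown device")
    if s.city not in profile.usual_cities:
        score += 30; reasons.append("unusual location")
    if not (profile.work_hours[0] <= s.ts.hour < profile.work_hours[1]):
        score += 15; reasons.append("outside usual hours")
    prev = profile.last_signin
    if prev and prev.city != s.city:
        hours = (s.ts - prev.ts).total_seconds() / 3600
        if hours <= 0 or haversine_km(prev.city, s.city) / hours > MAX_PLAUSIBLE_KMH:
            score += 50; reasons.append("impossible travel")
    return score, reasons


def decide(score):
    """Map a risk score to an authentication decision (constructed thresholds)."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "require_mfa"
    return "allow"


def evaluate_sample():
    """Run three constructed sign-ins for one user and return the decisions."""
    profile = UserProfile(
        known_devices={"laptop-1"},
        usual_cities={"London"},
        last_signin=SignIn("alice", datetime(2024, 5, 1, 9, 0), "London", "laptop-1"),
    )
    events = [
        SignIn("alice", datetime(2024, 5, 1, 10, 0), "London", "laptop-1"),       # normal
        SignIn("alice", datetime(2024, 5, 1, 10, 30), "New York", "unknown-phone"),  # stolen-credential pattern
        SignIn("alice", datetime(2024, 5, 1, 23, 0), "Sydney", "laptop-1"),        # known device, wrong place/time
    ]
    results = []
    for ev in events:
        score, reasons = score_signin(profile, ev)
        decision = decide(score)
        if decision == "allow":
            profile.last_signin = ev  # only allowed sign-ins move the baseline
        results.append((ev.city, score, decision, reasons))
    return results


if __name__ == "__main__":
    for city, score, decision, reasons in evaluate_sample():
        print(f"{city:9} score={score:3} -> {decision:12} {reasons}")
```

Two design points carry over to real deployments: the baseline is only advanced by sign-ins that were allowed, so a blocked login from a new country cannot quietly become the user's "usual" location, and the hours check here uses the timestamp as-is, which is a simplification; a production system would convert to the user's local timezone before deciding what counts as off-hours.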
More broadly, consider enlisting the help of an expert third party via a managed detection and response (MDR) service, especially if your company is short on resources. In addition to lower total cost of ownership, a reputable MDR provider brings subject-matter expertise, round-the-clock monitoring and threat hunting, and access to analysts who understand the nuances of credential-based intrusions and can also accelerate incident response if compromised accounts are detected.