Nobody loves cheap and easy things more than cybercriminals. And few things are as abundant and easy to use as stolen emails and passwords (or password hashes). Over the last 5 years, 11.7 billion credentials have been leaked across the Internet, 61% of breaches involve leaked credentials, and the effects of credential theft spill well beyond a single account—as 65% of users reuse passwords across sites.
Leaked credentials are the easiest attack vector into companies for cybercriminals. They use leaked or stolen credentials to log in to corporate accounts and systems, subverting security through stolen trust. From that initial point of access criminals have a number of options at their disposal from stealing information directly, to launching business email compromise, to exploiting vulnerabilities for privilege escalation.
How Do Cybercriminals Acquire and Use Credentials?
User names—which are often email addresses—and passwords can be stolen or bought by criminals. Criminals often specialize, with one group stealing and packaging credentials, another group using those credentials to establish access, and a third group buying access to plant malware like ransomware. The mechanism for theft varies, from spam email that encourages you to enter your credentials into a fraudulent website to attacks against companies with large user bases to specifically steal credentials.
Once credentials are leaked or stolen they invariably end up on the criminal underground, on Tor-enabled forums, and marketplaces on the dark web. Leaked credentials are cheap—often selling for pennies each.
Occasionally, passwords may be in plaintext (meaning they are human-readable), but often the stolen credentials are hashed using algorithms with names like MD5 or SHA1. These hashed passwords, or hashes, change a password like “password123” into “775b2f275712ce8a14ae47e0a8ed3174d4053666” so that the company never has to store the actual password, and the hash by itself doesn’t tell you what the password is. Unfortunately, criminals found a creative way around this. Because they have access to a vast number of credentials used on so many sites—literally billions—they are able to create rainbow tables of which passwords map to which hashes, making it easy to recover the underlying credentials and sell them on dark web markets.
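The following Python snippet is an added illustration of the point above, not code from the original post. It shows why a leaked unsalted hash is only as secret as the password behind it: a precomputed table of hashes for already-known passwords turns the hash straight back into the password (a plain lookup table here; real rainbow tables compress the same idea with hash chains and likewise depend on the absence of a salt). The defender-side function at the end shows the mitigation, a per-user random salt plus a slow key-derivation function, which makes such a table useless. The password list is a constructed sample standing in for the billions of leaked plaintexts the post mentions.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed sample: a handful of passwords standing in for the billions of
# leaked plaintext passwords a criminal can draw on.
LEAKED_PLAINTEXT = ["password123", "letmein", "qwerty", "Summer2021!"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA1 hex digest, the form found in many credential dumps."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup(passwords: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once; every later lookup is a dictionary hit."""
    return {sha1_hex(p): p for p in passwords}


def recover(hash_hex: str, lookup: Dict[str, str]) -> Optional[str]:
    """A leaked unsalted hash is 'reversed' by lookup, not by breaking SHA1."""
    return lookup.get(hash_hex.lower())


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Defender side: a random per-user salt and a slow KDF (PBKDF2 here)
    mean no table built in advance can cover the stored value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def demo():
    lookup = build_lookup(LEAKED_PLAINTEXT)
    dumped = sha1_hex("letmein")          # what a hashed dump would contain
    recovered = recover(dumped, lookup)   # -> "letmein"
    # Two users with the same password get different salted hashes, so a
    # single precomputed table cannot serve both.
    h1 = salted_hash("letmein", os.urandom(16))
    h2 = salted_hash("letmein", os.urandom(16))
    return recovered, h1 != h2


if __name__ == "__main__":
    print(demo())
```

The table is built once and reused for every hash in a dump, which is why volume works in the criminals' favour: the more leaked plaintexts they hold, the larger the share of any new hashed dump they can turn back into sellable credentials.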
How Do I Combat Leaked Credentials?
Leaked credentials can be difficult to discover due to the fact that cybercriminals trade them on the dark web and other underground channels, well outside the traditional visibility of many organizations. Even if you have access to criminal dark web forums, you may not be able to harvest and process the credentials which affect your organization. And taking action on discovered credentials is easier said than done thanks to large and messy data sets and varying internal requirements.
Not all is lost. Organizations can use intelligence to identify leaked credentials affecting your organization, process credentials to determine the risk to your business, and remediate the risk from this type of malicious access. Additionally, if you discover systems where the credentials were used fraudulently, you can use intelligence to assist your investigations and remediate the problems.
Identifying leaked credentials is the first challenge. Leaked credentials appear on dark web credential databases for private sale, in large aggregated databases, and on open sites such as code paste sites. Leaked credentials have a relatively limited timeframe in which they have immediate value, so fresh credentials tend to be advertised and sold on private forums. Criminals may advertise access to certain organizations or industry sectors, and rely on buyers to approach before confirming specific targets.
Additionally, the credentials are not sold with any warranty, so a listing may occasionally be a mixture of newer credentials and older ones recycled from previous public breaches. Occasionally, larger credential databases are made available on dark web forums and marketplaces, for a fee or even for free. Often these are stale credentials that are published publicly with the intent of making tracking or law enforcement actions more challenging. Finally, leaked credentials can appear on open web code sharing and paste sites, for similar purposes. Either way, your organization needs to identify these credentials and check them for relevancy.
After you have identified a leaked credential, you need to check to see if it is active. For smaller organizations this may be an easy process, but for even medium-sized companies identifying whether credentials are active can be more challenging. In a previous blog, we covered how to triage leaked credentials. In summary, a good remediation process includes four steps:
- Identify leaked credentials that include a password.
- Check the password for adherence to your company password policy.
- If it does meet company policy, check internal resources to see if the email address is still active.
- Check if the same email address and password have been identified in the past.
If these steps are all confirmed, then the security team needs to issue a password reset, check for recent suspicious activity, and record metrics.
Credentials can have passwords in plaintext, which allows security teams to identify if that password is live on your network, or even to check if the password meets your organization’s rules for password complexity. If the leaked credential contains only password hashes, this can disrupt the remediation process. For example, if your discovered credential has a password hash, it may be challenging to identify if the password meets your organization’s requirements for password complexity.
One step that is not frequently covered is the role of security intelligence teams in building a database of previously exposed leaked credentials. Many leaked credentials originate from older breaches, some several years old. While there are many public repositories for current and historic information on leaked credentials, organizations should create a specific database of identified/remediated leaked credentials to help identify specific credentials affecting their organization and help determine if a particular leaked credential has already been remediated.
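As an added example (not code from the original post or any product it describes), the Python below implements the four triage steps listed above together with the database of previously remediated credentials this paragraph recommends. The directory export, the remediated-pair set, the password policy (12 characters with upper, lower, digit and symbol) and the leak records are all constructed, hypothetical sample data; real deployments would read the directory and the leak feed from their own sources. A record carrying only a hash is routed to manual review, matching the caveat that hash-only leaks cannot be checked against a complexity policy.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class LeakedCredential:
    email: str
    password: Optional[str]            # None when the dump carried only a hash
    password_hash: Optional[str] = None
    source: str = "constructed-sample"


# Hypothetical corporate policy: at least 12 chars with upper, lower, digit, symbol.
POLICY_MIN_LENGTH = 12
POLICY_CLASSES = re.compile(r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s])")


def meets_policy(password: str) -> bool:
    """Step 2: could this password even be a current corporate password?"""
    return len(password) >= POLICY_MIN_LENGTH and POLICY_CLASSES.search(password) is not None


def triage(cred: LeakedCredential, active_accounts: Set[str],
           remediated: Set[Tuple[str, str]]) -> str:
    """Apply the four triage steps to one record and return the action to take."""
    email = cred.email.lower()
    # Step 1: only records with a plaintext password can go through the policy check.
    if not cred.password:
        return "review: hash only, policy check not possible"
    # Step 2: a password that violates policy cannot be the current corporate password.
    if not meets_policy(cred.password):
        return "skip: does not meet password policy"
    # Step 3: is the address still an active account in the directory?
    if email not in active_accounts:
        return "skip: no active account"
    # Step 4: has this exact email/password pair already been handled?
    if (email, cred.password) in remediated:
        return "skip: already remediated"
    return "reset: force reset, review recent sign-ins, record metric"


def remediate(cred: LeakedCredential, remediated: Set[Tuple[str, str]]) -> None:
    """After the reset, record the pair so the same leak is never worked twice."""
    remediated.add((cred.email.lower(), cred.password))


def triage_batch(records: Iterable[LeakedCredential], active_accounts: Set[str],
                 remediated: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    results = []
    for cred in records:
        action = triage(cred, active_accounts, remediated)
        if action.startswith("reset"):
            remediate(cred, remediated)
        results.append((cred.email, action))
    return results


# Constructed sample data standing in for the leak feed and internal systems.
ACTIVE_ACCOUNTS = {"alice@example.com", "bob@example.com", "erin@example.com"}
REMEDIATED = {("bob@example.com", "Winter2020!!")}
SAMPLE_LEAK = [
    LeakedCredential("alice@example.com", "Spring2022!x"),
    LeakedCredential("bob@example.com", "Winter2020!!"),
    LeakedCredential("carol@example.com", "Summer2021!!"),
    LeakedCredential("dave@example.com", "password123"),
    LeakedCredential("erin@example.com", None, password_hash="<hash-from-dump>"),
]

if __name__ == "__main__":
    for email, action in triage_batch(SAMPLE_LEAK, ACTIVE_ACCOUNTS, set(REMEDIATED)):
        print(f"{email:20} {action}")
```

Running the same batch a second time against the updated remediated set turns alice's record from "reset" into "skip: already remediated", which is exactly the saving the remediation database buys when stale dumps are re-posted under new names.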
If a leaked credential is identified, a typical step is identifying if the user is an active user in the network directory. If the user is an active user, security can reach out to the user and instruct them to change their passwords, or even force reset the user’s credentials on the organization’s environment.
At scale, it can be useful to determine if compromised passwords or hashes are active anywhere in the environment. There are methods for conducting this analysis, for example with Windows PowerShell modules like DSInternals, but these can be more complicated to configure. Still, scanning your enterprise for leaked credentials in use can help secure your organization.
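To show what the at-scale check above amounts to, here is an added Python example; it is not code from the original post and does not use DSInternals. Given a set of leaked hashes and a directory export of account-to-hash pairs, it reports which accounts currently use a leaked password and which accounts share a password with each other, without ever reversing a hash. Both inputs are constructed samples: a real Active Directory export yields NT hashes, whereas unsalted SHA1 is used here only so the example runs self-contained.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Set


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed leaked hash set, as a dump that carried only hashes would give you.
LEAKED_HASHES: Set[str] = {sha1_hex(p) for p in ["password123", "Summer2021!!", "letmein"]}

# Constructed directory export: account -> stored password hash. A real AD export
# would carry NT hashes; unsalted SHA1 keeps the sample self-contained.
DIRECTORY_EXPORT: Dict[str, str] = {
    "alice": sha1_hex("Spring2022!x"),
    "bob": sha1_hex("Summer2021!!"),
    "svc-backup": sha1_hex("Summer2021!!"),
    "carol": sha1_hex("password123"),
    "dave": sha1_hex("Autumn2019!!"),
}


def accounts_using_leaked_hashes(directory: Dict[str, str], leaked: Set[str]) -> List[str]:
    """Accounts whose current hash appears in the leaked set: reset these first."""
    return sorted(acct for acct, h in directory.items() if h.lower() in leaked)


def accounts_sharing_a_hash(directory: Dict[str, str]) -> Dict[str, List[str]]:
    """Identical hashes mean identical passwords, so one leak exposes every
    account in the group (a common finding for service accounts)."""
    groups = defaultdict(list)
    for acct, h in directory.items():
        groups[h.lower()].append(acct)
    return {h: sorted(accts) for h, accts in groups.items() if len(accts) > 1}


def scan(directory: Dict[str, str], leaked: Set[str]) -> Dict[str, list]:
    """One pass over the export producing both findings for the security team."""
    return {
        "compromised": accounts_using_leaked_hashes(directory, leaked),
        "shared": list(accounts_sharing_a_hash(directory).values()),
    }


if __name__ == "__main__":
    for finding, accounts in scan(DIRECTORY_EXPORT, LEAKED_HASHES).items():
        print(f"{finding}: {accounts}")
```

Because the comparison is a set membership test on hashes, the leaked set can be loaded from a file of millions of entries and the export streamed account by account; no plaintext passwords are needed at any point, which is what makes this check feasible even when a dump contained only hashes.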
In summary, identifying and stopping leaked credentials can help keep your network secure against threats you see in the news, even ransomware threats.