In many cases, long before a credential breach becomes known, threat actors are already using the stolen usernames and passwords in a variety of ways, a new study has found.
F5 Networks recently analyzed open-source information about credential spill incidents over the past few years and found that stolen credentials go through five distinct stages of abuse, from the moment an attacker first acquires them until they are disseminated to other threat actors. The company’s analysis found that it takes half of all companies around 120 days – or four months – to discover a breach of their credentials, and even then only after a third party has informed them that their data has turned up on the dark web.
F5 researchers found that a lot usually happens to the credentials in the meantime. In the first phase, in the immediate days and weeks following a credential breach, the criminals responsible for the theft tend to use the stolen information stealthily and purposefully, says Sander Vinberg, threat research evangelist at F5.
The focus is often on using the credentials to establish persistence on a network, or to take over key accounts, conduct reconnaissance, and gather whatever additional information they can. “They monetize the data, but they monetize it very carefully and with clear goals.” This is when the potential for long-term damage is greatest, says Vinberg.
The second phase begins when the original attackers start sharing the stolen credentials with others in the criminal community. As the data becomes more widely available on the dark web, credential stuffing attacks increase sharply. The increased activity usually lasts only about a month, since it usually leads to the theft being discovered.
As news of the breach spreads and users begin changing their passwords in the third phase, script kiddies and other amateur threat actors rush to use the stolen username-password pairs in credential stuffing attacks against large web properties. “This is the phase in which the greatest economic damage is done,” says Vinberg. “The greatest risks for companies are regulatory and financial sanctions.”
In the fourth phase, the stolen credentials no longer command a premium, but they are still used in attacks at a higher rate than in the first phase. In the fifth phase, attackers repackage the spilled credentials and try to keep using them.
As part of its research, F5 performed a historical analysis using data from a large set of spilled credentials that were offered for sale on a dark web forum in early 2019. F5 researchers compared the credentials in this dataset with the usernames used in credential stuffing attacks against four of its Fortune 500 customers: two banks, a retailer, and a food and beverage company.
F5’s analysis showed that when attackers first gained access to a spilled credential, they used it an average of 15 to 20 times per day in attacks against the four organizations. In the third phase, the credentials were used up to 130 times per day, and in the fourth phase usage had dropped back to about 28 times per day. “The overall conclusion is that credential stuffing is a very big problem,” says Vinberg. “It manifests in different ways, but at this stage no one can afford to downplay the risk it poses.”
A widely recognized problem
Several others have also documented the growing threat of credential stuffing attacks – especially in the months since the global COVID-19 pandemic began. In a study published last November, Arkose Labs researchers found that of the 1.3 billion attempted fraud attacks they observed in the third quarter of 2020, approximately 770 million involved credential stuffing techniques. Another study, by Digital Shadows, found that more than 15 billion stolen or otherwise exposed credentials are available for sale on dark web markets. The company found credentials for everything from domain administrator accounts to bank accounts, adult site logins, and video game and video streaming accounts, priced from a few thousand dollars down to around $2 for access to file-sharing sites.
One bright spot the F5 study uncovered was a steady decline in the average and median number of credentials exposed per incident since 2016. Although the total number of credential breach incidents more than doubled – from 51 in 2016 to 117 last year – the average number of records per incident fell from over 63.4 million to around 17 million. If mega-breaches are excluded from the calculation, a typical credential compromise incident in 2020 affected around 2 million records, compared with 2.7 million in 2016.
Vinberg says the data suggests that the largest organizations – those with the greatest number of credentials – have gotten better at protecting their data. “Huge security breaches are becoming less common, but medium-sized businesses are still being breached,” he notes.
F5’s data shows that poor password protection practices continue to be a large part of the problem. Approximately 13.3% of credential compromise incidents, and more than 42% of the credentials exposed between 2018 and 2020, involved passwords stored in clear text. When businesses did try to protect passwords, they often used MD5 hashes, a method that F5 describes as widely discredited.
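To illustrate the last point, the following is an added example (not code from F5 or the report) that places the discredited scheme, an unsalted MD5 digest, beside a salted, iterated PBKDF2 record, and shows a defender's migration path that upgrades a legacy MD5 record on the user's next successful login. The usernames, passwords and record format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

# Constructed sample: two users who happen to share the same password.
USERS: Dict[str, str] = {"alice": "Summer2020!", "bob": "Summer2020!"}


def md5_store(password: str) -> str:
    """The discredited scheme: one fast, unsalted MD5 digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Record format (constructed for
    this example): algo$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def identical_digests(store_fn: Callable[[str], str], users=USERS) -> bool:
    """True when users sharing a password get identical stored values, i.e. the
    store is linkable and precomputable. Expected: True for MD5, False for PBKDF2."""
    values = [store_fn(pw) for pw in users.values()]
    return len(set(values)) < len(values)


def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Migration path: accept a legacy MD5 record once, then return a PBKDF2
    record the caller should write back. Returns (login_ok, record_to_store)."""
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), stored
    if hmac.compare_digest(md5_store(password), stored):  # legacy record matched
        return True, pbkdf2_store(password)
    return False, stored
```

The iteration count is a parameter so operators can raise it over time; every record carries its own count, so old and new records verify side by side.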