Endpoint

4/26/2016
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Verizon DBIR: Over Half Of Data Breaches Exploited Legitimate Passwords In 2015

Financial sector suffered the most breaches last year, followed by the accommodation/hotel sector.

Web attacks surged, financial gain reigned as a motive, and mobile and IoT remained a non-factor in real-world attacks last year.

Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords, according to the new 2016 Verizon Data Breach Investigations Report (DBIR), which publishes tomorrow. While widespread abuse of legitimate user credentials by bad guys is really no surprise, such a high percentage of cases was startling, according to Marc Spitler, senior manager at Verizon Security Research, and co-author of the report. 

“I knew credentials were a thing, obviously. What I wouldn’t have thought was that over half [of breaches] involved credentials,” Spitler says. “I knew it was a significant issue and knew we wanted to talk about it in the report, but I didn’t quite know it would be that high.”

Stolen credentials top the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers. Incident and breach data from victims of the pervasive and stubborn Dridex banking Trojan contributed to the findings on stolen credential use, according to the new Verizon report, which drew from more than 64,000 security incidents worldwide in 2015, 2,260 of which were actual data breaches. 

In addition to Verizon’s own incident response investigation data, some 65 organizations, including law enforcement agencies, the US Department of Homeland Security, and numerous security vendors, contributed incident and breach data for the report, including several involved in the Dridex botnet takedown in October of last year.

Web application attacks increased 33% in 2015 compared with 2014, and in 95% of these breaches, it was all in the name of financial gain. Web attacks rose this year to 82% -- from 31% last year -- against financial services firms, who along with information and retail industries, were hit most by these types of attacks, of which the report recorded 5,334 total incidents, 908 of which were data breaches.

Source: Verizon
Source: Verizon

Dridex, which was disrupted by US and UK authorities last year but began to resurface in new campaigns a few weeks later, again played a role here: “The breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions” against websites, the report says.

Dridex also caused crimeware activity to drop in favor of the use of stolen credentials from the infamous Trojan.

No ‘Killer’ IoT, Mobile

And once again, there was no sign of mobile devices becoming the next big attack vector amid the security incidents and data breaches analyzed in the report. Verizon in last year’s DBIR concluded that mobile devices were a nonfactor in 2014 real-world attacks, with only about 100 smartphones per week out of tens of millions of devices were getting infected, for a 0.68% infection rate, and mostly with adware or other relatively benign infections.

The story was much the same in 2015. Despite all of the vulnerabilities and the hype surrounding the dangers to enterprises of Internet of Things (IoT) things and constant barrage of bugs in popular mobile devices such as Apple iOS and Android, these devices have yet to prove to be widely exploited as attack vectors. So neither mobile nor IoT even made the DBIR report this year.

“We’re still not seeing it,” Verizon’s Spitler says. “There’s nothing there from our incident or breach corpus this year to do any other research around it. Inevitably, somebody will tell us we were wrong, but we tell the story of the data. The data is the data.”

“We’re not saying don’t worry about this [mobile or IoT],” Spitler says. “This is something you need as part of risk management program.”

Here’s what the Verizon DBIR said about the lack of IoT and mobile-borne attacks in 2015: “For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”

Who Got Hit Most

Financial firms were hit with the most data breaches last year, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137), and healthcare (115). The decline in big-box retail hacks syncs with many retailers starting to beef up transaction security, including their point-of-sale (PoS) systems. Hotels, meanwhile, have been the new target for cybercriminals in the past year.

Attackers getting faster in their hacks, but victims are still slow to detect they’ve been hit. According to the DBIR, most attackers (82%) compromised victims within minutes, and about 67% pilfered data within days, while 21% did so within minutes.

On the flip side, less than one-fourth of victims detected an attack in days or less. “We’d like to see discover improvement, but there’s a detection deficit,” Spitler says. “I’m a realist. I want to focus on getting the time to exfiltrate longer. Make the [attackers] do work once they get an initial foothold.”

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Meanwhile, Web attacks encompassed not only stolen credentials, but attacks via content management systems (CMS).  “A lot of plug-ins have vulnerabilities. You have so many layers to worry about in a Web app,” including ensuring there aren’t input-validation flaws. “A lot of hacking stems from there,” Spitler says.

Some 95% of confirmed Web breaches were financially motivated, according to the report. “In attacks against ecommerce servers, web shells are used to access the payment application code and capture user input,” for example, the DBIR said. CMSes are often the vector for installing those web shells.

“A series of events we saw across multiple patterns was phishing -- to drop malware to establish control of a user device, and leverage credentials to advance your attack within the same organization or in another organization,” Spitler says. “The endgame is to compromise that user device and turn it into a spam sender or a DDoS [bot], or to get a foothold into a corporation and dig deeper” for information, he says.

And with POS attacks, it’s all about phishing and installing malware or a keylogger to capture credentials, he says.

Related Content:

 

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.