4/26/2016
12:01 AM
Verizon DBIR: Over Half Of Data Breaches Exploited Legitimate Passwords In 2015

Financial sector suffered the most breaches last year, followed by the accommodation/hotel sector.

Web attacks surged, financial gain reigned as a motive, and mobile and IoT remained a non-factor in real-world attacks last year.

Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords, according to the new 2016 Verizon Data Breach Investigations Report (DBIR), which publishes tomorrow. While widespread abuse of legitimate user credentials by bad guys is really no surprise, such a high percentage of cases was startling, according to Marc Spitler, senior manager at Verizon Security Research, and co-author of the report. 

“I knew credentials were a thing, obviously. What I wouldn’t have thought was that over half [of breaches] involved credentials,” Spitler says. “I knew it was a significant issue and knew we wanted to talk about it in the report, but I didn’t quite know it would be that high.”

Stolen credentials top the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers. Incident and breach data from victims of the pervasive and stubborn Dridex banking Trojan contributed to the findings on stolen credential use, according to the new Verizon report, which drew from more than 64,000 security incidents worldwide in 2015, 2,260 of which were actual data breaches. 

In addition to Verizon’s own incident response investigation data, some 65 organizations, including law enforcement agencies, the US Department of Homeland Security, and numerous security vendors, contributed incident and breach data for the report, including several involved in the Dridex botnet takedown in October of last year.

Web application attacks increased 33% in 2015 compared with 2014, and in 95% of these breaches, it was all in the name of financial gain. Web attacks against financial services firms rose to 82% this year from 31% last year; financial services, along with the information and retail industries, were hit hardest by these types of attacks, of which the report recorded 5,334 total incidents, 908 of which were data breaches.

Source: Verizon

Dridex, which was disrupted by US and UK authorities last year but began to resurface in new campaigns a few weeks later, again played a role here: “The breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions” against websites, the report says.

Dridex also caused crimeware activity to drop in favor of the use of credentials stolen by the infamous Trojan.

No ‘Killer’ IoT, Mobile

And once again, there was no sign of mobile devices becoming the next big attack vector amid the security incidents and data breaches analyzed in the report. Verizon in last year’s DBIR concluded that mobile devices were a nonfactor in 2014 real-world attacks, with only about 100 smartphones per week, out of tens of millions of devices, getting infected, for a 0.68% infection rate, and mostly with adware or other relatively benign infections.

The story was much the same in 2015. Despite all of the vulnerabilities, the hype surrounding the dangers that Internet of Things (IoT) devices pose to enterprises, and the constant barrage of bugs in popular mobile platforms such as Apple iOS and Android, these devices have yet to prove to be widely exploited as attack vectors. So neither mobile nor IoT even made the DBIR report this year.

“We’re still not seeing it,” Verizon’s Spitler says. “There’s nothing there from our incident or breach corpus this year to do any other research around it. Inevitably, somebody will tell us we were wrong, but we tell the story of the data. The data is the data.”

“We’re not saying don’t worry about this [mobile or IoT],” Spitler says. “This is something you need as part of [a] risk management program.”

Here’s what the Verizon DBIR said about the lack of IoT and mobile-borne attacks in 2015: “For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”

Who Got Hit Most

Financial firms were hit with the most data breaches last year, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137), and healthcare (115). The decline in big-box retail hacks syncs with many retailers starting to beef up transaction security, including their point-of-sale (PoS) systems. Hotels, meanwhile, have been the new target for cybercriminals in the past year.

Attackers are getting faster in their hacks, but victims are still slow to detect they’ve been hit. According to the DBIR, most attackers (82%) compromised victims within minutes, and about 67% pilfered data within days, while 21% did so within minutes.

On the flip side, less than one-fourth of victims detected an attack in days or less. “We’d like to see discover[y] improvement, but there’s a detection deficit,” Spitler says. “I’m a realist. I want to focus on getting the time to exfiltrate longer. Make the [attackers] do work once they get an initial foothold.”
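To show how the “within minutes” and “within days” figures above are measured, here is an added example (not Verizon’s code or data) that buckets constructed incident timelines by order of magnitude the way the DBIR presents them, computes the compromise, exfiltration and discovery shares, and counts incidents where detection beat exfiltration; the bucket boundaries and the four-timestamp record format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample incident timelines (not DBIR data). Each record holds
# ISO 8601 timestamps for: attacker's first action, initial compromise,
# first exfiltration, and the victim's discovery of the incident.
INCIDENTS = [
    ("inc-1", "2015-03-02T09:00:00", "2015-03-02T09:03:00", "2015-03-02T09:04:00", "2015-03-19T10:00:00"),
    ("inc-2", "2015-04-10T14:00:00", "2015-04-10T14:20:00", "2015-04-12T02:00:00", "2015-04-12T08:30:00"),
    ("inc-3", "2015-06-01T10:59:40", "2015-06-01T11:00:00", "2015-06-01T11:00:30", "2015-09-15T16:00:00"),
    ("inc-4", "2015-07-19T08:00:00", "2015-07-21T08:00:00", "2015-07-25T20:00:00", "2015-07-22T09:00:00"),
]

# Order-of-magnitude buckets in the style the DBIR uses for timelines
# (assumed boundaries); a duration falls in the first bucket whose upper
# bound it is below.
BUCKETS = [
    ("seconds", timedelta(minutes=1)),
    ("minutes", timedelta(hours=1)),
    ("hours", timedelta(days=1)),
    ("days", timedelta(weeks=1)),
    ("weeks", timedelta(days=30)),
    ("months", timedelta(days=365)),
    ("years", None),
]
ORDER = [name for name, _ in BUCKETS]


def bucket(delta):
    """Map a duration to its bucket name."""
    for name, upper in BUCKETS:
        if upper is None or delta < upper:
            return name


def no_slower_than(name, limit):
    """True if bucket `name` is `limit` or a faster bucket ("within days")."""
    return ORDER.index(name) <= ORDER.index(limit)


def timeline_stats(incidents):
    """Bucket each incident's time-to-compromise, time-to-exfiltrate and
    time-to-discover, and return the shares the DBIR headlines plus the
    number of incidents discovered before any data left (detection won)."""
    n = len(incidents)
    fast_compromise = fast_exfil = found_in_days = contained = 0
    for _, first, comp, exfil, disc in incidents:
        t_first, t_comp, t_exfil, t_disc = map(datetime.fromisoformat, (first, comp, exfil, disc))
        ttc, tte, ttd = t_comp - t_first, t_exfil - t_comp, t_disc - t_comp
        fast_compromise += no_slower_than(bucket(ttc), "minutes")
        fast_exfil += no_slower_than(bucket(tte), "minutes")
        found_in_days += no_slower_than(bucket(ttd), "days")
        contained += t_disc < t_exfil  # discovery preceded exfiltration
    return {
        "compromise_within_minutes": fast_compromise / n,
        "exfil_within_minutes": fast_exfil / n,
        "discovered_within_days": found_in_days / n,
        "contained_before_exfil": contained,
    }


if __name__ == "__main__":
    print(timeline_stats(INCIDENTS))
```

Run against your own incident register, the gap between the first share and the third is the detection deficit Spitler describes.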


Meanwhile, Web attacks encompassed not only stolen credentials, but attacks via content management systems (CMS). “A lot of plug-ins have vulnerabilities. You have so many layers to worry about in a Web app,” including ensuring there aren’t input-validation flaws. “A lot of hacking stems from there,” Spitler says.

Some 95% of confirmed Web breaches were financially motivated, according to the report. “In attacks against ecommerce servers, web shells are used to access the payment application code and capture user input,” for example, the DBIR said. CMSes are often the vector for installing those web shells.

“A series of events we saw across multiple patterns was phishing -- to drop malware to establish control of a user device, and leverage credentials to advance your attack within the same organization or in another organization,” Spitler says. “The endgame is to compromise that user device and turn it into a spam sender or a DDoS [bot], or to get a foothold into a corporation and dig deeper” for information, he says.

And with PoS attacks, it’s all about phishing and installing malware or a keylogger to capture credentials, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
