Dark Reading is part of the Informa Tech Division of Informa PLC




Compromised Credentials Show That Abuse Happens in Multiple Phases

The third stage, when threat actors rush to use stolen username and password pairs in credential-stuffing attacks, is the most damaging for organizations, F5 says.

Long before a credential breach becomes public, threat actors in many cases have already been using the stolen usernames and passwords in different ways, a new study has revealed.

F5 Networks recently analyzed open-source information on credential-spill incidents in recent years and discovered that stolen credentials go through five separate phases of abuse, from the moment a threat actor first acquires the credentials to when they are subsequently disseminated among other threat actors. The company's analysis showed that half of all organizations take about 120 days — or four months — to discover a credential breach. And even then, it is usually only after a third party has informed them that their data has been discovered on the Dark Web.


F5 researchers discovered that a lot typically goes on with the credentials in the interim. During the first stage, in the immediate days and weeks following a credential breach, the criminals responsible for the data theft tend to use the stolen information in a stealthy and purposeful manner, says Sander Vinberg, threat research evangelist at F5.

The focus often is on using the credentials to try and establish persistence on a network, or to try and take over key accounts, conduct reconnaissance, and harvest whatever additional information they can. "They are monetizing the data, but they are monetizing it very carefully and with clear objectives in mind." This is when the potential for long-term damage is the greatest, Vinberg says.

The second stage kicks in when the original attackers begin sharing the stolen credentials with others in the community. As the data becomes more widely available on the Dark Web, credential-stuffing attacks begin ramping up sharply. The increased activity usually lasts only about one month because it typically results in the credential theft being discovered.

As word of the breach starts spreading and users start changing passwords in the third stage, script kiddies and other amateur threat actors rush to use the stolen username and password pairs in credential-stuffing attacks on large Web properties. "This is the stage when the most economic damage is done," Vinberg says. "The greatest risk to organizations is regulatory and financial penalties."

By the fourth phase, the stolen credentials no longer have premium value but are still being used in attacks at a higher rate than during the first phase. The fifth stage is when attackers repackage spilled credentials and try to continue to use them.

As part of its research, F5 conducted a historical analysis using data from a large set of spilled credentials that became available for sale on a Dark Web forum in early 2019. Researchers from F5 compared credentials in that dataset against usernames used in credential-stuffing attacks against four of its Fortune 500 customers, two of which were banks, one a retailer, and the other a food and beverage company.

F5's analysis showed that when attackers first had access to the spilled credentials, they used them on average between 15 and 20 times per day in attacks against the four organizations. By stage three, the credentials were being used up to 130 times a day, and by the fourth stage usage had dropped back to around 28 times per day. "The overarching conclusion is that credential stuffing is a very large problem," Vinberg says. "It manifests in different ways, but at this stage, no one can afford to downplay the risk it represents."
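The comparison F5 describes, matching usernames from a known spill against login attempts and watching the daily rate climb, is something a defender can run against their own authentication logs. The following is an added example, not F5's code or methodology as published: the spill list, log format and log lines are constructed for illustration, and the baseline rate and thresholds passed to flag_stuffing are assumptions to be tuned to real traffic.

```python
"""Detect credential-stuffing activity by matching login attempts against a
known credential spill and flagging days where spilled-username traffic spikes.

Added example, not F5's code. The spill list, the log format
("<ts> login user=<u> src=<ip> result=<ok|fail>") and the log lines below
are constructed for illustration."""
import re
from collections import defaultdict

# Constructed: usernames that appeared in a hypothetical credential spill.
SPILLED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
                 "dave@example.com", "erin@example.com"}

# Constructed auth log. Day 1 is normal traffic with a few spilled names;
# day 2 shows the stuffing pattern: many spilled accounts, almost all failing,
# from a small number of sources.
AUTH_LOG = """\
2019-03-01T08:00:01 login user=alice@example.com src=203.0.113.5 result=fail
2019-03-01T08:00:02 login user=bob@example.com src=203.0.113.5 result=fail
2019-03-01T09:12:44 login user=frank@example.com src=198.51.100.9 result=ok
2019-03-01T10:30:00 login user=carol@example.com src=203.0.113.5 result=ok
2019-03-02T08:00:01 login user=alice@example.com src=203.0.113.7 result=fail
2019-03-02T08:00:01 login user=bob@example.com src=203.0.113.7 result=fail
2019-03-02T08:00:02 login user=carol@example.com src=203.0.113.7 result=fail
2019-03-02T08:00:02 login user=dave@example.com src=203.0.113.7 result=fail
2019-03-02T08:00:03 login user=erin@example.com src=203.0.113.7 result=fail
2019-03-02T08:00:03 login user=alice@example.com src=203.0.113.8 result=fail
2019-03-02T11:00:00 login user=frank@example.com src=198.51.100.9 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def daily_spill_stats(text, spilled):
    """Per day: attempts against spilled usernames, how many failed,
    and how many distinct source addresses made them."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "sources": set()})
    for ev in parse_log(text):
        if ev["user"].lower() not in spilled:
            continue
        day = ev["ts"][:10]
        s = stats[day]
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["fails"] += 1
        s["sources"].add(ev["src"])
    return {d: {"attempts": s["attempts"], "fails": s["fails"],
                "sources": len(s["sources"])} for d, s in stats.items()}


def flag_stuffing(stats, baseline_per_day, multiplier=3.0, min_fail_ratio=0.8):
    """Flag days where spilled-username attempts exceed the baseline by
    `multiplier` and mostly fail: stuffing touches many accounts and succeeds
    on few, which is what separates it from users logging in normally.
    baseline_per_day, multiplier and min_fail_ratio are assumed values."""
    flagged = []
    for day, s in sorted(stats.items()):
        if s["attempts"] == 0:
            continue
        fail_ratio = s["fails"] / s["attempts"]
        if s["attempts"] >= multiplier * baseline_per_day and fail_ratio >= min_fail_ratio:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    stats = daily_spill_stats(AUTH_LOG, SPILLED_USERS)
    for day, s in sorted(stats.items()):
        print(day, s)
    print("stuffing suspected on:", flag_stuffing(stats, baseline_per_day=1.5))
```

The baseline is the key tunable: F5's 15-to-20-per-day figure for stage one is the sort of number that comes out of `daily_spill_stats` over a quiet period, and the spike to ~130 per day in stage three is what `flag_stuffing` is designed to catch. Matching on usernames alone is deliberate; it never requires the defender to hold the spilled passwords.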

A Widely Acknowledged Problem
Several others have documented the growing danger of credential-stuffing attacks as well — especially in the months since the global COVID-19 pandemic began. In one study, released last November, researchers from Arkose Labs found that of the 1.3 billion attempted fraud attacks it observed in the third quarter of 2020, some 770 million involved credential-stuffing techniques. Another study, by Digital Shadows, found more than 15 billion stolen or otherwise exposed credentials available for sale in Dark Web markets. The company found credentials for everything from domain administrator accounts to bank accounts, adult-site logins, and video game and video streaming accounts readily available at prices ranging from a few thousand dollars to around $2 for access to file-sharing sites.

One silver lining that F5's study uncovered was a steady decrease in the average and median number of credentials exposed per incident compared with 2016. Though the overall number of credential compromise incidents itself more than doubled — from 51 in 2016 to 117 last year — the average number of records per incident dropped from over 63.4 million to around 17 million. When mega-breaches were excluded from the calculation, typical credential compromise incidents involved around 2 million records in 2020 compared with 2.7 million in 2016.

Vinberg says the data suggests that the largest organizations — those with the largest number of credentials — have gotten better at protecting the data. "Enormous breaches are becoming less common but midsize organizations are continuing to get breached," he notes.

F5's data shows that poor password protection practices continue to be a big contributor to the problem. Some 13.3% of credential compromise incidents and more than 42% of exposed credentials between 2018 and 2020 involved passwords stored in plaintext. When organizations did make an attempt to protect passwords, they often used MD5 hashes, a method that F5 describes as being widely discredited.
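Why unsalted MD5 counts as discredited for password storage is worth showing concretely. The following is an added example, not F5's or anyone else's production code: the usernames, passwords and wordlist are constructed, and the spill records are built in the script itself. The unsalted MD5 records are cracked with a single lookup table, one hash per wordlist entry regardless of how many users are in the dump; the salted PBKDF2-HMAC-SHA256 records (Python's standard-library `hashlib.pbkdf2_hmac`) force one full key derivation per user per candidate, and identical passwords no longer produce identical records. The iteration count used for the constructed records is lowered so the demo runs quickly; the production figure in `PRODUCTION_ITERATIONS` is an assumption to adjust to your own budget.

```python
"""Contrast unsalted MD5 password storage with salted PBKDF2-HMAC-SHA256
against a wordlist attack on a (constructed) credential spill.

Added example, not code from the article or from F5. All records below are
constructed inside this script."""
import hashlib
import hmac
import os

# Constructed wordlist; a real attack uses far larger lists.
WORDLIST = ["password", "123456", "letmein", "qwerty", "correct horse"]


def md5_hex(pw):
    """The discredited scheme: unsalted, fast, one hash per distinct password."""
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed spill of unsalted MD5 records. alice and carol share a password,
# so their records are identical before any cracking is done.
MD5_SPILL = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("123456"),
    "carol": md5_hex("letmein"),
    "dave": md5_hex("Tr0ub4dor&3"),
}


def crack_unsalted_md5(spill, wordlist):
    """Build a lookup table once (len(wordlist) hashes) and crack every user
    in the dump by dictionary lookup. Returns (found, hashes_computed)."""
    table = {md5_hex(w): w for w in wordlist}
    found = {u: table[h] for u, h in spill.items() if h in table}
    return found, len(wordlist)


PRODUCTION_ITERATIONS = 600_000  # assumption: pick for ~100ms/verify on your hardware
DEMO_ITERATIONS = 2_000          # lowered only so this script runs fast


def hash_password(pw, iterations=PRODUCTION_ITERATIONS, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the record carries its own parameters so the
    iteration count can be raised later without breaking verification."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iterations; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed spill of the same four passwords, stored properly.
SALTED_SPILL = {
    "alice": hash_password("letmein", DEMO_ITERATIONS),
    "bob": hash_password("123456", DEMO_ITERATIONS),
    "carol": hash_password("letmein", DEMO_ITERATIONS),
    "dave": hash_password("Tr0ub4dor&3", DEMO_ITERATIONS),
}


def crack_salted(spill, wordlist):
    """No shared table is possible: each (user, candidate) pair costs a full
    derivation. Returns (found, derivations_computed)."""
    found, work = {}, 0
    for user, stored in spill.items():
        for candidate in wordlist:
            work += 1
            if verify_password(candidate, stored):
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(MD5_SPILL, WORDLIST))
    print("salted PBKDF2:", crack_salted(SALTED_SPILL, WORDLIST))
    print("alice/carol MD5 records equal:", MD5_SPILL["alice"] == MD5_SPILL["carol"])
    print("alice/carol PBKDF2 records equal:", SALTED_SPILL["alice"] == SALTED_SPILL["carol"])
```

With four users the gap is 5 hashes versus 13 derivations; with millions of records, as in the spills the article discusses, the unsalted side still costs one hash per wordlist entry while the salted side scales with the number of users, and each derivation is deliberately slow. Weak passwords are still recovered either way, which is why the hashing scheme limits the blast radius of a spill but does not replace MFA or stuffing detection.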

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

User Rank: Apprentice
2/18/2021 | 6:29:26 AM
Need a different approach to authentication than Passwords and OTPs
Interesting to see how long attackers misuse stolen credentials and how the credential spill incidents increased over time.

For me the key takeaway is that just different rules for passwords won't help to fundamentally change those attacks - they look like "band-aids".

We need to change the game for attackers with a modern approach to authentication - one that protects against scalable attacks like phishing and credential re-use and that is suited to improve the login success rate from today's 60 to 80% to more than 90%.

The good news is that such a modern approach to authentication is not science fiction - it is practical today and it has already been deployed by many companies.