Dark Reading is part of the Informa Tech Division of Informa PLC




Compromised Credentials Show That Abuse Happens in Multiple Phases

The third stage, when threat actors rush to use stolen usernames and password pairs in credential-stuffing attacks, is the most damaging for organizations, F5 says.

Long before a credential breach becomes public, threat actors in many cases have already been using the stolen usernames and passwords in different ways, a new study has revealed.

F5 Networks recently analyzed open source information on credential-spill incidents in recent years and found that stolen credentials go through five separate phases of abuse, from the moment a threat actor first acquires them to when they are disseminated among other threat actors. The company's analysis showed that the median time to discover a credential breach is about 120 days, or four months, and even then discovery usually comes only after a third party has reported finding the data on the Dark Web.


F5 researchers discovered that a lot typically goes on with the credentials in the interim. During the first stage, in the immediate days and weeks following a credential breach, the criminals responsible for the data theft tend to use the stolen information in a stealthy and purposeful manner, says Sander Vinberg, threat research evangelist at F5.

The focus often is on using the credentials to try and establish persistence on a network, or to try and take over key accounts, conduct reconnaissance, and harvest whatever additional information they can. "They are monetizing the data, but they are monetizing it very carefully and with clear objectives in mind." This is when the potential for long-term damage is the greatest, Vinberg says.

The second stage kicks in when the original attackers begin sharing the stolen credentials with others in the criminal community. As the data becomes more widely available on the Dark Web, credential-stuffing attacks ramp up sharply. This surge usually lasts only about a month, because the increased activity usually leads to the credential theft being discovered.

As word of the breach starts spreading and users start changing passwords in the third stage, script kiddies and other amateur threat actors rush to use the stolen username and password pairs in credential-stuffing attacks on large Web properties. "This is the stage when the most economic damage is done," Vinberg says. "The greatest risk to organizations is regulatory and financial penalties."

By the fourth phase, the stolen credentials no longer have premium value but are still being used in attacks at a higher rate than during the first phase. The fifth stage is when attackers repackage spilled credentials and try to continue to use them.

As part of its research, F5 conducted a historical analysis using a large set of spilled credentials that became available for sale on a Dark Web forum in early 2019. Researchers from F5 compared the usernames in that dataset against usernames used in credential-stuffing attacks against four of its Fortune 500 customers: two banks, a retailer, and a food and beverage company.

F5's analysis showed that when attackers first had access to the spilled credentials, they used them on average 15 to 20 times per day in attacks against the four organizations. By stage three, the credentials were being used up to 130 times a day, and by the fourth stage usage had dropped back to around 28 times per day. "The overarching conclusion is that credential stuffing is a very large problem," Vinberg says. "It manifests in different ways, but at this stage, no one can afford to downplay the risk it represents."
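The comparison F5 describes, matching the username column of a spill against login attempts and counting hits per day, is straightforward to reproduce against an organization's own authentication logs. The following Python script is an added example, not F5's tooling or data: the spilled username set and the log lines are constructed, the log format ("timestamp username source-ip OK|FAIL") is an assumption, and the surge threshold (three times the median daily count) is an arbitrary choice for illustration.

```python
"""Replaying a spilled-credential list against an authentication log.

Added example (Python), not F5's tooling or data: the spilled username
set and the log lines below are constructed, and the log format
"<ISO timestamp> <username> <source ip> <OK|FAIL>" is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed: usernames from a hypothetical spill. Only the username
# column is needed for this check; the spilled passwords never have to
# be loaded into the detection pipeline.
SPILLED_USERNAMES = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed auth log. The first two days look like stage-one abuse
# (few, targeted attempts); the last day looks like stage-three stuffing
# (many attempts, many source IPs, a low success rate).
SAMPLE_LOG = """\
2019-01-03T08:12:01Z alice@example.com 203.0.113.5 FAIL
2019-01-03T09:40:12Z dave@example.com 198.51.100.7 OK
2019-01-03T22:02:55Z bob@example.com 203.0.113.5 FAIL
2019-01-10T14:30:00Z carol@example.com 192.0.2.9 OK
2019-01-10T15:01:10Z dave@example.com 198.51.100.7 FAIL
2019-02-14T01:00:00Z alice@example.com 198.51.100.20 FAIL
2019-02-14T01:00:01Z bob@example.com 198.51.100.21 FAIL
2019-02-14T01:00:02Z carol@example.com 198.51.100.22 FAIL
2019-02-14T01:00:03Z alice@example.com 198.51.100.23 OK
2019-02-14T01:00:04Z bob@example.com 198.51.100.24 FAIL
2019-02-14T01:00:05Z carol@example.com 198.51.100.25 FAIL
2019-02-14T01:00:06Z alice@example.com 198.51.100.26 FAIL
2019-02-14T01:00:07Z bob@example.com 198.51.100.27 FAIL
2019-02-14T01:00:08Z dave@example.com 198.51.100.28 FAIL
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, username, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.lower(), ip, result))
    return events


def daily_spill_hits(events, spilled):
    """Per calendar day: attempts using a spilled username, how many distinct
    source IPs made them, and how many of those attempts succeeded."""
    attempts, successes = Counter(), Counter()
    ips = defaultdict(set)
    for ts, user, ip, result in events:
        if user not in spilled:
            continue
        day = ts.date().isoformat()
        attempts[day] += 1
        ips[day].add(ip)
        if result == "OK":
            successes[day] += 1
    return {day: {"attempts": attempts[day],
                  "distinct_ips": len(ips[day]),
                  "successes": successes[day]} for day in attempts}


def flag_surge_days(stats, factor=3):
    """Days on which spilled-username attempts reach `factor` times the median
    daily count: the jump F5 describes between stage one and stage three."""
    baseline = median(s["attempts"] for s in stats.values())
    return sorted(d for d, s in stats.items() if s["attempts"] >= factor * baseline)


if __name__ == "__main__":
    stats = daily_spill_hits(parse_log(SAMPLE_LOG), SPILLED_USERNAMES)
    for day, s in sorted(stats.items()):
        print(day, s)
    print("surge days:", flag_surge_days(stats))
```

The distinct-IP count matters as much as the raw attempt count: stage-one abuse in the constructed log comes from one address, while the stuffing day spreads eight attempts over eight addresses, which is what a per-IP rate limit would miss.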

A Widely Acknowledged Problem
Several others have documented the growing danger of credential-stuffing attacks as well, especially in the months since the global COVID-19 pandemic began. In one study, released last November, researchers from Arkose Labs found that of the 1.3 billion attempted fraud attacks it observed in the third quarter of 2020, some 770 million involved credential-stuffing techniques. Another study, by Digital Shadows, found more than 15 billion stolen or otherwise exposed credentials available for sale in Dark Web markets. The company found credentials for everything from domain administrator accounts to bank accounts, adult-site logins, and video game and video streaming accounts readily available, at prices ranging from a few thousand dollars at the top end down to around $2 for access to file-sharing sites.

One silver lining that F5's study uncovered was a steady decrease in the average and median number of credentials exposed per incident compared with 2016. Though the overall number of credential compromise incidents itself more than doubled — from 51 in 2016 to 117 last year — the average number of records per incident dropped from over 63.4 million to around 17 million. When mega-breaches were excluded from the calculation, typical credential compromise incidents involved around 2 million records in 2020 compared with 2.7 million in 2016.

Vinberg says the data suggests that the largest organizations — those with the largest number of credentials — have gotten better at protecting the data. "Enormous breaches are becoming less common but midsize organizations are continuing to get breached," he notes.

F5's data shows that poor password-storage practices continue to be a big contributor to the problem. Some 13.3% of credential compromise incidents, and more than 42% of the credentials exposed, between 2018 and 2020 involved passwords stored in plaintext. When organizations did make an attempt to protect passwords, they often used MD5, a fast general-purpose hash that F5 describes as widely discredited for password storage.
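Why unsalted MD5 is little better than plaintext once the table is spilled, and what the salted, slow alternative looks like, can be shown in a few lines. The following Python is an added example, not code from the F5 report: the user table, the passwords and the attacker's wordlist are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever salted, deliberately slow hash (scrypt, bcrypt, Argon2) a production system would choose.

```python
"""Unsalted MD5 password storage beside a salted, iterated hash.

Added example (Python), not the F5 report's code: the user table, the
passwords and the attacker's wordlist are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed: a small "cracking dictionary". Real ones hold billions of
# entries, precomputed once and reused against every unsalted dump.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2020!"]


def md5_store(password):
    """The discredited scheme: one unsalted, fast MD5 digest per user."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_table(stored, wordlist):
    """Reverse unsalted MD5 digests by table lookup. With no salt, every
    user who chose the same password has the same digest, so one
    precomputed table breaks all of them at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def pbkdf2_store(password, iterations=600_000):
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256, stdlib).
    The random per-user salt defeats shared lookup tables; the iteration
    count makes every guess cost real CPU time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and parameters; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed legacy user table: what an MD5 spill looks like to whoever
# buys it on a forum.
LEGACY_DB = {
    "alice": md5_store("password"),
    "bob": md5_store("Summer2020!"),
    "carol": md5_store("password"),
    "dave": md5_store("correct horse battery staple"),
}

if __name__ == "__main__":
    print("cracked from MD5 table:", crack_md5_table(LEGACY_DB, COMMON_PASSWORDS))
    rec = pbkdf2_store("password")
    print("pbkdf2 record:", rec)
    print("verify correct:", pbkdf2_verify("password", rec))
    print("verify wrong:  ", pbkdf2_verify("Password", rec))
```

Note that alice and carol share a digest in the MD5 table, so the attacker learns both passwords from one lookup, whereas two PBKDF2 records for the same password differ because each carries its own salt. The iteration count is stored in the record so it can be raised later without invalidating existing users.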

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
2/18/2021 | 6:29:26 AM
Need a different approach to authentication than Passwords and OTPs
Interesting to see how long attackers misuse stolen credentials and how the credential spill incidents increased over time.

For me the key takeaway is that just different rules for passwords won't help to fundamentally change those attacks - they look like "band-aids".

We need to change the game for attackers with a modern approach to authentication - one that protects against scalable attacks like phishing and credential re-use and that is suited to improve the login success rate from today's 60 to 80% to more than 90%.

The good news is that such a modern approach to authentication is not science fiction - it is practical today and it has already been deployed by many companies.