Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

7/27/2020
10:00 AM
Alex Artamonov
Commentary

Pandemic Credential Stuffing: Cybersecurity's Ultimate Inside Job

How stolen credentials for services like Zoom and password reuse practices threaten to compromise other accounts and applications.

Like most of us, hackers would prefer to do as little work as possible, and all too often, we serve as their accomplices.

While some of those engaged in cyberattacks still wield virtual hacksaws and decode complex pathways, just about every cyberthief seeks the path of least resistance. Credential stuffing is one of the names that that path goes by.

Credential stuffing takes basic brute-force attacks to another — one might say more efficient — level. It replaces bluntness and random strings not with finesse but with what amounts to inside information. Think of credential stuffing as less like picking a single lock than gaining possession of the master key. In the wake of a breach, any breach, login credentials suddenly become currency, eligible for use on other servers.

That's problematic enough during normal times. During the COVID-19 pandemic, the challenges have only multiplied. Large-scale phishing campaigns and database dumps are happening at this writing. Risk factors are off the charts, given that more users are working remotely and, unfortunately, are having a tough time spotting phishing emails. That in turn leads to stolen credentials for services like Zoom and, thanks to password reuse, threatens to compromise other accounts and other applications. This also leads to the increasingly pervasive — and threatening — practice of business email compromise (BEC), where a single phished or dumped password can expose a user's full email history and enable the attacker even more access into that user's personal and professional life.

Back in the day, hackers maintained word lists — likely or conceivable passwords — to use against a system or an account. Hitting paydirt was a time-consuming process that paid uncertain dividends. With the profusion of legitimate passwords out and about in the real world — passwords associated with known accounts and usernames from online destinations such as Netflix, Facebook, Dropbox and legions more — credential stuffing effectively means game over for a huge number of users. And that wall that once separated business accounts (say, Wells Fargo) from personal accounts (say, Amazon Prime) has long since been, pardon the expression, breached. Password reuse has morphed into password abuse.

Here, as in so many other realms of cyber life, hackers got there first. They figured out the obvious: Ransacking a heavily trafficked site — a single service that yields access to thousands or millions of accounts — beats playing roulette with more obscure destinations. All of which is an irrefutable argument in favor of deploying unique passwords, at the very least.
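The difference the paragraphs above describe between the old word-list attack and credential stuffing is visible in authentication logs, which is where a defender catches it: a word-list attack is one account hit many times, while stuffing is many accounts hit once or twice each from the same source, with the occasional success marking a reused password that worked. The following Python is an added example, not code from the article or its author; the log layout, the IP addresses and the thresholds are constructed assumptions for the demonstration.

```python
"""Separate credential stuffing from classic brute force in auth logs.

Added example, not from the article. The log format (timestamp, source
IP, username, outcome) and the thresholds are assumptions for the demo.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.10 tries many different accounts once each
# (leaked username/password pairs being replayed), 198.51.100.7 hammers a
# single account (word-list brute force), 192.0.2.5 is a user with a typo.
SAMPLE_LOG = """\
2020-07-27T10:00:01Z 203.0.113.10 alice FAIL
2020-07-27T10:00:02Z 203.0.113.10 bob FAIL
2020-07-27T10:00:02Z 203.0.113.10 carol SUCCESS
2020-07-27T10:00:03Z 203.0.113.10 dave FAIL
2020-07-27T10:00:03Z 203.0.113.10 erin FAIL
2020-07-27T10:00:04Z 203.0.113.10 frank FAIL
2020-07-27T10:00:05Z 198.51.100.7 admin FAIL
2020-07-27T10:00:06Z 198.51.100.7 admin FAIL
2020-07-27T10:00:07Z 198.51.100.7 admin FAIL
2020-07-27T10:00:08Z 198.51.100.7 admin FAIL
2020-07-27T10:00:09Z 198.51.100.7 admin FAIL
2020-07-27T10:00:10Z 198.51.100.7 admin FAIL
2020-07-27T10:01:00Z 192.0.2.5 grace FAIL
2020-07-27T10:01:10Z 192.0.2.5 grace SUCCESS
"""

# Assumed thresholds; tune them against the real login volume.
MIN_ATTEMPTS = 5             # below this a source is not worth scoring
MIN_DISTINCT_ACCOUNTS = 5    # stuffing spreads across many accounts ...
MAX_TRIES_PER_ACCOUNT = 2.0  # ... with only one or two tries each


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        yield ts, ip, user, outcome == "SUCCESS"


def classify_sources(text):
    """Return a per-source-IP verdict and, for stuffing, the accounts it got into."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "failures": 0, "successes": []})
    for _ts, ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].append(user)
        else:
            s["failures"] += 1

    report = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        tries_per_account = s["attempts"] / distinct
        if s["attempts"] < MIN_ATTEMPTS:
            verdict = "benign"
        elif distinct >= MIN_DISTINCT_ACCOUNTS and tries_per_account <= MAX_TRIES_PER_ACCOUNT:
            # Many accounts, about one guess each: replayed leaked pairs.
            verdict = "credential_stuffing"
        elif distinct == 1 and s["failures"] >= MIN_ATTEMPTS:
            # One account, many guesses: the word-list attack of old.
            verdict = "brute_force"
        else:
            verdict = "benign"
        report[ip] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_accounts": distinct,
            # A success from a stuffing source is a reused password that worked.
            "compromised": sorted(s["successes"]) if verdict == "credential_stuffing" else [],
        }
    return report


if __name__ == "__main__":
    for ip, r in classify_sources(SAMPLE_LOG).items():
        print(ip, r)
```

The accounts listed under `compromised` are the ones to force a password reset on; the per-account failure counter that catches the word-list attacker never fires for the stuffing source, which is why the detection has to be keyed on the source rather than the account.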

There is, in fact, much more that individuals, acting as consumers and members of a given business community, can do. Requiring regular password changes and two-factor authentication can be effective at stopping these types of attacks, two-factor authentication especially.

That said, be aware that continuously compelling users to change passwords and having to remember so many different password combinations may have unintended consequences. Users may wind up creating a base password and simply changing the last few characters, which can lead to weak, and easily cracked, passwords. Enter the password manager, a popular solution but one that carries its own risks. A password manager effectively serves as a vault holding a trove of passwords, so take special care when selecting a password management solution. With two-factor authentication, even if the password is weak or leaked, the attacker isn't able to log in without having physical access to the user's phone or another device used to generate an OTP (one-time password). This is why most online services are scrambling to implement two-factor authentication or some other means of protecting potentially compromised accounts, such as artificial intelligence and machine learning.

If two-factor authentication is not possible, at the very least, mandate regular password changes. Doing so will make it more difficult to guess the correct password, given that leaked databases are not always fresh, and different sites will have different password change schedules, which, in turn, may effectively lead to randomized passwords. When using a password manager, it's also a good idea to use its security health-check feature, assuming one is available. Signing up an individual or an organization to an online list such as "have i been pwned" can help minimize risk after a leak from a password dump. It's yet another way to compel hackers to work that much harder to do mischief.
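The "have i been pwned" service the paragraph above points to also exposes the Pwned Passwords range API, which is what a password manager's health check or a sign-up form calls to learn whether a password is already in a dump, without the password ever leaving the machine: the client hashes it with SHA-1, sends only the first five hex characters, gets back every suffix in that range, and compares locally. The following Python is an added example, not the article's or HIBP's own code; the endpoint URL is the public range API, while the offline stand-in response and its count are constructed so the check runs without network access.

```python
"""Pwned Passwords k-anonymity range check (haveibeenpwned.com).

Added example, not from the article. FAKE_RANGES is constructed so the
check runs offline; fetch_range_http is the real call and is optional.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """'SUFFIX:COUNT' lines -> {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus (0 = not found).

    Only the first five hex characters of the SHA-1 go to the service; the
    match against the returned suffixes is done here, on the client.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live lookup against the public range API; needs network access."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in: pretend "password" is in the corpus with a
# made-up count, padded with two unrelated suffixes as a real range would be.
_LEAKED = sha1_upper("password")
FAKE_RANGES = {
    _LEAKED[:5]: "\r\n".join([
        sha1_upper("filler-one")[5:] + ":1",
        _LEAKED[5:] + ":3730471",
        sha1_upper("filler-two")[5:] + ":2",
    ]) + "\r\n",
}


def fetch_range_fake(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2020"):
        print(pw, "->", breach_count(pw, fetch_range_fake))
```

Swap `fetch_range_fake` for `fetch_range_http` to query the live corpus; a non-zero count is the signal to reject the password at sign-up or to flag it in a health check, and the service never sees more than a five-character prefix shared by hundreds of other hashes.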


Based in the Greater Phoenix area, Alex Artamonov is a systems engineer and cybersecurity specialist now in his 10th year with Infinitely Virtual. Skilled in VMware ESX, Microsoft Server and desktop operating systems, HP Proliant, and HP blade ...