By Yoav Iellin, Researcher, and Yiftach Keshet, Director of Product Marketing, Silverfort
According to a risk alert issued by the SEC on September 18th, 2020, there has been a recent increase in the number of cyber-attacks against SEC-registered investment advisers and brokers and dealers using credential stuffing. This risk becomes more acute in light of yesterday’s reporting on what was arguably the largest credentials leak to date, with approximately 13 billion records now available online for attackers to use.
What are credential stuffing attacks?
‘Credential stuffing’ is an automated attack method used for finding credentials of web-based applications, as well as direct network login account credentials. To execute these attacks, the attackers obtain lists of stolen usernames, email addresses, and corresponding passwords from the dark web, and then use automated scripts to try the leaked credentials on other websites in an attempt to log in and gain unauthorized access to these systems.
Credential stuffing attacks are emerging as a more effective way for attackers to gain unauthorized access to systems and networks than traditional brute force password attacks.
Credential Stuffing: an evolving attack vector
The act of systematically collecting volumes of compromised credentials from the dark web was recently coined ‘Credential Stuffing’, and it is gaining popularity among threat actors who consider it significantly more efficient than traditional brute force or password spray attacks. Credential Stuffing attacks are performed in two main ways:
1. Using existing pairs of leaked usernames and passwords
2. Using leaked passwords and pairing them to a list of known users.
Compromised passwords: the keys to accessing your resources
It’s not surprising that passwords, as the most common means of authenticating legitimate users, are a top target for threat actors. There is a whole Dark Web economy based on the trade in stolen credentials, the natural next step after every breach that involves a mass credential compromise. Only recently, a leak of 13 billion credential records was disclosed.
Password complexity and strength rules aren’t enough
Ensuring that employees use strong passwords is an important best practice enforced by both IT and security professionals. In today’s organizations, password strength and complexity rules, such as requiring a combination of special characters, numbers, and letters, are enforced. However, with billions of passwords available for any attacker to purchase and use, the typical password complexity rules aren’t enough.
Your employee passwords might already be compromised
Considering the limited (some will say nonexistent) creativity of a typical human, it’s likely that some of the stolen passwords are also in use by other people, maybe even your employees. This means that hackers have a good chance of finding that some of these passwords can be used to access your organization’s resources.
The bright side: leaked passwords can also be used by security pros to prevent breach
If hackers are using these databases of compromised passwords, why shouldn’t you? The databases of compromised passwords are accessible not only to the bad guys, but also to any security pro who is willing to put some effort into it. Scanning your network to identify the use of such passwords and asking users to change them can help prevent a breach. This is why the website ‘;--have i been pwned?’ maintains a Pwned Passwords page, stating that:
“Pwned Passwords are 572,611,621 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems… Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pair…”
Silverfort’s Free Leaked Password Checker
As part of Silverfort’s password research initiative, we looked into the known compromised passwords listed on the Pwned Passwords website. We wrote a simple tool that compares the Pwned Passwords against the hashes of passwords in the infrastructure of several of our customers (to clarify: the tool doesn’t extract passwords from the infrastructure!). What we discovered drove us to make this tool available to any organization, to help you check for these passwords inside your networks.
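As an added illustration of the hash-comparison idea (this is not Silverfort’s tool, whose internals the post does not describe), the Python sketch below matches an organization’s password hashes against the Pwned Passwords data. Pwned Passwords are published as SHA-1 hashes with breach counts, and the prefix-range (k-anonymity) lookup lets a checker work from the first five hex characters of a hash, so neither the password nor its full hash has to leave the checker. The pwned list, the range lookup and the account hashes here are all constructed so the example runs offline.

```python
import hashlib

def _sha1_hex(password: str) -> str:
    """SHA-1 hex digest in the upper-case form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the Pwned Passwords download: a few passwords
# with made-up breach counts, stored in the range format the service
# publishes (35-hex-char SHA-1 suffix:count), keyed by the 5-char prefix.
_PWNED_SAMPLES = {"password": 3861493, "letmein": 243637, "Summer2020!": 12}
PWNED_RANGES: dict[str, list[str]] = {}
for _pw, _count in _PWNED_SAMPLES.items():
    _h = _sha1_hex(_pw)
    PWNED_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def lookup_range(prefix: str) -> list[str]:
    """Offline stand-in for fetching the range file for one 5-char prefix."""
    return PWNED_RANGES.get(prefix.upper(), [])

def pwned_count(sha1_hex: str) -> int:
    """Breach count for a SHA-1 hash via the prefix-range scheme: only the
    5-char prefix is used for the lookup; the suffix is compared locally."""
    sha1_hex = sha1_hex.upper()
    prefix, suffix = sha1_hex[:5], sha1_hex[5:]
    for line in lookup_range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0

def check_accounts(account_hashes: dict[str, str]) -> dict[str, int]:
    """Given {username: SHA-1 hex of the password}, as a checker that already
    holds hashes (never cleartext) would, return the accounts whose password
    appears in the leaked set together with its breach count."""
    return {u: c for u, h in account_hashes.items() if (c := pwned_count(h)) > 0}

# Constructed "infrastructure" hashes: one reused leaked password, one not.
SAMPLE_ACCOUNTS = {
    "alice": _sha1_hex("Summer2020!"),
    "bob": _sha1_hex("correct horse battery staple xyz"),
}

if __name__ == "__main__":
    for user, count in check_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: password seen {count} times in breaches; force a reset")
```

Against the real data the range lookup would fetch the published range file for each prefix instead of reading the constructed dictionary, and the account hashes would come from whatever hash format the organization’s directory stores.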
The tool is now available for free! Use it to weed out known compromised passwords, and minimize the risk of Credential Stuffing attacks.