
Reviewing our 2019 AppSec predictions: Account takeover
At the start of the year, I made three predictions on attack vectors that would become big problems over the year and beyond. This is a look at where the three stand now, at the end of the year. Starting with #1 – Account Takeovers.
Prediction:
Organizations will see a significant uptick in these attacks. Defenses, including two-factor authentication, attack detections and more need to be planned, and put in place with proper alerting systems to detect and block these attacks.
Zynga, EatStreet, Coinmama, Canva, Flipboard, DockerHub, Intuit.
These are some of the many companies that either lost user credentials in a data breach or were victims of a credential stuffing attack.
This year has been quite a massive year when it comes to credential attacks – be it stealing them or using them for account takeover. Early in the year came the massive Collection #1 to #5 dump, with over 2.2 billion unique credentials. We acquired the database and ran it against our existing credential dump, and a significant portion of the dump consisted of previously leaked credentials. The dump itself easily dwarfed 2018’s Pemiblanc, and as the name suggests, it is mostly a collection of old data put together.


Typically though, we don’t really hear much about the effects of these data breaches. Those following the data breach news closely hear about the breaches, and some of the effects. That said, one event brought out the risks of data breaches and credential reuse quite massively: the wave of Disney+ account takeovers.

What seems to have happened, however, is credential reuse. The malicious actors seem to have taken previously dumped data and validated it against Disney+ to see which credentials were in use. When they got valid data, they proceeded to lock the users out of their accounts and sell their credentials. Users could no longer log in to their accounts and are presumably working with Disney to reset their account credentials. This attack is a little concerning – over the last few years, there have been a variety of effective products to guard against such attacks. These include products that can detect such low and slow attacks and alert the application owners or block the attacks. In this case, we don’t know yet if this was identified but not blocked, or if it was not identified at all while in progress. We await more information.
Since last year, credential attacks have become more and more prevalent. Folks like Troy Hunt, who runs haveibeenpwned, have been trying to get everyone to start safeguarding their credentials. However, given the long history of painful password policies (something even NIST has acknowledged and is moving on from), it looks like it will take some time.
When it comes to organizations, there are a few things they can do to reduce the impact of such attacks.
- Impose sane password guidelines to reduce password reuse. For employers, it may make a lot of sense to provide password managers. Apple is rumored to have done so, and actually provided employees with family plans for the password management tool.
- Implement multi-factor authentication.
- Secure all applications against credential (and other) attacks:
  - Ensure you have sufficient protections against all app attacks, including the OWASP Top 10.
  - Have systems in place to detect and block low and slow bots (slow bots are attackers or bots that come in from different regions over a longer period to avoid detection, staying under per-IP rate limits).
  - Ideally, implement a solution that can check all incoming credentials against known leaked credentials. This is not a 100% solution, but along with #2, it can help you identify and block these attacks quite early on.
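The last two items above are the ones that lend themselves to code. The block below is an added example, not Barracuda's ABP code or anything from the original post: it shows (1) a leaked-credential check done the way the Pwned Passwords range API (run by Troy Hunt's haveibeenpwned) works, where only the first five hex characters of the SHA-1 leave the client and the suffix comparison happens locally, and (2) a detector for the low-and-slow pattern over a few constructed login log lines. The log format, the IP addresses (TEST-NET ranges), the in-memory "leaked" table and every threshold are assumptions chosen for illustration; a real deployment would query the actual range endpoint and tune the window and counts to its own traffic.

```python
"""Added example (not Barracuda's code): two defensive checks against
credential stuffing, run offline over constructed sample data."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Leaked-credential check, k-anonymity style -----------------------
# Model: the Pwned Passwords range API. The client sends only the first 5
# hex chars of SHA-1(password) and receives every leaked suffix under that
# prefix, so the service never learns the full hash. Here the "service" is
# a constructed in-memory set so the example runs without network access.

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed leaked set: hashes of a few well-known weak passwords.
LEAKED_HASHES = {sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein")}

def range_lookup(prefix):
    """Simulated range endpoint: suffixes of all leaked hashes under prefix."""
    return {h[5:] for h in LEAKED_HASHES if h[:5] == prefix}

def is_leaked_password(password):
    """True if the password's full hash appears in the leaked set.
    Only the 5-char prefix is handed to range_lookup."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])

# --- 2. Low-and-slow credential-stuffing detector ------------------------
# Constructed log lines (hypothetical format): ISO timestamp, user, ip, result.
STUFFING_LOG = [
    "2019-11-20T08:00:00 user=alice ip=203.0.113.5 result=fail",
    "2019-11-20T08:40:00 user=bob ip=198.51.100.7 result=fail",
    "2019-11-20T09:15:00 user=carol ip=203.0.113.5 result=fail",
    "2019-11-20T09:50:00 user=dave ip=192.0.2.14 result=fail",
    "2019-11-20T10:05:00 user=alice ip=203.0.113.44 result=success",
    "2019-11-20T10:30:00 user=erin ip=198.51.100.7 result=fail",
    "2019-11-20T11:10:00 user=frank ip=192.0.2.77 result=fail",
    "2019-11-20T11:45:00 user=grace ip=203.0.113.91 result=fail",
    "2019-11-20T12:20:00 user=heidi ip=192.0.2.14 result=fail",
    "2019-11-20T12:55:00 user=ivan ip=198.51.100.200 result=fail",
    "2019-11-20T13:30:00 user=judy ip=203.0.113.91 result=fail",
]

# Constructed benign sample: one user mistyping a password, then succeeding.
BENIGN_LOG = [
    "2019-11-20T08:00:00 user=alice ip=203.0.113.44 result=fail",
    "2019-11-20T08:00:20 user=alice ip=203.0.113.44 result=fail",
    "2019-11-20T08:00:45 user=alice ip=203.0.113.44 result=fail",
    "2019-11-20T08:01:10 user=alice ip=203.0.113.44 result=success",
]

def parse_line(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["ip"], fields["result"]

def detect_low_and_slow(lines, window=timedelta(hours=6), min_failures=8,
                        min_distinct_ips=5, max_per_ip=3):
    """Flag a window where many failures arrive from many IPs, each IP
    staying under the count a naive per-IP lockout would trigger on.
    Returns a summary of the first such window, or None."""
    events = sorted(parse_line(l) for l in lines)
    for i, (start, _, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        fails = [e for e in in_window if e[3] == "fail"]
        if len(fails) < min_failures:
            continue
        per_ip = defaultdict(int)
        for _, _, ip, _ in fails:
            per_ip[ip] += 1
        if len(per_ip) >= min_distinct_ips and max(per_ip.values()) <= max_per_ip:
            return {
                "window_start": start.isoformat(),
                "failures": len(fails),
                "distinct_ips": len(per_ip),
                "distinct_users": len({e[1] for e in fails}),
                "max_attempts_per_ip": max(per_ip.values()),
            }
    return None

if __name__ == "__main__":
    print("leaked:", is_leaked_password("password"))
    print("stuffing:", detect_low_and_slow(STUFFING_LOG))
    print("benign:", detect_low_and_slow(BENIGN_LOG))
```

The benign sample never trips the detector because all three failures come from one IP, which is exactly the case a per-IP lockout already handles; the stuffing sample trips it with no IP exceeding two attempts, which is why counting across the whole window, not per source, is what catches the low-and-slow pattern. Combining the two checks (a leaked password submitted from inside a flagged window) is a stronger signal than either alone.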
At Barracuda, we launched the Advanced Bot Protection (ABP) product earlier this year. ABP is part of our Cloud Application Protection (CAP) platform and works together with our WAF product line to detect and block all types of advanced bot attacks. A big part of this product is credential stuffing security. With a large database of known leaked credentials, we can detect incoming account takeover and brute force attacks with ease. As part of the ABP product, this feature can take advantage of our Cloud Machine Learning Layer to identify the most advanced attackers. For a no-risk 30-day trial, visit our corporate site at www.barracuda.com/waf.