
Credential harvesting bots are attacking you right now
A threat actor’s most valuable tool is a working set of credentials for a targeted system. A big chunk of global cybercrime can be summed up as the illegal pursuit of someone’s username and password. Social engineering attacks are increasing in number and frequency, and threat actors are improving their tools and skills. While criminals are getting better at stealing passwords, the public is getting tired of hearing about password security.
A 2022 study by AT&T reveals that 42% of respondents reuse the same password on multiple websites, and 31% use their birthday as their password. The study also revealed that up to 38% of respondents will use a website to stream or download videos, games, and music, even when they suspect the site to be malicious. Unfortunately, these people are our friends, family, and co-workers, and their poor cybersecurity behaviors are why we can’t have nice things. We’ll get back to them later.
For now, let’s start with those of us who are proactive with password security. We don’t share or reuse our passwords, and we have password managers or some other system that helps us keep track of our 70-100 (on average) logins. We know better than to create an account on a suspicious website to get a coupon or stream a video. But we’re still not totally in control of our password security.
Credential harvesting
The problem we all have is that we can’t control the security of the online services we use, any more than we can control the security system at the local bank. We trust our service providers to do their best to protect our data, but any company can fall victim to an advanced attack or compromised supply chain. Attackers work their way into systems through zero-day attacks and unpatched vulnerabilities, or they socially engineer an employee into giving them access. Once they’re in, they’ll look for user account credentials and other information that will help them launch further attacks. That information will be collected as quickly as possible. If your data is in there, they’ve got you.
Stealing and stockpiling credentials is referred to as credential harvesting or password harvesting. There are several different tactics used in credential harvesting, and many attacks will use more than one. Phishing emails, phishing websites, remote desktop protocol (RDP) attacks, and Man-in-the-Middle (MitM) attacks can all be used to steal credentials, and they can be stacked to capture a little bit of information at a time.
A modern example of this is the attack behavior of the North Korean group APT38, which is using several types of phishing emails to trick recipients. They’re also using fake social media accounts, phishing websites, and post-exploitation tools to get the most out of each target. The Hacker News reports that this “sprawling” credential harvesting activity is new for this group, and is unusual for a state-sponsored group. This suggests that North Korea is increasing its focus on credentials and widespread gathering of information.
Infostealers
One of the most common harvesting attacks is a phishing email that includes a malware attachment. It’s common for criminals to use malware known as an infostealer to harvest user data from a system. This malware collects usernames and passwords from web browsers, email applications, and other software. Most will also collect other data like credit card information and messaging chat logs. Infostealers are easy to get because attackers who cannot develop their own infostealer can purchase a subscription through Malware-as-a-Service (MaaS) providers.
Those suspicious websites we mentioned earlier can also collect and share whatever account information you’ve provided. Websites offering coupons, free movies, or big prizes are often just phishing attacks designed to collect whatever information you provide. These sites also exploit vulnerabilities on a visitor’s computer to install an infostealer without the user’s knowledge. The amount of damage done here depends on whether the computer is networked or storing sensitive information on the drive.
Some infostealers are dropped directly into a victim’s network by a criminal. Like most attacks, this is usually made possible by someone’s mistake. Misconfigured, unpatched, or unmanaged devices can leave security gaps that botnets can identify and match to an exploit. Threat actors use these gaps to begin the next phase of attack.
The GoAnywhere incident is one example of harvesting that used system intrusion and credential dumping. The Clop Ransomware gang used a zero-day exploit (CVE-2023-0669) to create an RDP account with access to the GoAnywhere Managed File Transfer (MFT) server. Once they had access, they used an LSASS credential dump to steal account information and gain access to the companies that use the GoAnywhere service. The attack has exposed over 1,000,000 individuals who use the services of these GoAnywhere customers. IBM has detailed this attack here.
Credential stuffing
So why are criminals so interested in hoarding everyone’s credentials? The bottom line is that login information enables larger and more profitable attacks.
Large collections of usernames and passwords make credential stuffing possible. These automated attacks use botnets to test stolen credential sets against multiple targets. OWASP describes credential stuffing here:
Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps.
Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any brute-forcing or guessing of values; instead, credentials used in other applications are being tested for validity.
Through credential stuffing attacks, a threat actor can find a single valid login that could open the entire network to infostealers and other malware. And this is why our friends, family, and co-workers are causing so much trouble. By reusing their company password at PayPal or Chick-fil-A, they inadvertently put all of us at risk.
Credential stuffing isn’t the only automated attack that uses large sets of login information. Our blog post here explains how password spraying and brute force attacks can use word lists and rulesets to gain access to a system. Even obsolete credentials can be useful to threat actors with these automated tools. Review the OWASP automated threats for more information on how these attacks work.
What can you do?
It's very important to create unique passwords for all accounts. Do this as soon as possible, and tell your friends, family, and co-workers to do the same, because 42% of them need to be trained or reminded. You can increase password security by using passphrases, complex passwords, and multi-factor authentication where possible. If you use a password manager and you monitor data breaches for your information, you will be able to easily change the one unique password that was exposed.
Keep in mind that only one set of credentials is necessary to enable a huge data breach. A valid set of credentials doesn’t just open the door to a system. It opens that door quietly and in the dark. An attacker who logs in with valid credentials will usually have more time in a network than one who breaks down the door. That’s more time to explore the network, find and steal data, break the data backups, get to know user behavior, and launch further attacks when ready. Admins can reduce this threat with credential access alerts that watch for lateral movement and other odd behaviors.
Websites and web applications should be defended by a web application firewall that will protect your login forms from credential attacks. Application firewalls also protect your sites from those scans that look for unpatched vulnerabilities and other security gaps.
Barracuda Application Protection
Barracuda offers powerful application security that protects your applications and APIs from DDoS and advanced bot attacks. Barracuda WAF-as-a-Service can be configured within a few minutes using our simple deployment wizard. Barracuda Application Protection engages automated attacks with a fierce defense that stops them before they can get to your site. You can try it in your environment right now, free for 30 days.
