Long before a credential breach becomes public, threat actors have in many cases already been using the stolen usernames and passwords in a variety of ways, a new study has revealed.
F5 Networks recently analyzed open source information on credential-spill incidents in recent years and discovered that stolen credentials go through five separate phases of abuse from the moment a threat actor first acquires the credentials to when they are subsequently disseminated among other threat actors. The company's analysis showed that half of all organizations take about 120 days — or four months — to discover a credential breach. And even then, it is only after a third party has informed them about their data being discovered on the Dark Web.
F5 researchers discovered that a lot typically goes on with the credentials in the interim. During the first stage, in the immediate days and weeks following a credential breach, the criminals responsible for the data theft tend to use the stolen information in a stealthy and purposeful manner, says Sander Vinberg, threat research evangelist at F5.
The focus often is on using the credentials to try and establish persistence on a network, or to try and take over key accounts, conduct reconnaissance, and harvest whatever additional information they can. "They are monetizing the data, but they are monetizing it very carefully and with clear objectives in mind." This is when the potential for long-term damage is the greatest, Vinberg says.
The second stage kicks in when the original attackers begin sharing the stolen credentials with others in the community. As the data becomes more widely available on the Dark Web, credential-stuffing attacks begin ramping up sharply. The increased activity usually lasts only about one month because it usually results in the credential theft being discovered.
As word of the breach starts spreading and users start changing passwords in the third stage, script kiddies and other amateur threat actors rush to use the stolen username and password pairs in credential-stuffing attacks on large Web properties. "This is the stage when the most economic damage is done," Vinberg says. "The greatest risk to organizations is regulatory and financial penalties."
By the fourth phase, the stolen credentials no longer have premium value but are still being used in attacks at a higher rate than during the first phase. The fifth stage is when attackers repackage spilled credentials and try to continue to use them.
As part of its research, F5 conducted a historical analysis using data from a large set of spilled credentials that became available for sale on a Dark Web forum in early 2019. Researchers from F5 compared credentials in that dataset against usernames used in credential-stuffing attacks against four of its Fortune 500 customers, two of which were banks, one a retailer, and the other a food and beverage company.
F5's analysis showed that when attackers first had access to the spilled credentials, they used them on average between 15 and 20 times per day in attacks against the four organizations. By stage three, the credentials were being used up to 130 times a day, and by the fourth stage usage had dropped back to around 28 times per day. "The overarching conclusion is that credential stuffing is a very large problem," Vinberg says. "It manifests in different ways, but at this stage, no one can afford to downplay the risk it represents."
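The overlap analysis described above, as an added example that is not F5's code: a constructed set of spilled usernames is matched against constructed login-attempt log lines to count spilled-credential use per day and to flag sources that cycle through many spilled accounts, the signature a defender would watch for. The log format, IPs and usernames are all assumptions made up for the example.

```python
# Added example (not from the F5 report): measure how often usernames from a
# credential spill show up in login attempts, per day and per source IP.
from collections import Counter, defaultdict
import re

# Constructed spilled-credential usernames (placeholder values, not a real spill)
SPILLED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed auth log lines: "<date> <src ip> login user=<name> result=<ok|fail>"
AUTH_LOG = """\
2019-02-01 198.51.100.7 login user=alice@example.com result=fail
2019-02-01 198.51.100.7 login user=dave@example.com result=ok
2019-02-01 203.0.113.9 login user=bob@example.com result=fail
2019-02-02 203.0.113.9 login user=alice@example.com result=fail
2019-02-02 203.0.113.9 login user=bob@example.com result=fail
2019-02-02 203.0.113.9 login user=carol@example.com result=fail
2019-02-02 192.0.2.44 login user=carol@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(ok|fail)$")

def parse_log(text):
    """Yield (day, src_ip, username, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)

def spilled_usage_per_day(log_text, spilled):
    """Count login attempts per day whose username appears in the spill,
    regardless of outcome: a successful login with a spilled name still matters."""
    per_day = Counter()
    for day, _ip, user, _res in parse_log(log_text):
        if user in spilled:
            per_day[day] += 1
    return dict(per_day)

def stuffing_sources(log_text, spilled, min_distinct=2):
    """Source IPs that tried at least `min_distinct` different spilled usernames;
    many distinct accounts from one source is the credential-stuffing pattern."""
    users_by_ip = defaultdict(set)
    for _day, ip, user, _res in parse_log(log_text):
        if user in spilled:
            users_by_ip[ip].add(user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct}
```

Run against a real export, the daily counts give the same kind of per-stage usage curve the article reports, and the per-source view identifies where rate limiting or blocking would cut the most attempts.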
A Widely Acknowledged Problem
Several others have documented the growing danger of credential-stuffing attacks as well — especially in the months since the global COVID-19 pandemic began. In one study, released last November, researchers from Arkose Labs found that of the 1.3 billion attempted fraud attacks it observed in the third quarter of 2020, some 770 million involved credential-stuffing techniques. Another study, by Digital Shadows, found more than 15 billion stolen or otherwise exposed credentials available for sale in Dark Web markets. The company found credentials for everything from domain administrator accounts to bank accounts, adult-site logins, and video game and video streaming accounts readily available at prices ranging from a few thousand dollars to around $2 for access to file-sharing sites.
One silver lining that F5's study uncovered was a steady decrease in the average and median number of credentials exposed per incident compared with 2016. Though the overall number of credential compromise incidents itself more than doubled — from 51 in 2016 to 117 last year — the average number of records per incident dropped from over 63.4 million to around 17 million. When mega-breaches were excluded from the calculation, typical credential compromise incidents involved around 2 million records in 2020 compared with 2.7 million in 2016.
Vinberg says the data suggests that the largest organizations — those with the largest number of credentials — have gotten better at protecting the data. "Enormous breaches are becoming less common but midsize organizations are continuing to get breached," he notes.
F5's data shows that poor password protection practices continue to be a big contributor to the problem. Some 13.3% of credential compromise incidents and more than 42% of exposed credentials between 2018 and 2020 involved passwords stored in plaintext. When organizations did make an attempt to protect passwords, they often used MD5 hashes, a method that F5 describes as being widely discredited.
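To make the storage point concrete, an added example that is not part of the F5 report: unsalted MD5 beside a salted, deliberately slow hash. The user records and wordlist are constructed, and the iteration count is illustrative rather than a recommendation.

```python
# Added example (not from the F5 report): why a spilled database of unsalted MD5
# hashes converts straight into usable credentials, and what a salted, slow KDF changes.
import hashlib
import hmac
import os

def md5_store(password):
    # Unsalted MD5: fast and deterministic, so equal passwords give equal hashes
    return hashlib.md5(password.encode()).hexdigest()

def recover_from_md5(stored_hashes, wordlist):
    """Offline dictionary lookup: one MD5 per guess, reused against every hash."""
    lookup = {md5_store(w): w for w in wordlist}
    return {h: lookup[h] for h in stored_hashes if h in lookup}

ITERATIONS = 200_000  # illustrative work factor; tune for the deployment

def pbkdf2_store(password, salt=None):
    # Per-user random salt plus an iterated KDF: each guess costs ITERATIONS hashes
    # and cannot be reused across users
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def pbkdf2_verify(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed user records with weak, reused passwords and a tiny constructed wordlist
USERS = {"alice": "password1", "bob": "password1", "carol": "tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password1", "qwerty"]

def demo_md5():
    """Which users' passwords fall to a plain dictionary lookup against MD5 storage."""
    stored = {u: md5_store(p) for u, p in USERS.items()}
    recovered = recover_from_md5(stored.values(), WORDLIST)
    return {u: recovered[h] for u, h in stored.items() if h in recovered}

def demo_pbkdf2():
    """(same password => same stored value?, correct password verifies?, wrong rejected?)"""
    stored = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return (stored["alice"] == stored["bob"],
            pbkdf2_verify("password1", stored["alice"]),
            pbkdf2_verify("wrong", stored["alice"]))
```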