
Cyber Security Awareness Month’s Un-birthday


GUIDE ON CREDENTIALS THEFT:

The main aim of this article is to celebrate the Cybersecurity Awareness Month's Un-birthday which, as IMQ Intuity, we celebrate in November instead.
The reason is simple: #SecurityAwareness is a very hot topic every day; therefore, its "celebration" cannot be reduced to only one month a year.
On the occasion of the Cybersecurity Awareness Month's Un-birthday, we would like to share with you a practical guide about #CredentialsTheft.

PROTECT YOURSELF FROM CREDENTIALS THEFT

Credential theft is the cause of many cyberattacks, and the number of incidents is
growing fast. In terms of effort, the easiest thing for an attacker to do is no
longer social engineering alone or exploiting technological vulnerabilities.
Relying only on technological vulnerabilities would mean underestimating the
human, sociological and psychological vulnerabilities of the user, which are
fundamental for an attacker in terms of ease of implementation and rate of
success. So the easiest way to attack is to steal credentials, and the two most
common ways are:

  • Compromising the machines
  • Impersonating someone

STEALING CREDENTIALS

COMPROMISING THE MACHINES

Starting from the compromise of a single system, the attacker captures the
credentials stored on that system and reuses them to access every other system
where those credentials are valid (Lateral Movement). He then steals more
privileged credentials until he gains full control of the infrastructure (Privilege
Escalation).
These activities usually go undetected, because each step looks like a legitimate
logon and is hard to distinguish from normal authentication traffic.

IMPERSONATE SOMEONE

Impersonation, or Identity Theft, means the total impersonation of another
person's identity through the improper use of data relating to that identity. In
other words, it is the use of the identity of another company or person, behind
which the hacker hides or operates under a fictitious identity.
The attacker uses Phishing (via e-mail), Smishing (via SMS) or Vishing (via
telephone) against the victim, pretending to be a supplier, a customer or an
external collaborator.
The goal is to push the user to log in to a corporate portal or software with
corporate credentials. At this point the criminal can move freely and, as in the
previous case, proceeds with Lateral Movement until he reaches full control of
the system.

CURIOSITY

A 26-year-old man known as raccoonstealer, having taken part in the Raccoon
Stealer Malware-as-a-Service (MaaS) operation, was arrested in March 2022. He
was arrested by Dutch authorities (together with the FBI and Italian authorities),
who took apart the infrastructure of the Raccoon Infostealer and took the
existing version of the malware off-line.*
FBI agents have identified more than 50.000.000 credentials
and forms of identification (email addresses, bank accounts, cryptocurrency
addresses, credit card numbers, etc.).
The credentials included over 4.000.000 email addresses.
After his arrest, the Raccoon Stealer group ceased operations.
However, in June, they released a new malware family written in C/C++ that
steals or captures:

  • Browser passwords and cookies
  • Autofill data
  • Credit cards
  • Cryptocurrency wallets
  • Screenshot capturing

* Source: https://www.google.com/amp/s/www.itworldcanada.com/post/ukrainian-charged-with-involvement-in-raccoon-stealer-malware-service

“Why should my data be interesting to the attacker?”

To answer this question, here are some examples that come directly from our
experience in terms of Business Attack Simulation on medium and large
companies:

  • Many employees save a list of personal or corporate account
    credentials in Excel or .txt files on their company computer,
    naming them “Credentials” or “Passwords”.
  • Many employees share their personal or business account
    credentials via E-mail or through instant messaging software, such
    as Teams and WhatsApp.
  • Many employees reuse the same credentials for all accounts and
    rarely change passwords.
  • Many companies still use obsolete or manual business badge
    creation systems, such as storing employee names and data in .txt
    files saved on the computer desktop, without any password
    protection.

Most predictable password combinations, based on our red team simulation experience

An attacker who manages to reach the company's password database can recover
the passwords in clear text in two ways:

  • Through Dictionary Attacks, the attacker tries to guess the passwords using
    the most commonly used words.
  • If he fails to find the correct string of words, he proceeds with Brute Force
    Attacks, trying all letter combinations.

The list below shows the most predictable password combinations
according to our experience with organizations but, as you can see, they perfectly
reflect the most commonly used passwords even outside the business context.

  • Company + current year
  • Season/month + current year
  • Special characters substituted for letters
  • Use of abcd and 1234
  • Department + current year
  • User's month/year of birth
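Every pattern in this list is exactly what a dictionary attack tries first, so the useful defensive move is to refuse such passwords at the moment they are set. The following checker is an added example (not code from the IMQ Intuity guide) that turns the list into a policy check: it looks for the company or department name, a season or month, and the user's birth month/year combined with a nearby year, undoes the common "special character for letter" swaps before comparing, and generalises "abcd"/"1234" to any run of four consecutive characters. The company name, department list, birth date, the substitution table and the one-year tolerance around the current year are all assumptions of the example.

```python
"""Reject passwords built from the predictable patterns listed above.

Added example, not part of the IMQ Intuity guide. The caller supplies the
company name, department names and (optionally) the user's birth date; the
leetspeak table and the +/-1 year tolerance are assumptions of this example.
"""
from datetime import date

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]

# Undo common "special character for letter" swaps so P@ssw0rd compares as password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case the password and reverse the substitutions in LEET."""
    return pw.lower().translate(LEET)


def has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n consecutive ascending letters or digits (abcd, 1234, wxyz...)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if chunk.isalnum() and all(ord(chunk[j + 1]) - ord(chunk[j]) == 1
                                   for j in range(n - 1)):
            return True
    return False


def weak_reasons(pw, company, departments=(), birth=None, today=None):
    """Return the predictable patterns found in pw; an empty list means none matched.

    The raw password catches plain cases (Company2024); the normalised form
    catches substituted ones (C0mp@ny2024). Years are checked on the raw form
    only, because normalisation rewrites digits.
    """
    today = today or date.today()
    raw, norm = pw.lower(), normalize(pw)
    years = [str(today.year + d) for d in (-1, 0, 1)]
    has_year = any(y in raw for y in years)
    reasons = []

    def present(word):
        w = word.lower()
        return w in raw or w in norm

    if present(company):
        reasons.append("company name + year" if has_year else "company name")
    if any(present(d) for d in departments):
        reasons.append("department name + year" if has_year else "department name")
    if has_year and any(present(m) for m in MONTHS + SEASONS):
        reasons.append("season/month + year")
    if has_sequence(pw):
        reasons.append("sequence such as abcd/1234")
    if birth is not None and (str(birth.year) in raw
                              or present(MONTHS[birth.month - 1])
                              or f"{birth.month:02d}{birth.year}" in raw):
        reasons.append("month/year of birth")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; "Intuity" and "Finance" stand in for real names.
    for candidate in ["Intuity2024!", "Summer2025", "F1nanc3_2024", "xyzabcd!",
                      "Maria051985", "correct horse battery staple"]:
        found = weak_reasons(candidate, "Intuity", ["Finance"],
                             birth=date(1985, 5, 12), today=date(2024, 6, 1))
        print(f"{candidate!r}: {found or 'no predictable pattern found'}")
```

An empty result only means none of these specific patterns matched; the check is meant to sit beside, not replace, length requirements and a breached-password lookup. Short department names (for example two-letter abbreviations) should be excluded from the list, since substring matching would flag unrelated passwords.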

Look at our guide, print it, put it on your desk and share it for informative purposes: