Credential-Stuffing Threat Intensifies Amid Password Reuse

Employees who reuse the same login across multiple websites amplify the impact of third-party breaches: attackers feed leaked username and password pairs into credential-stuffing tools to take over accounts on unrelated sites. Password reuse is the enabling weakness, because a password exposed in one breach becomes a working key to every other account where it was recycled.
There’s no shortage of leaked credentials for attackers to employ. Nearly all (97%) of the world’s 1,000 largest companies have had corporate credentials exposed, Digital Shadows reports in its newly published research on account takeover attacks and mitigation.
Hackers use this information in six main ways: building botnets, post-breach extortion, credential harvesting, spearphishing, account takeover, and credential stuffing. The research focuses on account takeover, which credential-stuffing tools have made easier to carry out at scale.
Credential stuffing is the automated replay of username and password pairs stolen from one site against the login page of another, in the hope that the same person reused the same credentials. Unlike classic brute forcing, which throws many password guesses at a single account, stuffing tries one known pair per account across many accounts, so it rarely trips per-account lockout thresholds. Once attackers identify where users have recycled credentials, extending the takeover to more accounts is trivial.
“Barriers to entry have gotten lower and lower,” says Michael Marriott, research analyst at Digital Shadows, of account takeover attacks. Threat actors don’t need advanced expertise to infiltrate accounts, and they’re realizing users’ poor security habits will drive their success. With an “obscene amount” of data available online, they’re likely to find a match, he says.
Many credentials are publicly available; cost varies depending on their age. For example, Digital Shadows reports the LinkedIn database cost $2,280 in April 2016: now, you can buy it for a mere $4. One of the most thorough packages costs $2,999 for a total of 3,825,302,948 credentials collected from 1,074 databases.
Attackers use a few different tools to launch credential stuffing attacks, but the main ones are SentryMBA, Vertex Cracker, and Account Hitman. Marriott says the most popular is SentryMBA, which is free and designed to bypass the CAPTCHA controls implemented to stop automated logins.
“There are different motivations, but making money is an obvious one,” says Marriott of what’s driving these attacks. “People also use account takeover to find out more information about users. If you want to tailor an attack more, you can log on to different accounts.”
Technically skilled people make money by selling "config" files for a target website: settings that map out the site's login flow so the credential-stuffing tool knows where and how to submit attempts. Those without the skills to build these files can buy them on forums, marketplaces, and social media.
Credential stuffing affects businesses of every size and industry. Gaming and technology companies were the most frequently targeted, but attackers also went after gift card companies, hotels, pizza shops, and online retailers. Any website with an employee or customer login page is exposed to account takeover attempts.
Multi-factor authentication is one means of fighting account takeover attacks; however, Marriott warns against treating it as a "silver bullet" that provides full protection.
"If [businesses] don't have multi-factor authentication, it's not because they haven't thought about it," he explains. Companies often decide against it because the extra friction costs them customers; in some cases, as with SMS-based authentication, it may not even be that effective.
There are other ways to detect and protect against account takeover attempts. Marriott recommends that companies check Have I Been Pwned for signs that corporate email addresses have appeared in breaches, and set up Google Alerts for mentions of company and brand names on cracking forums. That gives you a heads-up if someone is discussing a potential attack on your business.
He also advises organizations to learn more about credential-stuffing tools and inform staff and consumers of the dangers of reusing passwords and corporate email addresses for personal accounts.
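The definition above (one stolen pair per account, across many accounts) also describes what credential stuffing looks like in a site's own authentication logs, which is the detection angle the article leaves out. The following is an added example written for this page, not code from Digital Shadows or the article. It uses a constructed log format and invented thresholds (assumptions for illustration) to label each client IP as stuffing, brute force or benign, and then takes a site-wide view to catch the proxy-rotating case where no single IP is noisy enough to flag on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
#   "<ISO time> <client ip> user=<name> result=<ok|fail>"
# 203.0.113.10 replays leaked pairs (one try per user, mostly failing, one hit);
# 198.51.100.7 brute-forces one account; 192.0.2.5 is a real user who mistyped
# once; 203.0.113.11 and .12 are the same stuffing run spread over proxies.
SAMPLE_LOG = """\
2017-05-22T10:00:01Z 203.0.113.10 user=alice result=ok
2017-05-22T10:00:02Z 203.0.113.10 user=bmiller result=fail
2017-05-22T10:00:02Z 203.0.113.10 user=cchen result=fail
2017-05-22T10:00:03Z 203.0.113.10 user=dpatel result=fail
2017-05-22T10:00:03Z 203.0.113.10 user=ejones result=fail
2017-05-22T10:00:04Z 203.0.113.10 user=fkim result=fail
2017-05-22T10:00:04Z 203.0.113.10 user=glopez result=fail
2017-05-22T10:00:05Z 203.0.113.10 user=hwang result=fail
2017-05-22T10:00:10Z 198.51.100.7 user=admin result=fail
2017-05-22T10:00:11Z 198.51.100.7 user=admin result=fail
2017-05-22T10:00:12Z 198.51.100.7 user=admin result=fail
2017-05-22T10:00:13Z 198.51.100.7 user=admin result=fail
2017-05-22T10:00:14Z 198.51.100.7 user=admin result=fail
2017-05-22T10:00:20Z 192.0.2.5 user=bob result=fail
2017-05-22T10:00:31Z 192.0.2.5 user=bob result=ok
2017-05-22T10:00:40Z 203.0.113.11 user=ismith result=fail
2017-05-22T10:00:40Z 203.0.113.11 user=jdoe result=fail
2017-05-22T10:00:41Z 203.0.113.11 user=kroy result=fail
2017-05-22T10:00:41Z 203.0.113.12 user=lnguyen result=fail
2017-05-22T10:00:42Z 203.0.113.12 user=mgarcia result=fail
2017-05-22T10:00:42Z 203.0.113.12 user=nbrown result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the assumed log format, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def classify_source(events, min_attempts=5, min_fail_rate=0.8):
    """Label one client IP. Stuffing spreads attempts across many usernames
    (spread ratio near 1); brute force concentrates them on one (near 0)."""
    attempts = len(events)
    if attempts < min_attempts:
        return "benign"
    failures = sum(1 for e in events if not e.success)
    if failures / attempts < min_fail_rate:
        return "benign"
    spread = len({e.user for e in events}) / attempts
    if spread >= 0.8:
        return "credential_stuffing"
    if spread <= 0.2:
        return "brute_force"
    return "suspicious"


def classify_sources(events):
    """Group events by client IP and label each source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    return {ip: classify_source(evs) for ip, evs in by_ip.items()}


def distributed_stuffing_windows(events, window=timedelta(minutes=5),
                                 min_failed_users=10, min_ips=3, min_spread=0.7):
    """Site-wide view for proxy-rotating tools that keep every IP under the
    per-source thresholds: per fixed window, count failed logins, the distinct
    usernames they hit and the distinct IPs they came from. Returns the start
    time of each window that trips the alert."""
    fails = sorted((e for e in events if not e.success), key=lambda e: e.ts)
    if not fails:
        return []
    t0 = fails[0].ts
    buckets = defaultdict(list)
    for e in fails:
        buckets[(e.ts - t0) // window].append(e)
    alerts = []
    for idx, bucket in sorted(buckets.items()):
        users = {e.user for e in bucket}
        ips = {e.ip for e in bucket}
        if (len(users) >= min_failed_users and len(ips) >= min_ips
                and len(users) / len(bucket) >= min_spread):
            alerts.append(t0 + idx * window)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, label in sorted(classify_sources(evs).items()):
        print(f"{ip:15} {label}")
    for start in distributed_stuffing_windows(evs):
        print(f"distributed stuffing window starting {start.isoformat()}")
```

The per-IP pass flags 203.0.113.10 as stuffing and 198.51.100.7 as brute force while the two proxy IPs stay "benign" on their own; only the window-level pass catches them, because it keys on how many distinct usernames are failing rather than on who is sending the traffic. Real deployments would tune the thresholds against their own baseline and add the successful logins from a flagged run to an investigation queue, since those are the accounts that were actually taken over.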
The RAVPower Savior 9000mAh portable charger has both a built-in Apple Lightning connector and a foldable two-prong wall plug, so you don't need to bring an extra cable to charge your Apple device. The additional USB output is 1A and the Lightning output is 2.4A, for a combined charging speed of up to 3.4A.
This unit currently receives 4.5 out of 5 stars on Amazon. It is discounted 58% from its list price of $99.99, to $41.99.
European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn’t much like what it sees.
So it’s mulling a vendor’s nightmare that the US and UK dared not approach: security regulation – at least the minimal regulation of testing and certification.
In a position paper published Monday, the group says there is “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”
In other words, to readers familiar with the woe The Register has chronicled over the years, it’s an Internet of St.
Three vendors, Infineon, NXP, and STMicroelectronics, developed the position paper for ENISA, which published it along with an announcement.
The paper reckons IoT security needs bottom-to-top baseline requirements, from simple devices all the way up to complete systems (it cites connected cars and factories as examples of the latter).
Proposals in the paper include European Baseline Requirements for Security and Privacy (currently under development by the Alliance for the Internet of Things Innovation, AIOTI), and the introduction of an EU "Trust Label" for IoT devices.
Also on the top-priority list:
Standards and certifications – as well as the baseline, this includes interop testing, mandatory reference levels for trusted IoT solutions, the scalability of security controls and more;
Security processes and services need to be evaluated and “adapted to IoT”.
In 2016, Dutch MP Kees Verhoeven called for EU regulation of IoT security, an idea briefly pursued but abandoned by America's Federal Trade Commission earlier this year, and passed over by the UK's Ofcom in 2015.
A federal watchdog agency is recommending that Virginia Medicaid, administered by the state's Department of Medical Assistance Services (DMAS), address security weaknesses that could leave beneficiaries' data vulnerable to breaches and state Medicaid operations susceptible to disruption. Security experts say the improvements the audit recommends are needed at many healthcare organizations.
The Department of Health and Human Services’ Office of Inspector General’s report released May 19 notes that the agency did not include specific details of vulnerabilities identified during an audit of Virginia’s Medicaid Management Information System because of “the sensitive nature” of the information.
The OIG’s general recommendations to Virginia presented in the report, however, cover an array of security control areas – including access and authentication – that also have been frequently spotlighted by the watchdog agency’s reviews of systems at other state or federal healthcare agencies, as well as their contractors (see HHS OIG: Medicare Contractors Struggle with Security Gaps).
In its report, OIG says it reviewed Virginia MMIS policies, procedures and information system general controls that were in place as of September 2015, determining that Virginia did not adequately secure its Medicaid data and information systems in accordance with federal requirements. "Virginia had adopted a security program for its MMIS, but numerous significant system vulnerabilities remained," the report states.
OIG notes that although it did not identify evidence that anyone had exploited the vulnerabilities, “exploitation could have resulted in unauthorized access to and disclosure of Medicaid beneficiary data, as well as the disruption of critical Medicaid operations.” The vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Virginia’s Medicaid program, OIG adds.
OIG recommended that Virginia “improve its Medicaid security program to secure Medicaid data and information systems in accordance with federal requirements, provide adequate oversight to its contractor, and address the vulnerabilities identified during our audit.”
Specifically, OIG recommended that Virginia enhance its Medicaid:
Systems and information integrity controls;
Risk management process;
Access and authentication controls;
Audit and accountability controls;
System and communications protection controls;
Configuration management controls.
OIG notes in the report that Virginia concurred with the agency’s recommendations and described corrective actions that it had taken or planned to take.
The MMIS security control areas that OIG recommended Virginia bolster are also frequent trouble spots for healthcare sector entities and their business associates.
"These are common areas where audits reveal weaknesses in security controls," says Keith Fricke, principal consultant at tw-Security.
“In particular, the risk management process is often lacking, and this is something we’ve heard the HHS Office for Civil Rights say at conferences over the past six months,” he notes. “A good and consistent risk analysis/risk management process would identify the security controls areas in need of attention and define the plan to address them.”
As cybersecurity attacks rage, weak access controls are especially worrisome, says Mac McMillan, president of security consulting firm CynergisTek.
“Given the recent incidents with WannaCry and other malware types, I’m always concerned when I see integrity and access control issues,” he says. “Right now everyone needs to be diligent in basic management of security.”
The OIG review of Virginia Medicaid is one in its series of audits of states’ computer systems used to administer HHS-funded programs. The report notes that Virginia’s Medicaid program uses an outside contractor to develop and operate its claims processing system.
Virginia’s Medicaid program processed $8.2 billion in claims for nearly 1.3 million beneficiaries in fiscal year 2015, the report notes.
The Virginia Information Technology Agency supports the state’s DMAS Medicaid Management Information System by providing cybersecurity, information technology services and governance.
In a statement to Information Security Media Group, DMAS says it is “addressing the findings of the OIG and will meet the timeline established by our Director of Information Management.”
In March, OIG released a review of Massachusetts’ Medicaid information systems with findings of various security weaknesses, including security management, configuration management and website and database vulnerability scans.
Fricke notes that while the OIG’s reviews of government agencies bring to light security vulnerabilities that need to be addressed by those entities, it’s critical that private sector organizations also scrutinize their systems for similar weaknesses.
“With a good risk analysis and risk management process in place, healthcare sector organizations and business associates can identify risks and prioritize them,” he says. “Often starting with medium-to-high ranked risks that are low-cost/low-effort to address gets results and creates momentum.”
VMware informed customers last week that updates released for the Linux and Windows versions of Workstation patch privilege escalation and denial-of-service (DoS) vulnerabilities.
One of the flaws, discovered by Jann Horn of Google Project Zero and tracked as CVE-2017-4915, affects VMware Workstation Pro and Player 12.x on Linux. The weakness has been classified as “important” severity.
The security hole, described as an insecure library loading vulnerability, allows an unprivileged host user to escalate their privileges to root on the host via ALSA sound driver configuration files.
The second vulnerability, identified by Borja Merino and tracked as CVE-2017-4916, affects VMware Workstation Pro and Player 12.x on Windows.
This “moderate” severity flaw is a NULL pointer dereference issue that exists in the vstor2 driver. An attacker with regular host user privileges can exploit the vulnerability to cause a DoS condition on the host machine.
The vulnerabilities have been patched with the release of VMware Workstation 12.5.6. There are no workarounds for either of the flaws.
VMware has released eight other security advisories this year, including for an Apache Struts 2 vulnerability that had been exploited in the wild, and security bugs disclosed by white hat hackers at this year’s Pwn2Own competition.
Exploits involving VMware virtual machine escapes earned participants more than $200,000 at Pwn2Own 2017. Researchers at Qihoo 360 received $105,000 for an Edge exploit that achieved a VM escape, while Tencent Security’s Team Sniper earned $100,000 for a Workstation exploit.
WannaCry Hit Windows 7 Machines Most

More than 95% of all infected machines were running Windows 7, according to Kaspersky Lab data.

Don't blame Windows XP: now that the dust has started to settle on the global WannaCry ransomware worm attacks, new data shows that the hardest-hit version of Windows was the soon-to-be-retired Windows 7, specifically the 64-bit edition, which accounted for 60% of the ransomware infections, according to Kaspersky Lab.
Another 31.72% were running 32-bit Windows 7, and another 6% were Windows 7 Home editions.
Amid the chaos and panic during the outbreak and rapid spread of the worm, which first appeared on May 12, came calls for organizations to keep their Windows machines current with the latest patches and to abandon older versions such as Windows XP and Windows 7. XP turned out to be far less of a factor than experts initially assumed.
Costin Raiu, head of the global research and analysis team at Kaspersky Lab, says the WannaCry attackers didn’t activate support for targeting XP machines. “Their code worked only with Windows 7, Windows 7 x64 and Windows 2008 servers,” Raiu says. “So, while in theory it was possible to implement support for the infection of Windows XP, it seems they didn’t. This could be because they thought almost nobody uses XP anymore, or because they didn’t have time to finish the worm before the ransomware was released.”
Some XP machines threw error messages or crashed during WannaCry, but they were not successfully infected with the malware, according to several researchers who studied the code. Microsoft nonetheless issued a rare emergency patch for XP and the also-retired Windows Server 2003 out of an abundance of caution.
While the leftover Windows XP-based machines and systems still running out there (think some medical and ICS devices) dodged a bullet, the standard advice to patch and update remains just as relevant for the older and still widely deployed Windows 7, which Microsoft has begun to phase out, with limited extended support options for business customers. Extended support for Windows 7 Service Pack 1 ends on January 14, 2020.
BitSight says the consumer-heavy telecommunications sector led WannaCry infections with 15.31% of the ransomware victims worldwide, and the Russian Federation topped the list of victim nations, with some 25,829 infected machines, followed by China (22,991), Taiwan (7,625), Ukraine (5,974), the US (4,557), and others, in some 167 nations affected by the attack.
Dan Dahlberg, research scientist at BitSight, says researchers are still studying just why Windows 7 was hit hardest. “It is known that the worm had difficulty infecting Windows XP machines and spreading as it often caused the machine to crash when it attempted to exploit the vulnerabilities,” he says. “Microsoft has also designed a more seamless automatic update experience for Windows 10 that would have allowed for the MS17-010 patch to be installed on a much larger population of Windows 10 machines compared to older operating systems.”
From WannaCry to “EternalRocks”
WannaCry isn’t really ever going to be over. Subsequent copycats and variants are circulating at a rapid clip.
The most interesting to surface is a network worm dubbed "EternalRocks" that employs seven of the NSA tools leaked by the Shadow Brokers, and whose activity actually dates back to May 3 of this year, before WannaCry was found.
EternalRocks uses multiple SMB exploits from the NSA trove, including EternalBlue (the one WannaCry used), EternalChampion, EternalRomance, and EternalSynergy, plus the DoublePulsar, ArchiTouch, and SMBTouch tools.
Security experts say while the radical combination tool is intriguing, so far it’s not doing much damage since it doesn’t carry a payload per se: just a backdoor implant. “At this time, the malware is not weaponized, but allows remote code execution once installed on a machine, so it could potentially be weaponized later,” notes Chris Hinkley, lead ethical hacker for Armor.
EternalRocks won't be the last of the recycled NSA cyber tools to go rogue. Security experts are keeping a close eye on the next wave of attack campaigns now that WannaCry has blazed a trail with the worm-spread ransomware technique.