As we look back at the cyber threat environment over the last year, stolen credentials were a driving factor, leading to disrupted lives, stolen data, business shutdowns, and billions of dollars in financial losses. The 2023 Verizon Data Breach Investigations Report found that 83% of all breaches involved external actors, and that 49% of those breaches leveraged stolen credentials.
Millions of sets of credentials were compromised last year, through third-party breaches, infostealer malware infections, network intrusions or other methods before making their way to forums, dark web marketplaces, or other sites. Regardless of their source, the massive number of stolen legitimate credentials available underscores the pervasive nature of the threat.
And the threat isn’t going anywhere. Here are three trends to watch in the ongoing compromised credentials crisis:
Infostealer malware has gathered steam
The rapid growth of infostealer malware illustrates the appeal posed by legitimate credentials. Last year, infostealers were the top subject of malware ads and forum discussions, according to Flashpoint. Infostealers also proliferated throughout 2023, with infostealer incidents doubling in Q1 of last year alone as more and more variants were offered, all targeted at gaining illicit access to victims’ credentials and other sensitive data. The growth of this malware in the cybercriminal marketplace reflects the value attached to legitimate credentials in conducting cyberattacks and their critical role in gaining access to organizations. This access also often leads to further malware infections. SpyCloud reported that infostealer infections preceded 30% of ransomware events in North America and Europe in 2023.
The growing sophistication of social engineering
The already substantial threat to credentials from social engineering attacks should also continue to grow. While social engineering hacks are not new, high-profile successful attacks tend to inspire quick adoption of the associated tactics, techniques, and procedures by threat actors seeking to replicate those successes. Last year’s MGM breach and subsequent ransomware infection is an example of a widely reported attack that used social engineering: initial reconnaissance on social media let the threat actor impersonate an employee in a call to the IT help desk, which allowed them to obtain credentials. The attack was attributed to the group known as Scattered Spider, which specializes in these social engineering-driven attacks, often contacting victims via text or calling in to help desks in an attempt to gain access to legitimate credentials.
Going forward, we’ll see social engineering attacks incorporate AI-driven audio deepfakes that allow for more convincing impersonation calls. This tactic in particular so concerns the U.S. Federal Trade Commission that it issued an open “Voice Cloning Challenge” in which participants are invited to submit ideas for “preventing, monitoring, and evaluating malicious” audio deepfakes, with a $25,000 reward offered to the winner.
Passkeys are also on the rise
Concurrently with the ongoing threat from credential theft, we are in the midst of a shift in the technologies widely available for authentication as we move away from passwords towards passkeys. Last year marked some major milestones for the adoption of this technology, with companies such as Amazon and Google offering passkeys for authentication.
While it’s a promising evolution, we should also remember that technological shifts often create new threats and risks as organizations go through the transition. Organizations should take extra care as they incorporate new processes as well as familiarize themselves with and implement the appropriate configurations and security protocols of the new tech.
With the continued threat to credentials and the ongoing spread of infostealer malware, combined with the heightened risk environment that frequently surrounds the adoption of new technologies, 2024 might just be the Year of the Credentials Crisis. Those who don’t wish to see their credentials on a dark web marketplace would do well to pay close attention to these trends, and prepare accordingly.
Mike Kosak, senior principal intelligence analyst, LastPass