Non-compliant and compromised passwords represent some of the weakest links and greatest threats to online security for both individuals and organizations today. Hackers steal credentials for profit using various techniques ranging from online and offline brute force, dictionary, and keylogger attacks to scanning cloud resources for exposed and forgotten credentials left on publicly accessible servers.
While setting strict password policies and educating end-users on credential best practices may reduce the chances of a cyberattack, over 80 percent of hacking-related data breaches still involve brute force or the use of lost, stolen, or compromised passwords, according to the 2020 Verizon Data Breach Investigations Report. Moreover, new research from Carnegie Mellon University’s Security and Privacy Institute (CyLab) found that only one-third of users change their passwords following a data breach announcement.
Even with multi-factor authentication and passwordless technologies, compromised passwords remain a prime target for malicious actors because a single set of user credentials can be reused to attack multiple online resources. Hackers with stolen credentials can move laterally across networks and IT services to exfiltrate sensitive data, steal cryptocurrency or even access physical facilities. And as organizations move more and more IT resources to the cloud, Gartner estimates that through 2025, 99 percent of cloud security failures will be the customer's fault, overwhelmingly through misconfiguration; among those misconfigurations, exposed credentials are the ones that hand an attacker the keys outright.
To mitigate data breaches and cyberattacks both on-premises and in the cloud, RangeForce has identified and built specific hands-on training modules that cover these top exploits and techniques malicious actors use to steal passwords and network credentials.
1. Credential Stuffing
Credential stuffing involves replaying large sets of stolen usernames or email addresses and passwords from earlier data breaches against other sites' login pages with automated tools, betting that users reused the same password. Hackers test tens of millions of credential pairs daily using credential stuffing, according to Microsoft. Scripting tools such as Selenium, cURL, and PhantomJS can be used for credential stuffing attacks along with purpose-built tools such as Sentry MBA, SNIPR, STORM, BlackBullet and OpenBullet. For an individual, a unique password for every website or cloud resource removes the leverage entirely. A service cannot mandate what its users do on other sites, so its defenses are screening new passwords against known-breached lists, multi-factor authentication, and rate limiting and bot detection on the login endpoint; one source address cycling through many accounts, each tried once, is the signature to watch for.
2. Password Spraying
Unlike credential stuffing, password spraying involves an attacker attempting access to many account usernames by rotating through a small list of common passwords such as 123456, password123, 1qaz2wsx, letmein, or batman for each username. Because each account sees only a handful of guesses, spraying stays under per-account lockout thresholds; it shows up instead as one source touching a large number of accounts with a low failure count on each, which is why detection has to aggregate by source rather than by account. It is estimated that 16 percent of password attacks originate from password spraying.
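Spraying and stuffing leave a similar trace in authentication logs, so here is an added example (written for this article, not RangeForce's code or any product's detection rule) of the per-source aggregation described above, run over a constructed login log. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real product's):
#   <timestamp> login <ok|fail> user=<name> ip=<source address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def build_sample_log():
    """Constructed traffic: a little normal activity, one spray, one brute force."""
    lines = []
    for i, user in enumerate(["alice", "bob", "carol"]):  # a typo, then success
        lines.append(f"2024-05-01T08:0{i}:00Z login fail user={user} ip=10.0.0.{i + 1}")
        lines.append(f"2024-05-01T08:0{i}:05Z login ok user={user} ip=10.0.0.{i + 1}")
    for n in range(25):  # spray: 25 accounts, 2 guesses each, below any lockout
        for _ in range(2):
            lines.append(f"2024-05-01T09:00:00Z login fail user=user{n:02d} ip=203.0.113.7")
    for _ in range(12):  # classic brute force: one account hammered from one source
        lines.append("2024-05-01T10:00:00Z login fail user=dave ip=198.51.100.9")
    return lines


def parse(lines):
    """Keep only lines that match the expected format, as dicts of the named groups."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def analyze(events, lockout_threshold=5, spray_min_accounts=10):
    """Aggregate failures per account (catches brute force) and per source
    (catches spraying and stuffing, which stay below the per-account lockout on purpose)."""
    fails_per_user = defaultdict(int)
    fails_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    for e in events:
        if e["result"] != "fail":
            continue
        fails_per_user[e["user"]] += 1
        fails_per_ip[e["ip"]] += 1
        users_per_ip[e["ip"]].add(e["user"])

    # Per-account view: this is all a lockout policy ever sees.
    brute_force = {u: n for u, n in fails_per_user.items() if n >= lockout_threshold}

    # Per-source view: many accounts, each barely touched, is the spray signature.
    spray = {}
    for ip, users in users_per_ip.items():
        if len(users) < spray_min_accounts:
            continue
        avg = fails_per_ip[ip] / len(users)
        if avg < lockout_threshold:
            spray[ip] = {"accounts": len(users), "avg_attempts": avg}
    return {"brute_force": brute_force, "spray": spray}


if __name__ == "__main__":
    print(analyze(parse(build_sample_log())))
```

A credential stuffing run from a single source looks the same in the per-source view, except that each account is usually tried exactly once and the success rate is far higher than a spray's; adding a per-source count of successful logins to `analyze` is the natural extension. Attackers who distribute either attack across many addresses defeat the per-IP grouping, which is where ASN, device fingerprint or JA3-style client fingerprinting takes over as the aggregation key.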
3. Phishing
Phishing is a form of social engineering that lures users, usually via a malicious URL, to a look-alike login page and harvests the credentials they type into it. Over 70 percent of all cybercrimes begin with phishing attacks via bad URLs distributed using email spamming, social media bots and SMS text messaging. Hackers commonly sell stolen user credentials on the darknet. Note that modern phishing kits can proxy the real login page and relay one-time codes in real time, so only phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys, which bind the credential to the genuine origin) fully closes this vector.
4. Keylogging
Keylogging attacks install malware on a victim's computer or mobile device that records every keystroke, passwords included, and transmits the log back to the attacker. The technique is effective for stealing credentials for online bank accounts, email accounts and secure websites. Keylogging attacks are typically aimed at known victims or victims of interest, as in corporate or political espionage. Because a strong password offers no protection once it is captured as it is typed, enterprises should always implement two-factor (2FA) or multi-factor authentication (MFA), so that a captured password alone is not enough to log in.
5. Brute Force Attack
Online brute force attacks try as many password guesses as possible against a live login endpoint using automated tools. The offline counterpart runs the same guessing against a stolen hash dump, where nothing throttles the attacker and guesses proceed at hardware speed; replaying dumped username and password pairs against other sites is the credential stuffing attack described above rather than brute force proper. Exhaustive brute force is complex, time-consuming, and expensive from a compute standpoint and is used by criminals as well as governments. Tools such as Aircrack-ng (captured Wi-Fi handshakes), John the Ripper (password hashes) and DaveGrohl (macOS account hashes) are used for brute force attacks and can easily be found online for free.
6. Dictionary Attacks
Dictionary attacks, a form of brute force attack, try every word in a wordlist, plus rule-based variants of each word (capitalization, appended digits and symbols, letter-for-symbol substitutions), as the password; the candidate list can reach into the millions. Against an offline hash dump, automated tools test an entire dictionary in seconds; against an online login the same attack is slowed by lockouts and rate limits, which is why attackers prefer the offline form whenever they can obtain hashes.
7. Rainbow Table Attack
Rainbow table attacks are used to recover passwords, or other low-entropy secrets such as hashed card numbers, from stolen hashes. A rainbow table is a precomputed time/memory trade-off: chains of alternating hash and reduction steps are computed once over the password space, only each chain's start and end points are stored, and a captured hash can then be mapped back to its plaintext by regenerating a single chain rather than hashing the whole space again. That trades storage for compute relative to a straight brute force. Rainbow tables only work against fast, unsalted hashes such as MD5, SHA-1 or NTLM; a per-user random salt means the table would have to be rebuilt for every user, and a deliberately slow password hash (bcrypt, scrypt, Argon2) makes even that impractical.
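To make the chain mechanics and the effect of salting concrete, here is an added toy rainbow table, written for this article and not taken from RangeForce or any cracking tool. It assumes a deliberately tiny password space (4-digit PINs hashed with unsalted MD5) so it builds in well under a second; the chain length, chain count and reduction function are choices made for the example, not values from any real table.

```python
import hashlib

SPACE = 10_000      # toy password space: 4-digit PINs "0000".."9999" (assumption)
CHAIN_LEN = 30      # hash/reduce steps per chain (assumption)


def H(pw):
    """The fast, unsalted hash the attacker hopes the victim used (MD5 here)."""
    return hashlib.md5(pw.encode()).hexdigest()


def R(h, col):
    """Reduction: map a hash back into the password space. Mixing in the column
    index is what makes this a *rainbow* table rather than a plain Hellman table:
    two chains that collide at different columns no longer merge for good."""
    return f"{(int(h[:12], 16) + col) % SPACE:04d}"


def walk(start, steps):
    """Follow a chain `steps` reductions from `start`; walk(start, CHAIN_LEN) is its endpoint."""
    p = start
    for col in range(steps):
        p = R(H(p), col)
    return p


def build_table(n_chains):
    """Precompute chains once; store only endpoint -> start (this is the storage saving)."""
    table = {}
    for s in range(n_chains):
        start = f"{(s * 7919) % SPACE:04d}"   # deterministic, collision-free spread of starts
        table.setdefault(walk(start, CHAIN_LEN), start)  # merged chains keep the first start
    return table


def lookup(table, target):
    """Recover the plaintext for `target` if some stored chain covers it, else None.
    Cost is O(CHAIN_LEN^2) hashes instead of O(SPACE): that is the time/memory trade-off."""
    for k in range(CHAIN_LEN - 1, -1, -1):          # guess which column the target sat in
        p = R(target, k)
        for col in range(k + 1, CHAIN_LEN):          # finish the chain from that column
            p = R(H(p), col)
        start = table.get(p)
        if start is None:
            continue                                 # not an endpoint we stored
        p = start                                    # regenerate the chain and verify
        for col in range(CHAIN_LEN):
            if H(p) == target:
                return p
            p = R(H(p), col)                         # false alarm (chain merge): keep looking
    return None


def salted_hash(salt, pw):
    """What a per-user salt does to the input; the table above knows nothing about it."""
    return hashlib.md5((salt + pw).encode()).hexdigest()


if __name__ == "__main__":
    table = build_table(1500)
    pin = walk("0000", 3)                            # some PIN we know a chain covers
    print(f"{len(table)} chains stored")
    print("unsalted:", lookup(table, H(pin)), "(expected", pin + ")")
    print("salted:  ", lookup(table, salted_hash("s3", pin)))
```

The verification walk at the end of `lookup` matters: chains merge, so an endpoint hit is only a candidate, and real tools spend much of their lookup time on exactly these false alarms. The salted lookup fails not because the PIN is stronger but because the table was built for `H(pw)` and the victim stored `H(salt + pw)`; with a random salt per user, the precomputation would have to be redone per user, at which point it is just brute force with extra storage.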
8. Spidering
Many enterprise users unwittingly create passwords from words associated with the company itself or its products. Using this knowledge, hackers employ a technique called spidering: automated scraper bots crawl the company's public web presence much as a search engine would and harvest product names, locations, slogans and other password-worthy words and phrases into a targeted wordlist for dictionary attacks. Deploying web application firewalls, tarpitting, IP fingerprinting, user behavior analysis and machine learning can mitigate the scraping itself, but the more durable control is on the password side: screen new passwords against a blocklist of company and product terms as well as leaked-password lists, as NIST SP 800-63B recommends for context-specific words.
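The spidering step above and the dictionary attack in section 6 are two halves of one procedure, so here is a single added example covering both, written for this article rather than taken from RangeForce or from any cracking tool. It scrapes a constructed corporate web page into a wordlist, applies a handful of the mangling rules crackers use, and runs the result against an unsalted SHA-1 hash; the company, products and rule set are invented for the example.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed corporate web page; company, products and addresses are invented.
CONSTRUCTED_PAGE = """<html><head><title>Acme Widgets - Home of the Zephyr Turbine</title></head>
<body><h1>Acme Widgets</h1>
<p>Founded in 1998 in Springfield, Acme builds the Zephyr and Cyclone product lines.</p>
<p>Contact: sales@acme.example</p></body></html>"""


class WordCollector(HTMLParser):
    """Collect words from text nodes only; markup is skipped the way a search engine skips it."""

    def __init__(self):
        super().__init__()
        self.words = []

    def handle_data(self, data):
        self.words.extend(re.findall(r"[A-Za-z]{4,}", data))


def spider_wordlist(html):
    """Spidering: turn a page's visible text into a de-duplicated, order-preserving wordlist."""
    collector = WordCollector()
    collector.feed(html)
    seen, wordlist = set(), []
    for word in collector.words:
        w = word.lower()
        if w not in seen:
            seen.add(w)
            wordlist.append(w)
    return wordlist


LEET = str.maketrans("aeios", "@310$")          # a -> @, e -> 3, i -> 1, o -> 0, s -> $
SUFFIXES = ["1", "123", "!", "2024", "2024!"]   # a few of the most common appendages


def mangle(base):
    """A small subset of the rule transforms crackers apply to every base word."""
    candidates = set()
    for w in (base, base.capitalize(), base.upper()):
        candidates.add(w)
        candidates.add(w.translate(LEET))
        candidates.update(w + s for s in SUFFIXES)
    return candidates


def sha1_hex(s):
    """Unsalted, fast SHA-1: the kind of stored hash a dictionary attack eats for breakfast."""
    return hashlib.sha1(s.encode()).hexdigest()


def crack(target_hash, wordlist, hash_fn=sha1_hex):
    """Offline dictionary attack: returns (plaintext, guesses tried) or (None, guesses tried)."""
    tried = 0
    for base in wordlist:
        for candidate in mangle(base):
            tried += 1
            if hash_fn(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    wordlist = spider_wordlist(CONSTRUCTED_PAGE)
    print("wordlist:", wordlist)
    print("cracked:", crack(sha1_hex("Zephyr2024!"), wordlist))
```

A password that looks respectable on a complexity meter ("Zephyr2024!" has upper and lower case, digits and a symbol) falls in a few hundred guesses once the base word comes from the company's own site. A site-specific blocklist fed from the same scrape, applied at password-change time, is the direct countermeasure; so is a slow, salted hash, which turns each of those guesses from microseconds into milliseconds.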
9. Secret Scanning Attacks
Developers do not always follow best practices when managing system secrets and access credentials on code hosting and development sites. Credentials or tokens committed to a repository, even briefly, can be harvested and used to access additional resources, and deleting the file afterwards does not help because the secret remains in the commit history and in any forks or clones. Secret scanning attacks use automated tools to find and exploit such mismanaged secrets at scale. In response, GitHub regularly scans repositories for known token formats to limit fraudulent use of secrets accidentally left online; the correct response to any exposure is still to revoke and rotate the secret rather than to rely on removing it.
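Both attackers and defenders run the same kind of scanner, so here is an added, minimal one (written for this article, not GitHub's or RangeForce's code) that a team could run in a pre-commit hook. It combines fixed patterns for a few well-documented token formats with an entropy check for generic `secret=`-style assignments. The AWS values in the sample file are the placeholder credentials AWS itself uses in its documentation; the GitHub token and the rest of the file are constructed, and the entropy threshold is an assumption.

```python
import math
import re

# Fixed formats: the AWS access key ID prefix and the GitHub classic PAT prefix are
# documented; the private-key header is the PEM armor line.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: an assignment to a secret-looking name whose value is long and random-looking.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})"
)


def shannon_entropy(s):
    """Bits per character; random tokens score high, prose and placeholders score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return one finding per line: known token formats first, then high-entropy assignments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "type": name, "match": m.group(0)})
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            if not any(f["line"] == lineno for f in findings):   # avoid double-reporting a line
                findings.append({"line": lineno, "type": "high_entropy_assignment",
                                 "match": m.group(2)})
    return findings


# Constructed file. The AWS pair is the example key/secret from AWS's own documentation,
# not a live credential; the GitHub token is made up.
SAMPLE_FILE = """\
# constructed config committed by mistake
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
db_password = changeme
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_FILE):
        print(f"line {f['line']}: {f['type']}: {f['match'][:8]}...")
```

`db_password = changeme` is not reported: the value is short and low-entropy, which is the trade-off of the generic rule (it misses weak hard-coded passwords and catches random ones). Real scanners add a verification step, calling the issuer to check whether a matched token is live, which is also what lets GitHub's partner program revoke keys automatically.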
10. S3 Bucket Scanning Attacks
Amazon S3 buckets are a common attack vector and must be monitored and managed to avoid data breaches. A typical data exfiltration attack involving an S3 bucket starts with an attacker finding AWS access keys that developers left in a public GitHub repository, then listing and reading every bucket those keys can reach. Separately, many free S3 scanning tools enumerate likely bucket names and test which ones are world-readable through an ACL or bucket policy. Mitigating S3 bucket scanning attacks means enabling S3 Block Public Access at the account level, writing bucket policies that allow access only from expected principals or VPC endpoints and only over TLS, keeping long-lived access keys out of code in favor of IAM roles, and alerting on unusual ListBucket and GetObject activity in CloudTrail.
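Bucket policies are where "public" is usually decided, and a policy can look locked down while still being world-readable. The following is an added example, written for this article and not RangeForce's or AWS's code, of a small policy check of the kind you would run over the output of `aws s3api get-bucket-policy`: it flags Allow statements with a wildcard principal unless a condition actually narrows who can call. The three policies are constructed, the bucket and VPC endpoint names are placeholders, and the list of restricting condition keys is a deliberately short assumption (AWS IAM Access Analyzer tracks far more).

```python
import json

# Condition keys that narrow *who* may call. Keys such as aws:SecureTransport constrain
# *how* the call is made and leave the statement public. Assumption for this example.
RESTRICTING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def as_list(x):
    return x if isinstance(x, list) else [x]


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def condition_keys(statement):
    """All condition keys in a statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for operator_block in (statement.get("Condition") or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def public_statements(policy_json):
    """Return the Allow statements that an anonymous caller could use."""
    policy = json.loads(policy_json)
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(st.get("Principal")):
            continue
        if condition_keys(st) & RESTRICTING_KEYS:
            continue          # wildcard principal, but scoped to a VPC endpoint, org, etc.
        findings.append({"sid": st.get("Sid"), "actions": as_list(st.get("Action"))})
    return findings


BUCKET = "arn:aws:s3:::example-bucket"   # placeholder

# Weak: the classic "make it work" policy; anyone on the internet can read every object.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]})

# Looks hardened, is not: requiring TLS says nothing about who may connect.
TLS_ONLY_STILL_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadOverTls", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})

# Hardened: reads only through our VPC endpoint, and any non-TLS request is denied outright.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadViaOurVpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("tls-only", TLS_ONLY_STILL_PUBLIC),
                      ("hardened", HARDENED_POLICY)]:
        print(name, "->", [f["sid"] for f in public_statements(pol)])
```

The bucket policy is only one of several places S3 access is decided (ACLs, access point policies and the account-level Block Public Access setting are the others), so treat a check like this as a code-review aid, not as proof that nothing is exposed; enabling Block Public Access at the account level is what makes the weak policy above fail to apply at all.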
How to Mitigate Attacks that Exploit Passwords
Password security and attack mitigation best practices are an essential component of every IT security program. Using unique passwords of at least eight characters (a floor, not a target: length does far more than complexity rules) that are screened against known-breached lists, enabling two-factor or multi-factor authentication, and deploying Identity and Access Management (IAM) systems from major cloud providers and third-party vendors are all essential to not falling victim to the top tools and techniques that hackers employ for user credential exploitation.
By implementing strict password policies and IT controls as well as ensuring that security teams have a deep understanding of password attacks and are continuously practicing the security skills needed to thwart these attacks, organizations can reduce their chances of a data breach. RangeForce offers in-depth technical training modules that cover all 10 of these potential attack vectors for your security and IT professionals to learn in a simulation-based environment.
Click here to learn more about RangeForce and our extensive set of hands-on cyber skills training modules.