Data breaches have become a daily occurrence, and many of these breaches leak login credentials. These breached credentials pose a serious threat to organizations implementing remote access via enterprise VPN solutions.
Inside the Five Stages of Credential Abuse
Once login credentials are breached, it is safe to assume they will be used in future attacks. A recent study outlines how this exploitation of compromised accounts actually unfolds, in five stages of abuse of leaked credentials.
#1. Targeted Usage. When a cybercriminal steals credentials from an organization, they first use those credentials themselves. Before the breach becomes public knowledge, the original attacker is likely to use the compromised data in stealthy attacks. Usually the goal is to gain access to new systems and networks, or to expand permissions and access on systems that are already compromised.
#2. Community Sharing. Once the initial attacker is done with the compromised credentials, the credentials are released to the wider criminal community. This may mean that they are freely shared with other cybercriminals or posted for sale on Dark Web marketplaces. This spread means that organizations affected by the breach experience a surge in credential stuffing attacks against their login portals. In many cases, this increase in very visible attacks is how the initial data breach is discovered.
#3. Script Kiddie Surge. Once the credential breach becomes publicly known, less skilled cybercriminals (i.e. script kiddies) hear of it and get involved. They use off-the-shelf credential stuffing tools, further increasing the volume of login attempts. This stage often causes the most damage and expense to the targeted organizations. Script kiddies have little hacking skill, which means they are more likely to break something by accident while performing their attacks. Additionally, these attacks are very visible, so if they succeed the targets may need to report them to regulators and may be liable for penalties.
#4. Long Tail. After the script kiddies stage, the set of compromised credentials has little value because almost every account that can be compromised using them likely has been already. However, cybercriminals may still continue using them sporadically within their attacks and periodically achieve success.
#5. Repackaging and Reuse. Periodically, cybercriminals will repackage the credentials exposed in multiple data breaches into a single “collection”. These collections often cause a resurgence of interest in the credentials compromised in the initial breach as the entire dataset is used in credential stuffing attacks. In some cases, this may cause organizations that were not affected by earlier stages of the attack to be compromised. It is theorized that the recent Oldsmar water treatment plant hack was inspired by the release of a collection of compromised credentials that included ones from the water treatment plant exposed in an earlier breach.
Enterprise VPNs are Vulnerable to Breached Credentials
The potential impact of credential breaches has grown significantly as organizations have become more reliant on cloud-based infrastructure and supportive of remote work. In the past, an attacker had limited opportunities to test compromised credentials to determine if they provided access to a user’s accounts. Now, login portals are everywhere, providing numerous targets for credential stuffing attacks.
With the rise of telework in the wake of COVID-19, some of these targets are “critical infrastructure” for businesses. The ability to support remote work is crucial for businesses to continue operating through the pandemic, and this means that employees need to be able to log in and access corporate resources from anywhere.
However, while remote access solutions are vital for the modern business, a VPN provides this access in a way that places the company and its employees at risk. VPNs have a number of characteristics that make them particularly vulnerable to attacks using breached credentials, including:
- Limited Access Control: In a typical deployment, a VPN authenticates the user once and then places them on the corporate network with broad, often unrestricted, access to internal resources. With that level of access, a cybercriminal holding compromised credentials poses a significant threat to enterprise cybersecurity.
- Lack of Integrated Security: A VPN is designed to provide an encrypted tunnel between the remote worker and the enterprise network. On its own it does not inspect the traffic inside that tunnel or analyze user behavior, so it cannot identify a compromised account or malicious content on the connection unless separate security controls are placed behind it.
- Centralized Access Point: A VPN concentrator is typically a single entry point on the enterprise network with limited capacity. A high-volume credential stuffing attack (especially an unsophisticated one run by script kiddies) can overwhelm that system, denying access to legitimate users.
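Stages two and three above describe the surge of credential stuffing that follows a leak, and the centralized VPN endpoint just described is where that surge lands. The following script is an added example, not code from the original article or from any VPN vendor. It shows one way to spot such a burst in VPN authentication logs: it flags any source address that tries several distinct usernames within a short window, and then lists the accounts that authenticated successfully from a flagged source, since those credentials are evidently valid and need an immediate reset. The log format, the thresholds and the sample lines are constructed assumptions; adapt `LINE_RE` to whatever your concentrator actually emits.

```python
"""Spot credential-stuffing bursts in VPN authentication logs.

Added example for this article, not code from the original page or any VPN
vendor. The log format, thresholds and sample lines below are constructed
assumptions; adapt LINE_RE to the format your VPN concentrator actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system): one source hits six
# accounts in a few seconds and lands one, a legitimate user mistypes once, a
# third source tries two accounts, and one line is malformed.
SAMPLE_LOG = """\
2021-02-10T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-02-10T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2021-02-10T08:00:02Z src=203.0.113.7 user=carol result=FAIL
2021-02-10T08:00:03Z src=203.0.113.7 user=dave result=FAIL
2021-02-10T08:00:04Z src=203.0.113.7 user=erin result=FAIL
2021-02-10T08:00:05Z src=203.0.113.7 user=frank result=OK
2021-02-10T08:03:10Z src=198.51.100.22 user=grace result=FAIL
2021-02-10T08:03:25Z src=198.51.100.22 user=grace result=OK
2021-02-10T08:05:00Z src=203.0.113.9 user=heidi result=FAIL
2021-02-10T08:05:30Z src=203.0.113.9 user=ivan result=FAIL
this line is malformed and is skipped by the parser
"""

# Assumed log line shape: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # one malformed line must not stop triage of the rest
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted usernames tried} for every source address that
    attempted at least min_users distinct accounts within any span of length
    window. A legitimate user retrying their own password never trips this,
    because the rule counts distinct accounts per source, not failures."""
    by_src = defaultdict(list)
    for ts, src, user, _result in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until attempts[start..end] fit in it
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that authenticated successfully from a flagged source. These
    credentials are valid and, given the surrounding burst, almost certainly
    came from a breach dump rather than from the account owner."""
    return sorted({user for _ts, src, user, result in events
                   if result == "OK" and src in flagged})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evts)
    for src, users in hits.items():
        print(f"credential stuffing from {src}: {len(users)} accounts tried")
    for user in compromised_accounts(evts, hits):
        print(f"likely compromised account: {user} (reset password, revoke sessions)")
```

Two points about the design. The rule keys on distinct usernames per source rather than on raw failure counts, which is what separates a stuffing run (one source, many accounts) from a forgetful employee (one source, one account, a few failures). The thresholds are deliberately parameters: a window of ten minutes and five accounts is a reasonable starting point for a VPN portal, but they should be set against your own baseline, and attackers who rotate source addresses will need the same logic applied per username as well.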
Deploying Truly Secure Remote Access Solutions
Data breaches and compromised credentials are problems that are unlikely to go away any time soon. Organizations need to deploy secure remote access solutions that can stand up to the threats posed by credential breaches and that integrate zero trust network access (ZTNA) functionality to protect enterprise systems and customer data from compromised accounts.