The FBI has warned that cyber-criminals are increasingly hijacking home IP addresses to hide credential stuffing activity and increase their chances of success. Credential stuffing is a popular method of account takeover in which attackers take large lists of breached username/password ‘combos’ and try them across numerous sites and apps simultaneously to see if they work. Because many individuals reuse their credentials, they often do.
The full story can be found here: https://www.infosecurity-magazine.com/news/fbi-beware-residential-ips/
Zeppelin ransomware, a fairly well-known malware strain, has been in known use since 2019, often targeting a wide range of businesses and critical infrastructure organisations. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
Zeppelin’s attack path is unusual: the FBI have observed the attackers executing the malware multiple times within a network, which stings the victim badly, as they then need multiple unique decryption keys to recover from the attack.
Attacks on hybrid-working companies are nothing new; however, it is crucial that employees remember they play a part in protecting both themselves and their employer.
Attacks from vectors such as Zeppelin often start with a simple phishing email – employers must ensure they educate and remind their employees about cyber security best practices to minimise attack risk. Standard, good cyber hygiene is essential here: remembering to change passwords regularly and to use MFA as a matter of course. That said, if a threat actor wants to find a way in, they will! What matters is the data they were able to obtain and leave with…
Most cybercriminal gangs aim for extortion, so organisations should also consider anti-data-exfiltration controls to block the attacker and prevent data from being exfiltrated.
In the past, attackers launched credential stuffing attacks from servers hosted in data centres, such as Amazon AWS or DigitalOcean. Websites and apps got wise to this practice and started blacklisting connections from ranges of data centre IP addresses. This caused attackers to encounter more CAPTCHAs or get locked out entirely, slowing or stopping credential stuffing attacks. In response, attackers are now hijacking compromised devices in people’s homes, such as routers and IoT devices, to launch their attacks. A residential IP address from someone’s home is much less likely to be blacklisted than a data centre IP address.
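As an added illustration that is not part of the original article: the check below flags credential stuffing by what a source does (many distinct usernames from one IP, mostly failing) rather than by where it comes from, so a hijacked residential IP is caught even though a data centre blacklist misses it. The log lines, the blacklisted range and the thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed authentication log (not real data): 198.51.100.7 plays a data-centre
# host, 203.0.113.9 a hijacked home router, 203.0.113.42 a genuine user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T10:00:03Z ip=198.51.100.7 user=carol result=FAIL
2024-05-01T10:00:04Z ip=198.51.100.7 user=dave result=SUCCESS
2024-05-01T10:01:01Z ip=203.0.113.9 user=frank result=FAIL
2024-05-01T10:01:02Z ip=203.0.113.9 user=grace result=FAIL
2024-05-01T10:01:03Z ip=203.0.113.9 user=heidi result=FAIL
2024-05-01T10:01:04Z ip=203.0.113.9 user=ivan result=FAIL
2024-05-01T10:02:01Z ip=203.0.113.42 user=mallory result=FAIL
2024-05-01T10:02:09Z ip=203.0.113.42 user=mallory result=SUCCESS
"""

# Hypothetical data-centre range the site blacklists (RFC 5737 documentation space).
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")


def is_datacenter(ip):
    """The IP-reputation check that traffic from residential IPs slips past."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def summarise(log_text):
    """Per-source-IP counters: total attempts, failures and distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for m in LINE_RE.finditer(log_text):
        ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += int(result == "FAIL")
        s["users"].add(user)
    return stats


def flag_stuffing(log_text, min_users=4, min_fail_ratio=0.7):
    """Behavioural rule: many distinct usernames from one IP, mostly failing."""
    flagged = {}
    for ip, s in summarise(log_text).items():
        ratio = s["failures"] / s["attempts"]
        behavioural = len(s["users"]) >= min_users and ratio >= min_fail_ratio
        flagged[ip] = {"reputation": is_datacenter(ip), "behavioural": behavioural}
    return flagged
```

Running `flag_stuffing(SAMPLE_LOG)` shows the home router flagged by the behavioural rule alone, while the genuine user with a single typo is left untouched.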
Home users should immediately change their router’s administrator password to a secure password, while also changing the default administrator username to a less “guessable” username when possible. The router’s firmware should also be updated to the latest version to plug any security holes that might have been discovered since the previous version. To avoid being a victim of the “stuffing attacks” performed by hackers through home IPs, users should ensure that their usernames and passwords are secure and unique on every website and app login. This will prevent stuffing attacks from being successful where their accounts are concerned.