Researchers with Outpost24 are reporting over 31,000 corporate credentials for many of the UK’s leading FTSE 100 firms on the dark web. These are the 100 biggest companies listed on the London Stock Exchange by market capitalization. The researchers used their threat monitoring and auditing tool Blueliv to search dark web sites for the breached credentials.
Key findings from stolen and leaked credentials study:
- The majority (81%) of the companies within the FTSE 100 had at least one credential compromised and exposed on the dark web
- 31,135 total stolen and leaked credentials detected for FTSE 100 companies, with 38% disclosed on the underground in the past 12 months
- Nearly half (42%) of FTSE 100 companies have more than 500 compromised credentials exposed on the dark web
- Up to 20% of credentials are stolen via malware infection and stealers
- 11% disclosed in the last 3 months (21% in the last 6 months and over 68% has been exposed for 12months+)
- Over 60% of stolen credentials came from 3 industries – IT/Telecom (23%), Energy and Utility (22%) and Finance (21%)
- IT/Telecoms industry is the most at risk with the highest total amount (7,303) and average stolen credentials per company (730), they are most affected by malware infection and have the most amount of stolen credentials disclosed in the last 3 months
- On average, healthcare has the highest number of stolen credentials per company (485) from data breach as they found themselves increasingly in the cybercriminals’ crosshairs since the pandemic
This is a serious breach. There are most likely identities that include users w/ privileged access – e.g. the ability to not only view their own email but company servers and other proprietary resources. A reset of all these identities is an immediate must. But most importantly, an identity review of all the access that these and other identities in the enterprise have must be reviewed. A recent Palo Alto Unit 42 study showed that 99% of enterprises have over-privileged their accounts in the enterprise. That means most likely these European firms will experience some data loss.
The first thing an attacker does, once they gain a foothold is to conduct lateral motion across the enterprise – to discover valued resources and then either exfiltrate or encrypt and ransom the data. Identities are the key to our cybersecurity and identity security starts by knowing who has what.
Hacking organizations are remarkably sophisticated in identifying targets that will pay the biggest ransomware and that have the most valuable assets to steal. The fact that credentials for almost everyone are seemingly readily available on the dark web is nothing new, but it is further evidence that organizations must adopt more sophisticated multifactor authentication methods and a zero trust approach to cybersecurity to protect themselves.
Credential theft (Identifying the target) is the first step of the kill chain also known as the F2T2EA military model which describes an integrated, end-to-end process akin to what a sophisticated threat actor uses to launch an attack and maximize damage. The best way to break the kill chain is to create disruptions at any stage along the \”chain” which can interrupt the entire attack process. From a cyber defense perspective, avoidance is better than remediation.
Organizations should consider passwordless authentication techniques such as FIDO2 along with a secure networking solution that obfuscates the infrastructure and sensitive endpoints. You can’t hack what you can’t see and making sensitive resources invisible to threat actors can enable the organization to be impervious to most attack vectors. Such techniques known as managed attribution are popular in the military and counterintelligence space and are now also available in the commercial domain.
Given the continuation of successful phishing attacks, there are several areas for organizations to focus on. Forcing the cycling of passwords is always helpful, but one of the easiest methods to implement is a form of MFA (Multi-Factor Authentication). This allows for a user to acknowledge they are in fact who they say they are with a secondary device. There are varying degrees of secure options for handling this secondary verification, the least secure being email, and most secure being a separate hardware token which has to be in the user’s possession to authenticate. However, this prevents an attacker from harvesting just credentials and being able to have an impact without some way to gather the secondary factors.
Additionally, there are a number of products coming to market which provide continuous authentication for users based upon biometric models built on keyboard and mouse interactions. These however, then produce privacy concerns with models being shipped or localized for use case. Users will always be the most susceptible part of any system to manipulation. It is imperative to help users not become liabilities while still allowing for high productivity.