Recycling Credentials in Four Easy Steps
April 28th, 2020
Over the past two weeks, IntSights has released a report breaking down attacks that have emerged as a result of the COVID-19 pandemic and a blog on cybercriminals offering Zoom credentials in underground forums. As soon as the COVID-19 situation became a global health crisis, cybercriminals turned from hoaxes and scams to full-blown cyberattacks, including phishing, malware, ransomware and targeted attacks against remote workers.
IntSights researchers have obtained multiple databases, offered on several underground forums, that contain usernames and passwords for Zoom. Analysis of these databases shows that they were not the product of a Zoom breach: they were assembled through credential stuffing attacks that replayed old compromised databases against Zoom. Here is what the attackers do:
1. Collection: The attacker collects databases containing compromised usernames and passwords. These databases can be found in various forums or black markets throughout the clear, deep and dark web. During analysis, our researchers found evidence that criminals were using databases dating back to 2013.
2. Preparation: The attacker writes a configuration file for a checker. There are many open source tools for load testing web applications; unfortunately, the same tools are also used for credential stuffing. The attacker writes a configuration file for one of these tools, such as OpenBullet or SNIPR, that replays each username and password pair from the existing databases against the application of choice, in this case Zoom's login. Below is an example of one of the checkers for Zoom credentials.
3. Attack: The attacker points the configured tool at the application and starts the credential stuffing run. To avoid detection, the attacker spreads the attempts across many source IP addresses (proxies or bots, since many login attempts from a single IP would be suspicious), adds a delay between attempts (so the run neither overloads the target nor stands out from legitimate login traffic), and uses similar evasion techniques. If the targeted application neither requires additional authentication (such as 2FA) nor employs bot detection (such as a captcha), the tool reports which credential pairs logged in successfully. The checker can also be configured to harvest additional data once logged in; in Zoom's case this includes the full name, personal meeting URL and host key.
4. Aftermath: The attacker collects the validated credentials, bundles them as a new database and shares or sells them on a forum or black market.
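The evasion tactics in step 3 (many source IPs, a delay between attempts) are aimed at the classic per-IP login-failure threshold. The following is an added example, not code from IntSights or from any checker tool, showing why a per-source rule misses a distributed run and how an account-centric view over the same log still catches it. The log format ("timestamp ip username result") and both sample logs are constructed for illustration; the thresholds are assumptions to be tuned per application.

```python
"""Spotting a distributed credential stuffing run in authentication logs."""
from collections import defaultdict

# Constructed sample: one attempt per line, "timestamp ip username result".
# Lines 1-2: a real user mistypes once, then logs in. The rest: a stuffing run
# spread over several proxy IPs, each trying a different leaked pair every few
# seconds (the "many IPs plus a delay" tactic from step 3). Two pairs are valid.
STUFFING_LOG = """\
2020-04-20T09:00:01 203.0.113.10 alice@example.com FAIL
2020-04-20T09:00:05 203.0.113.10 alice@example.com OK
2020-04-20T09:00:07 198.51.100.21 bob@example.com FAIL
2020-04-20T09:00:09 198.51.100.22 carol@example.com FAIL
2020-04-20T09:00:12 198.51.100.23 dave@example.com FAIL
2020-04-20T09:00:14 198.51.100.24 erin@example.com OK
2020-04-20T09:00:17 198.51.100.25 frank@example.com FAIL
2020-04-20T09:00:19 198.51.100.26 grace@example.com FAIL
2020-04-20T09:00:22 198.51.100.27 heidi@example.com FAIL
2020-04-20T09:00:24 198.51.100.21 ivan@example.com FAIL
2020-04-20T09:00:27 198.51.100.22 judy@example.com FAIL
2020-04-20T09:00:29 198.51.100.23 mallory@example.com FAIL
"""

# Constructed sample of a normal morning: many users, many IPs, one typo.
NORMAL_LOG = """\
2020-04-20T09:00:01 192.0.2.11 alice@example.com OK
2020-04-20T09:00:03 192.0.2.12 bob@example.com OK
2020-04-20T09:00:04 192.0.2.13 carol@example.com FAIL
2020-04-20T09:00:06 192.0.2.13 carol@example.com OK
2020-04-20T09:00:08 192.0.2.14 dave@example.com OK
2020-04-20T09:00:09 192.0.2.15 erin@example.com OK
2020-04-20T09:00:11 192.0.2.16 frank@example.com OK
2020-04-20T09:00:12 192.0.2.17 grace@example.com OK
2020-04-20T09:00:14 192.0.2.18 heidi@example.com OK
2020-04-20T09:00:15 192.0.2.19 ivan@example.com OK
2020-04-20T09:00:17 192.0.2.20 judy@example.com OK
2020-04-20T09:00:18 192.0.2.21 mallory@example.com OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of attempt dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user.lower(), "ok": result == "OK"})
    return events


def per_ip_suspects(events, min_distinct_users=2):
    """Classic per-source rule: flag an IP that cycles through different usernames.

    A stuffing tool tries a different pair on every attempt, so an IP hitting two or
    more accounts is suspicious. An attacker who rotates IPs fast enough stays under it.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_distinct_users)


def population_stats(events):
    """Account-centric view: the tell is many distinct accounts that never succeed."""
    outcomes_by_user = defaultdict(list)
    for e in events:
        outcomes_by_user[e["user"]].append(e["ok"])
    users = len(outcomes_by_user)
    never_succeeded = sum(1 for oks in outcomes_by_user.values() if not any(oks))
    return {
        "attempts": len(events),
        "distinct_users": users,
        "distinct_ips": len({e["ip"] for e in events}),
        "fail_ratio": round(sum(1 for e in events if not e["ok"]) / len(events), 3),
        "never_succeeded_ratio": round(never_succeeded / users, 3),
    }


def looks_like_stuffing(stats, min_users=10, min_never_succeeded=0.5):
    """Assumed thresholds: at least 10 accounts targeted and most of them never log in."""
    return stats["distinct_users"] >= min_users and stats["never_succeeded_ratio"] >= min_never_succeeded


def first_try_successes(events):
    """Accounts whose very first attempt succeeded. Inside a window flagged by
    looks_like_stuffing() these are the pairs the attacker just validated and
    are the ones to force-reset; in a normal window this list is meaningless."""
    first_outcome = {}
    for e in events:
        first_outcome.setdefault(e["user"], e["ok"])
    return sorted(user for user, ok in first_outcome.items() if ok)
```

Against the stuffing sample the per-IP rule only names the three proxies that happened to be reused (one more IP per attempt and it finds nothing), while the population view sees 11 accounts of which 9 never logged in and flags the window; erin@example.com is the validated pair worth a forced reset. The same population view scores the normal sample at zero.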
Credential stuffing is not the only way to build an application-specific credential database. The most common way is phishing, and cybercriminals have launched phishing campaigns targeting collaboration tools such as Webex.
An interesting development took place in one of the popular cybercrime forums. Following the recent news coverage of Zoom attacks, the administrator decided to ban any user discussing or selling Zoom credentials and attacks.
This does not make the forum a white hat channel; it still offers many illegal goods and services. But, as of now, Zoom credentials and attacks are not welcome there.
Credential stuffing attacks highlight an ongoing issue with passwords. Many people do choose a strong password, one with eight or more characters that mixes lowercase and uppercase letters, numbers and special symbols. The problem is that remembering many such passwords is very hard. Password managers solve that problem, but not everyone uses them. The result: people reuse the same password across multiple sites and services, and when one of those sites is breached, criminals can try the same credentials against the victim's accounts on other services.
This is also why it is crucial for organizations to collect leaked credential data and act on it quickly. Once an employee's credentials are compromised, it is imperative to check whether the same credentials were also used on corporate assets, such as Active Directory, and if they were, to block the account and change the password immediately.
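What "collect this data and act on it" looks like in practice, as an added example that is not IntSights' code: take a combo list as sold on the forums, normalize it, keep only entries for the corporate domains, and check each leaked password against the account's current credential. The combo list, the domain set and the credential store below are all constructed; the store (a dict of salted PBKDF2 hashes) stands in for the identity provider, which in a real deployment would be Active Directory or an IdP queried through its own password-verification or banned-password interface rather than a local dict.

```python
"""Triage of a leaked combo list against corporate accounts (added example)."""
import hashlib
import hmac
import os
import re

# Assumed corporate domains; anything else in the dump is someone else's problem.
CORP_DOMAINS = {"example.com"}

# Constructed combo list in the shape dumps usually arrive: mixed separators,
# mixed case, entries for other domains, a duplicate and a junk line.
COMBO_LIST = """\
Alice@Example.com:Winter2019!
bob@example.com;hunter2
carol@example.org:letmein
dave@example.com:Zoom4Ever
bob@example.com:hunter2
malformed line without separator
"""


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


# Constructed credential store. alice still uses the leaked password, bob has
# changed his since the dump, dave has no account here (ex-employee or namesake).
CORP_STORE = {
    "alice@example.com": hash_password("Winter2019!"),
    "bob@example.com": hash_password("correct-horse-battery"),
    "erin@example.com": hash_password("unrelated-password"),
}

_PAIR_RE = re.compile(r"^([^:;]+)[:;](.+)$")


def parse_combo_list(text):
    """Normalize email:password / email;password lines; drop junk and duplicates."""
    pairs = set()
    for line in text.splitlines():
        m = _PAIR_RE.match(line.strip())
        if not m:
            continue
        email = m.group(1).strip().lower()
        password = m.group(2)  # passwords are case-sensitive, never normalize them
        if "@" in email:
            pairs.add((email, password))
    return sorted(pairs)


def triage(pairs, store, domains=CORP_DOMAINS):
    """Bucket corporate entries by what the leak means for the account today.

    reused:  the leaked password is the account's current one -> block and reset now
    exposed: account exists, password differs -> still reset, the old one may live elsewhere
    unknown: no such account -> note the identity, nothing to block
    """
    findings = {"reused": [], "exposed": [], "unknown": []}
    for email, password in pairs:
        if email.rsplit("@", 1)[-1] not in domains:
            continue
        if email not in store:
            findings["unknown"].append(email)
            continue
        salt, expected = store[email]
        _, candidate = hash_password(password, salt)
        # Constant-time compare so the checker itself is not a timing oracle.
        if hmac.compare_digest(candidate, expected):
            findings["reused"].append(email)
        else:
            findings["exposed"].append(email)
    return findings


if __name__ == "__main__":
    for bucket, emails in triage(parse_combo_list(COMBO_LIST), CORP_STORE).items():
        print(f"{bucket:8s} {emails}")
```

Run against the sample, alice lands in "reused" (the leaked pair still works against the corporate account and must be blocked today), bob in "exposed" (already rotated, but the old password may still be live on other services he uses), dave in "unknown", and carol is ignored as an outside domain. The "exposed" bucket is the one teams tend to skip; given how old the databases in these dumps are, it is also where most of the hits will be.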
For more on the evolving threat landscape as the COVID-19 pandemic forces organizations around the world to operate remotely, read our report, The Cyber Threat Impact of COVID-19 to Global Business.
Etay Maor is Chief Security Officer at IntSights. As CSO, Etay leads the security advisory practice at IntSights where he works with CISOs and other senior cybersecurity executives to develop risk management-based cybersecurity programs. Etay has extensive experience in cybersecurity having worked at IBM, Trusteer, and RSA. Etay holds a BA in Computer Science and a MA in Counter Terrorism and Cyber Terrorism and is currently a professor at Boston College.