cognitive cybersecurity intelligence

Analysis of Cyber Security Threat Trends from the Last Six Months of 2023

Hey there Bay Area folks, we’ve all heard about the increasing cyber attacks, right? Let’s talk about a rising issue in our world of healthcare and cybersecurity: leaked credentials. These babies are on fire on the dark web, making it simpler than ever for unwelcome guests to break into accounts and generate online chaos. We’ll go into how this happens, and how to prevent such infiltration, all wrapped up in a friendly, Bay Area style!

So, leaked credentials are the key to the kingdom for these cyber-bad guys. A report from Google Cloud put almost 3% of breaches down to the use of leaked credentials, and a separate report from IBM found a whopping 71% year-on-year rise in attacks that used stolen or compromised credentials. Basically, if your credentials are out there, every account they unlock is at risk, and the attacker doesn't need an exploit to walk in the front door.

Now let's talk about a real-life incident from early 2024, where a customer's internal credentials found their way onto the dark web and a cyber crook used them to get into the customer's systems. Suspicious activity was detected, but the network had nothing in place to act on that detection automatically, so the intruder kept going until the security team stepped in.

What does using leaked credentials look like, you ask? Well, the perpetrator uses the stolen account info to log into the Virtual Private Network (VPN), and from there starts poking around: searching for data and moving from system to system. In this case the intruder came in on a service account, which was a cinch because the initial access was enabled on the customer's service provider's side.

Then, on February 22nd, 2024, things got interesting. The infiltrated device started doing what looked like internal 'network scanning': reaching out to lots of other devices inside the network on a handful of ports, including 80 (HTTP), 161 (SNMP), 389 (LDAP) and 445 (SMB). That's a textbook reconnaissance mix: web interfaces, device management, the directory, and file shares.

Now here's where it gets scary. They then logged into a previously unused service account. The Multi-Factor Authentication (MFA) arrangement on the service provider's side didn't block that login, so it went through and they could begin carrying out their unsavory plans. (Service accounts are a classic MFA blind spot: they're automated, so there's nobody at the other end to approve a prompt.)

But how do these cyber crooks get the password in the first place, you ask? The blunt way is brute force: programs that try countless username/password combos until one finally hits the jackpot. Leaked credentials boost the success rate astronomically, because now the attacker isn't guessing. They replay known username/password pairs (credential stuffing) or try one leaked password across many accounts (password spraying), which needs only a handful of attempts per account and slips right under per-account lockout thresholds.
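Here's what catching this looks like on the wire. Below is an added example of ours in Python (not code from HEAL Security or from the incident write-up) that runs two checks over a constructed VPN authentication log: one for a single source failing against many different accounts in a short window (the spraying / stuffing signature), and one for a successful login by an account that has never logged in before or has been dormant for a long time, which is how the previously unused service account in this story would stand out. The log lines, account names, IP addresses and thresholds are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log, loosely modelled on the incident in the
# post but not real data: timestamp, username, source IP, result.
VPN_LOG = """\
2024-02-22T01:02:10Z,j.doe,203.0.113.7,FAIL
2024-02-22T01:02:12Z,m.smith,203.0.113.7,FAIL
2024-02-22T01:02:15Z,a.lee,203.0.113.7,FAIL
2024-02-22T01:02:17Z,svc-backup,203.0.113.7,FAIL
2024-02-22T01:02:19Z,svc-backup,203.0.113.7,FAIL
2024-02-22T01:02:24Z,svc-backup,203.0.113.7,SUCCESS
2024-02-22T08:15:00Z,j.doe,198.51.100.21,SUCCESS
"""

# Constructed baseline: when each account last logged in successfully before
# this log starts. None means the account has never been seen logging in.
LAST_SUCCESS = {
    "j.doe": datetime(2024, 2, 21, 17, 5),
    "m.smith": datetime(2024, 2, 20, 9, 0),
    "a.lee": datetime(2024, 2, 19, 12, 30),
    "svc-backup": None,
}


def parse_log(text):
    """Turn the CSV-style lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """One source failing against several *different* accounts within a short
    window is the signature of password spraying / credential stuffing.
    Per-account lockout never fires, because each account only sees one or
    two attempts, so the detection has to key on the source, not the user."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(users) >= min_users:
                # Did the same source eventually get in? That turns a noisy
                # alert into an active-compromise alert.
                got_in = any(e["ok"] and e["src"] == src and e["ts"] >= first["ts"]
                             for e in events)
                alerts.append({"src": src, "users": sorted(users),
                               "followed_by_success": got_in})
                break  # one alert per source is enough
    return alerts


def detect_dormant_login(events, last_success, dormant_after=timedelta(days=30)):
    """A valid password is not the same as a legitimate login. An account that
    has never logged in, or not for a long time, suddenly succeeding is worth a
    look; in the incident above it was a previously unused service account."""
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_success.get(e["user"])
        if prev is None or e["ts"] - prev > dormant_after:
            alerts.append({"user": e["user"], "src": e["src"],
                           "ts": e["ts"].isoformat(), "never_seen": prev is None})
    return alerts


if __name__ == "__main__":
    evts = parse_log(VPN_LOG)
    for alert in detect_spray(evts) + detect_dormant_login(evts, LAST_SUCCESS):
        print(alert)
```

Two design points worth noting: the spray check deliberately counts distinct users per source rather than failures per user, since that's the whole trick of spraying, and the dormant check fires on a *successful* login, which is exactly the case a password-only control waves through.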

Then they map out what's on offer. We call this 'share enumeration': listing the file shares each machine exposes over SMB. Not even half an hour passed after the network scanning before they were at it, this time using an account with elevated privileges, which gave them a view of the network's structure, configurations, permissions and more.

The story doesn't end there. They went a step further and used Nmap, the network scanning tool, for their own ends. Nmap is everyday kit for legitimate security work, which is exactly why it's handy for an intruder: it finds live hosts, open ports and service versions, and with them the weaknesses to go after.

They kept up the lateral movement and scanning, launching almost 900 SMB sessions, reading files from other connected devices, deleting files, making connections consistent with Active Directory domain enumeration, and more.
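Pulling the scanning, share enumeration and SMB burst together, here is an added example of ours in Python (not code from HEAL Security or anyone involved in the incident) that runs two detectors over a constructed internal flow log: a fan-out check that flags one host touching many different internal hosts on the reconnaissance ports named above within a short window, and a burst check that flags an unusually high number of SMB sessions from a single host. The hosts, addresses, timings and thresholds are made up; a real deployment would tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the post, with what they normally carry.
RECON_PORTS = {80: "HTTP", 161: "SNMP", 389: "LDAP", 445: "SMB"}


def build_sample_flows():
    """Constructed internal flow log (not data from the incident): each flow
    is (timestamp, source host, destination host, destination port).
    10.0.5.23 plays the compromised VPN client; 10.0.7.4 is a normal user."""
    t0 = datetime(2024, 2, 22, 10, 0, 0)
    flows = []
    # Phase 1: a sweep of twelve servers on four ports in under a minute.
    for i in range(1, 13):
        for p, port in enumerate(sorted(RECON_PORTS)):
            flows.append((t0 + timedelta(seconds=(i - 1) * 4 + p),
                          "10.0.5.23", f"10.0.10.{i}", port))
    # Benign background: one workstation opening its usual share a few times.
    for m in (5, 6, 7):
        flows.append((t0 + timedelta(minutes=m), "10.0.7.4", "10.0.10.3", 445))
    # Phase 2: 150 SMB sessions in about twelve minutes, cycling the servers.
    for n in range(150):
        flows.append((t0 + timedelta(minutes=25, seconds=5 * n),
                      "10.0.5.23", f"10.0.10.{n % 12 + 1}", 445))
    return sorted(flows)


def detect_scan(flows, window=timedelta(minutes=10), min_hosts=8):
    """Fan-out on reconnaissance ports: one source reaching many distinct
    internal hosts within the window. Counting hosts rather than raw
    connections keeps a chatty-but-legitimate client to one server quiet."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in RECON_PORTS:
            by_src[src].append((ts, dst, port))
    alerts = []
    for src, recon in by_src.items():
        for i, (start, _, _) in enumerate(recon):
            in_window = [r for r in recon[i:] if r[0] - start <= window]
            hosts = {dst for _, dst, _ in in_window}
            if len(hosts) >= min_hosts:
                ports = sorted({RECON_PORTS[p] for _, _, p in in_window})
                alerts.append({"src": src, "hosts": len(hosts), "ports": ports,
                               "start": start.isoformat()})
                break  # one alert per source
    return alerts


def detect_smb_burst(flows, window=timedelta(minutes=30), min_sessions=100):
    """Volume check on port 445 alone: the most SMB sessions a single source
    opened inside any window. Share enumeration and mass file access both
    show up here even when each individual session looks routine."""
    by_src = defaultdict(list)
    for ts, src, _, port in flows:
        if port == 445:
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        peak = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            peak = max(peak, count)
        if peak >= min_sessions:
            alerts.append({"src": src, "smb_sessions_in_window": peak})
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    for alert in detect_scan(sample) + detect_smb_burst(sample):
        print(alert)
```

The benign workstation never trips either rule: it talks to one server, not many, and opens three sessions, not hundreds. Against real telemetry you'd feed these the same fields from your flow collector or firewall logs and set the thresholds from a few weeks of normal traffic.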

Fortunately, an alert to the security team halted the attack in its tracks. Once they'd spotted the intrusion, the team quickly disabled the compromised accounts and stopped the attack before it escalated.

So, bottom line: with stolen credentials flooding the dark web, intruders have it easier than ever. MFA and changing passwords (above all any that show up in a leak) do help, but on their own they won't fully block these cyber bandits, especially when a service account sits outside the MFA net.
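One concrete thing you can do about the "if your credentials are out there" part is to screen passwords against the public leak corpora before they go into service, without ever sending the password anywhere. Here's an added example of ours in Python (not code from HEAL Security) of the k-anonymity range query used by the Have I Been Pwned Pwned Passwords API: only the first five hex characters of the password's SHA-1 hash are sent, the server returns every hash suffix in that range with its breach count, and the match is done locally. The range response in the block is constructed for the illustration (the counts are invented), and the `fetch_range` function that talks to the real API is included but never called, so the block runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_range_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """The API answers with one 'SUFFIX:COUNT' line per known hash in the
    range. With padding enabled it also returns dummy lines with count 0,
    which must be ignored rather than treated as a hit."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def fetch_range(prefix):
    """Real network call (not exercised here). Add-Padding asks the server to
    pad the response so its size does not leak which range was asked for."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "leak-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the leak corpus (0 = not seen).
    Only the prefix is passed to `fetch`; the suffix never leaves this function."""
    prefix, suffix = sha1_range_parts(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for a range response to prefix 5BAA6. The first line
# carries the real suffix of SHA-1("password"); the count and the other two
# lines are invented, including a padding line with count 0.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_fetch(prefix):
    """Serves the constructed response instead of hitting the network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` and the same `breach_count` call checks a candidate password against the live corpus. The point of the padding line with count 0 is that a real response includes such filler, so a parser that treats "suffix present" as "breached" will raise false alarms.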

What we need are smart systems, like AI, that can see these anomalies and respond to them beyond the standard protective measures. This is the reality of cybersecurity. And for us folks in the Bay Area, healthcare and cybersecurity aren’t just buzzwords. They’re about our safety, our livelihoods, and our connected world. Stay safe out there!

by Morgan Phisher | HEAL Security
