The rise of credential and identity attacks: Why they’re disruptive, devastating, and deceptively simple
Some of the most impactful cyberattacks this year weren’t just destructive, they were also surprisingly straightforward.
From attacks on critical infrastructure like power grids to major disruptions to communication systems, we’re seeing how rising geopolitical tensions can lead to escalating cyber threats. While we often imagine these types of cyberattacks as sophisticated operations involving complex algorithms, the biggest threat is usually something much simpler and all too human: our own credentials.
According to the Cybersecurity and Infrastructure Security Agency (CISA), more than half of attacks on government and critical infrastructure exploit valid credentials. In fact, stolen credentials are tied to 86% of security breaches involving web-based applications and platforms, which includes everything from online retail websites and email services to cloud storage and social media platforms.
The simplicity of credential stuffing
One technique, though far from new or innovative, is particularly popular: credential stuffing. This is where attackers take stolen usernames and passwords and use automated tools to try them out on different websites. Why does this work? Because of our tendency to prioritize convenience over security — most of us are reusing the same username and password over and over again.
Consider the case of genetic testing company 23andMe: In October, attackers executed a credential stuffing attack that affected roughly 6.9 million users. By exploiting reused login credentials from other, unrelated breaches, hackers were able to access user accounts and sensitive information including names, birth years, and genetic ancestry details. The hackers then posted the compromised data to BreachForums, a platform where cybercriminals share and sell stolen information.
While most people know that reusing passwords is a security risk, that’s not stopping them from doing so. According to LastPass, 62% of professionals still use the same password for multiple accounts. This behavior makes credential stuffing an attractive and effective access strategy for attackers — essentially, it’s cybersecurity’s low-hanging fruit.
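As an added illustration (not code from the original post), a small detector for the credential-stuffing pattern just described: many distinct usernames tried from one source in a short window, most of them failing. It runs over constructed authentication log lines; the log format, the field order and the thresholds are assumptions.

```python
# Added example: flag credential stuffing in constructed auth logs.
# Stuffing looks like many *different* usernames from one source with a
# high failure rate (a brute force on one account looks different).
# Thresholds and log format below are illustrative assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src_ip> <username> <result>"
# 203.0.113.7 sprays many usernames; 198.51.100.2 hammers one account.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave SUCCESS
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:00:09 198.51.100.2 alice FAIL
2024-03-01T10:00:15 198.51.100.2 alice FAIL
2024-03-01T10:00:20 198.51.100.2 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources whose
    activity inside one sliding window looks like credential stuffing."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            users = {u for _, u, _ in window_events}
            successes = sum(1 for _, _, ok in window_events if ok)
            if len(users) >= min_users and successes / len(window_events) <= max_success_ratio:
                # Keep the widest spray seen for this source.
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(window_events), successes)
    return flagged
```

The single-account source is deliberately left unflagged: it is a brute-force pattern and would need a separate rule keyed on failures per username.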
“You have a choice: buy expensive zero-days, find a brilliant hacker, or simply reuse credentials you’ve obtained from somewhere else,” Field CISO Andy Schneider said.
And why not? For cybercriminals, it’s a no-brainer. Not only are credentials accessible, they’re inexpensive. Stolen credentials usually come from previous data breaches where databases containing usernames and passwords are compromised. Once in the hands of attackers, these credentials make their way to the dark web and other underground forums, where they are accessible to a broader range of cybercriminals for a relatively low cost.
Even Advanced Persistent Threat (APT) groups, notorious for their sophisticated cyber tactics, often begin with more cost-effective methods like credential reuse. They reserve their arsenal of expensive zero-day exploits for situations where simpler techniques fail to yield results.
The reach of credential stuffing extends even to massive corporations in all industries. This year, high-profile incidents at UnitedHealthcare and PayPal involved tens of thousands of compromised accounts. Even Norton LifeLock, a cybersecurity and identity protection company, fell victim to a credential attack that gave hackers access to customer password managers.
Phishing: Back to basics
Credential stuffing is just the tip of the iceberg when it comes to identity threats. Other popular attack techniques, like phishing and social engineering, also exploit our human nature and oversights in basic security measures.
Take phishing, for instance. It’s as old as the internet, but still manages to catch us off guard. Phishing attacks, often disguised as legitimate communications, trick individuals into revealing sensitive information, such as login credentials and personal data.
“The idea behind phishing is ‘what pretext or what scam can I come up with to get you to interact with me to ultimately lead toward exfiltrating something,’ whether it’s knowledge or your most precious credentials or something in between,” Teradata CISO Billy Spears said on the Code to Cloud podcast.
While phishing might be basic, Artificial Intelligence (AI) has the potential to make these attacks even harder to detect. “I think that AI definitely can enhance the attacks. AI can also help mitigate the risk of phishing. However, you’re gonna need a whole lot more data to really have high degrees of accuracy because remember, AI [consists of] models that push and pull from whatever sources that it’s getting its input from,” he said.
Cloud vs. user credential compromises
To understand the scale of a breach, it’s crucial to distinguish between two types of credential compromises: user credentials and cloud credentials. The implications of these compromises differ significantly in terms of potential damage and required response strategies.
When attackers successfully execute credential stuffing on individual user accounts, the impact, while significant, is generally confined to the compromised accounts. For instance, if a personal email account is compromised, the attacker might gain access to emails, contacts, and potentially leverage this for further phishing attacks. However, the damage is usually contained within the realm of that specific user’s data and privileges.
But a breach involving cloud credentials can have far-reaching and severe consequences. Cloud credentials often have higher levels of access, and attackers leveraging compromised cloud credentials could potentially escalate their privileges. This escalation allows them to access not just the data of a single user, but potentially the data of every user serviced by the cloud infrastructure. A compromised cloud credential can act as a master key, unlocking not just a single door, but an entire building of sensitive data and systems.
The danger of compromised access keys
According to our Lacework Labs team, one of the predominant methods attackers use to breach cloud environments is through leaked AWS access keys found in code repositories. This kind of exposure can occur when developers accidentally include sensitive keys in publicly accessible source code, a mistake that attackers are quick to exploit.
Once they obtain these keys, attackers can use them to gain unauthorized access to AWS resources. In some cases, they go a step further by creating login profiles. These profiles allow attackers to manually access the AWS management console, which provides even broader control over the cloud environment. From here, they can manipulate cloud resources, access sensitive data, or even create new instances for malicious purposes.
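The "leaked key, then console login profile" sequence above is one a defender can look for in CloudTrail. As an added example (not Lacework's code or the post's own), the detector below flags CreateLoginProfile or UpdateLoginProfile calls made by a caller that authenticated with a long-lived IAM user access key (these start with "AKIA", while STS temporary keys start with "ASIA"), which is an API credential being used to mint interactive console access. The records are constructed; field names follow the CloudTrail record format, and all values are made up.

```python
# Added example: detect console login profiles created with a long-lived
# access key, over constructed CloudTrail-style records (values are made up).
import json

CONSOLE_ACCESS_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}

# Constructed sample trail; real records carry many more fields.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T11:02:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIACONSTRUCTEDKEY01"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2024-03-01T11:05:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIACONSTRUCTEDKEY01"}},
    {"eventTime": "2024-03-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ops",
                      "accessKeyId": "ASIACONSTRUCTEDTMP01"},
     "requestParameters": {"userName": "new-hire"}},
]})

def is_long_lived_key(access_key_id):
    # IAM user keys start with "AKIA"; STS temporary keys start with "ASIA".
    return access_key_id.startswith("AKIA")

def find_console_profile_creation(trail_json):
    """Return one alert per console-profile event whose caller authenticated
    with a long-lived IAM user access key (API key used to gain console access)."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventName") not in CONSOLE_ACCESS_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if ident.get("type") == "IAMUser" and is_long_lived_key(key):
            alerts.append({
                "time": rec["eventTime"],
                "action": rec["eventName"],
                "caller": ident.get("userName"),
                "access_key": key,
                "source_ip": rec.get("sourceIPAddress"),
                "target_user": rec.get("requestParameters", {}).get("userName"),
            })
    return alerts
```

The assumed-role record is intentionally not flagged: an administrator onboarding a user through a role is the expected path, whereas a CI key creating a console profile is not.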
Is MFA the answer?
Many security leaders agree that the answer to identity and credential security is well-implemented basic practices, particularly multi-factor authentication (MFA). “If you do the fundamentals right, be it for personal security hygiene or within an organization, you’re going to be mitigating the vast majority of the threats against you,” Upvest CSO Sebastien Jeanquier said on an episode of the Code to Cloud podcast. This includes implementing strong identity controls like passkeys and high-quality MFA methods, he said.
Lea Kissner, CISO here at Lacework, expects to see more phishing attacks until more people begin to use more phishing-resistant MFA like FIDO2, a set of technology standards aimed at reducing the reliance on passwords for online security.
How do we really protect our credentials?
So while MFA is a must, it’s only one piece of the puzzle. What we really need is to be prepared to both prevent and detect threats, which involves implementing smarter habits, and using technology to our advantage.
A big part of that is education. Educating users about the dangers of password reuse and promoting the use of secure password managers can dramatically reduce the vulnerability to such attacks. Strong, unique passwords for each account form a primary defense line against credential compromise.
But truly mastering identity security involves actively reducing identity risk through automation and smart analytics.
“Just having an MFA check in the middle of the day, or at the beginning of the day, does not mean that your identity is now validated for the next 24 hours. We need to be looking at things like user behavior analytics. We need to be looking at things like adaptive authentication… all of those things. There is no silver bullet for identity,” Craig Riddell, Field CISO at Netwrix Corporation said on the Code to Cloud podcast.
Because identity threats are easy to miss, it’s important to actively monitor human and non-human activities in your environment to detect unusual behavior that may be a sign of an attack in progress. This is why companies are turning to security platforms that incorporate artificial intelligence and machine learning to understand user behavior and alert them quickly when something unusual happens.
Why Lacework is unique
Lacework is unique because it goes beyond cloud security platforms’ traditional playbook of supervised machine learning, incorporating instead unsupervised models that can detect anomalies and threats without relying on predefined patterns.
By integrating diverse signals and behavioral patterns, our platform is equipped to identify complex threats, including both sophisticated external attacks and internal risks, which is critical when it comes to compromised credentials. Read our blog for a step-by-step account of how credential compromises can happen and how Lacework uses a unique data-driven approach to both prevent and detect active cyberattacks and stop hackers in their tracks.