The latest IBM® X-Force® Threat Intelligence Index 2024 focuses on a growing area of risk for organizations: the increasing preference for valid credentials as an initial access vector for cyber threat actors. Today, the exploitation of compromised accounts has become as prevalent as traditional phishing attacks, signaling a disturbing shift in the strategy of cybercriminals. This change underscores the critical need to protect login credentials and sensitive data. With the high levels of activity on Dark Web markets, and a reported 266% increase in infostealer malware this year alone, the need for organizations to strengthen their defenses against credential compromise has never been more urgent.
IBM paints a picture of a highly interconnected ecosystem of cybercrime, where the sale of compromised credentials on the Dark Web and the deployment of malware designed to steal login credentials work in tandem. This ecosystem not only facilitates the spread of compromised accounts but also highlights the need for organizations to adopt proactive measures, such as monitoring the Dark Web for signs of their stolen credentials. Additionally, implementing and educating users on the importance of strong passwords can significantly reduce the risk of credential compromise and create a culture of cybersecurity in an organization.
The prevalence of compromised accounts requires security teams to adopt more sophisticated detection and response strategies. Incidents involving valid access through stolen credentials necessitate a nuanced approach, often demanding a greater investment of time and resources than other types of cyber attacks. The prolonged detection and recovery lifecycle of a data breach involving compromised credentials—sometimes extending to nearly a year—poses a significant challenge for organizations in identifying and mitigating threats.
The Strategic Shift in Cyber Attacks
Cyber attacks leveraging compromised accounts have now become as common as, or more common than, phishing attacks, with attackers finding it increasingly easy to exploit already compromised user credentials. The Dark Web is a popular hub for the trade of compromised credentials, with an alarming volume of user credentials for sale. This includes a vast array of login credentials, from cloud account information to sensitive data, making it easy for attackers to masquerade as legitimate users. This year alone, there was a reported 266% increase in malware designed to harvest personally identifiable information, feeding into the cycle of credential compromise and facilitating access to organizations’ networks.
The IBM X-Force report further sheds light on a critical and often overlooked risk: third-party data breaches. These incidents reveal a chain of vulnerability that starts with the initial compromise of an employee’s reused work credentials on an external, third-party website. Such sites, once breached, become the source of stolen credentials that find their way onto the Dark Web. This not only puts the individual’s personal data at risk but also jeopardizes the security of organizational networks and sensitive information.
“In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns.”
-IBM X-Force Threat Intelligence Index 2024, pg 3
The Challenge for Security Teams
The year-over-year data presents a striking 71% increase in the volume of attacks leveraging valid credentials, marking a pivotal moment in cybercrime strategy. For the first time, the abuse of valid accounts has emerged as the most common method for cybercriminals to infiltrate victim environments, accounting for 30% of all incidents responded to by X-Force in 2023. This shift underscores the escalating risk posed by compromised credentials, as attackers increasingly bypass traditional security defenses by masquerading as legitimate users.
Conversely, there was an 11.5% drop in enterprise ransomware incidents, even though ransomware remained a significant concern as the most common subtype of malware deployed on victim networks. This decline reflects a growing resilience among larger organizations, which are increasingly successful in intercepting attacks before deployment can occur. Moreover, a strategic pivot away from paying ransoms and towards rebuilding compromised systems suggests diminishing profitability for attackers relying on encryption-based extortion. With the prevalence of compromised credentials for sale on the Dark Web, many cyberattackers find they can gain access to an organization simply by logging in.
Additionally, we are seeing a rise in data theft and leak incidents, which have become the most common impact for organizations, found in 32% of cases. This trend indicates a strategic shift among cybercriminal groups towards methods that offer direct financial gains through the unauthorized access and sale of sensitive information.
Infostealers: A Growing Concern
The Threat Intelligence Index 2024 has found a significant surge in the deployment of infostealers. With an astonishing 266% upsurge in infostealer-related activities in 2023 compared to the previous year, the community is witnessing a strategic pivot among threat actors. Previously known for their focus on ransomware, these groups are now increasingly turning their attention towards infostealers, with notable new entrants like Rhadamanthys, LummaC2, and StrelaStealer marking their presence with heightened activity.
This shift towards infostealer malware is not just a diversification of tactics but signals a deeper reevaluation of attack strategies, placing a premium on credentials as a key vector for initial access. The adoption of infostealers, often available on the criminal underground as malware-as-a-service, facilitates a broad spectrum of fraudulent activities, from direct financial theft to laying the groundwork for more complex attacks on enterprises by securing initial access through stolen credentials.
The rise of infostealers corresponds with an increasing sophistication in malware delivery methods. Beyond traditional vectors like email, threat actors are now exploiting malvertising through fraudulent Google and Bing ads, deploying fake software downloads that carry infostealers and backdoors, potentially leading to ransomware attacks.
Moreover, the deployment of complex execution chains and the use of living off the land tools compound the challenge for cybersecurity defenses, making detection more difficult for analysts and technologies alike. The credentials obtained through these methods are often trafficked on the Dark Web and end up perpetuating the cycle.
The report also notes a significant rise in “Kerberoasting,” a tactic targeting the compromise of Microsoft Windows Active Directory credentials. This method exemplifies the sophisticated techniques being used to acquire sensitive credentials, further complicating the landscape for security teams.
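Kerberoasting leaves a recognizable trace in Windows Security event 4769 (a Kerberos service ticket was requested): one user account requesting many distinct service tickets in a short window, typically with the legacy RC4-HMAC encryption type (0x17) because its hashes are cheaper to crack offline. The following detection logic is an added example, not code from the report or from IBM; the event records are constructed for illustration, and the field names, the five-minute window and the threshold of five distinct services are assumptions a team would tune to its own environment.

```python
"""Flag a Kerberoasting-like pattern in Windows Security event 4769 records.

Added example with constructed events; not part of the IBM X-Force report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (legacy, crackable offline)

# Constructed sample events (assumed field names; a real pipeline would map
# EventData TargetUserName / ServiceName / TicketEncryptionType / IpAddress).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "user": "jdoe@CORP", "service": "MSSQLSvc/db01.corp", "etype": "0x17", "ip": "10.1.1.20"},
    {"time": "2024-03-01T09:00:03", "user": "jdoe@CORP", "service": "HTTP/intranet.corp", "etype": "0x17", "ip": "10.1.1.20"},
    {"time": "2024-03-01T09:00:05", "user": "jdoe@CORP", "service": "MSSQLSvc/db02.corp", "etype": "0x17", "ip": "10.1.1.20"},
    {"time": "2024-03-01T09:00:07", "user": "jdoe@CORP", "service": "CIFS/files01.corp", "etype": "0x17", "ip": "10.1.1.20"},
    {"time": "2024-03-01T09:00:09", "user": "jdoe@CORP", "service": "ldap/dc01.corp", "etype": "0x17", "ip": "10.1.1.20"},
    {"time": "2024-03-01T09:00:11", "user": "jdoe@CORP", "service": "TERMSRV/jump01.corp", "etype": "0x17", "ip": "10.1.1.20"},
    # Normal activity: a user touching one file server with an AES ticket.
    {"time": "2024-03-01T09:01:00", "user": "asmith@CORP", "service": "CIFS/files01.corp", "etype": "0x12", "ip": "10.1.1.31"},
    # Normal activity: the initial TGS request for krbtgt should never count.
    {"time": "2024-03-01T09:01:10", "user": "asmith@CORP", "service": "krbtgt/CORP", "etype": "0x17", "ip": "10.1.1.31"},
    # Computer accounts (names ending in $) are excluded to reduce noise.
    {"time": "2024-03-01T09:02:00", "user": "WS01$@CORP", "service": "HOST/dc01.corp", "etype": "0x17", "ip": "10.1.1.40"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def is_candidate(event):
    """A request is interesting if it is RC4, not for krbtgt, and not from a computer account."""
    if event["etype"] != RC4_HMAC:
        return False
    if event["service"].lower().startswith("krbtgt"):
        return False
    if event["user"].split("@")[0].endswith("$"):
        return False
    return True


def find_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: sorted distinct services} for users that requested at least
    `threshold` distinct RC4 service tickets inside any `window`-long span."""
    by_user = defaultdict(list)
    for event in events:
        if is_candidate(event):
            by_user[event["user"]].append((parse_time(event["time"]), event["service"]))

    alerts = {}
    for user, requests in by_user.items():
        requests.sort()
        for start, _ in requests:
            services = {svc for t, svc in requests if start <= t <= start + window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(services)} distinct RC4 service tickets: {', '.join(services)}")
```

The krbtgt and computer-account exclusions matter: without them, ordinary logons and machine traffic would trip the rule. A production rule would also baseline which service accounts still use RC4, since every RC4 request is a reminder that the account should be moved to AES and given a long, unique password.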
The Bottom Line
The IBM X-Force Threat Intelligence Index 2024 brings to the forefront the issue of compromised credentials and their role in facilitating unauthorized access to user accounts. While it’s reassuring that ransomware attacks are becoming less of a risk for organizations, the trend of cybercriminals exploiting stolen credentials to execute data breaches highlights a crucial vulnerability within organizations. The rise in compromised accounts reinforces the need for enhanced security measures, including compromised password screening and robust password policies. Understanding and mitigating these risks will be key to protecting sensitive data and maintaining a secure environment.
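Compromised password screening, as recommended above, is usually done with a k-anonymity range lookup: the client hashes the candidate password, sends only the first five hex characters of the SHA-1 hash, receives every breached hash suffix sharing that prefix, and does the final match locally, so the full hash never leaves the client. The code below is an added example, not code from the report or from IBM. It builds the breach index from a constructed list of known-weak strings so it runs offline; in practice `range_lookup` would be the call to a breach-hash service or an internal corpus, and the 12-character minimum is an assumed policy value.

```python
"""Compromised-password screening via a k-anonymity prefix lookup.

Added example with a constructed breach corpus; not part of the IBM X-Force report.
"""
import hashlib

# Constructed stand-in for a breach corpus. A real deployment would hold
# hashes, never plaintext, and would be far larger.
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Welcome1"]

PREFIX_LEN = 5  # hex chars sent to the lookup service; the rest stays local


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form breach-hash lists are usually distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Map hash prefix -> set of hash suffixes, mimicking a range-query backend."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Server side of the protocol (simulated): return all suffixes for one prefix.
    It learns only the prefix, never which password was being checked."""
    return BREACH_INDEX.get(prefix, set())


def is_compromised(password):
    """Client side: split the hash, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix)


def check_password_policy(password, min_len=12):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_compromised(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "CorrectHorseBatteryStaple-2024!"]:
        print(candidate, "->", check_password_policy(candidate) or "ok")
```

The design point is that screening and policy are independent checks: a long password that has already leaked is still rejected, and a short password is rejected even if it has never leaked. Screening should run at password creation and change, and periodically against newly published breach data, since a password that was clean last year may be on the Dark Web today.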