Updates from Enzoic’s Threat Research Team
As the year’s end approaches, we’ve been taking a moment to review the changes and trends in the cybersecurity landscape over the past twelve months. It’s been a banner year to be a compromised credential data collector, which means a lot of work if you’re a cybersecurity professional, or a lot of money if you’re a cybercriminal. Unfortunately, the compromised credential market is better than ever, thanks to infostealer malware, data breaches, and the uncontested popularity of compromised credentials as an entry vector for many types of attacks across many types of attack surfaces.
Cybercrime often carries the popular perception of complex programming conducted by misanthropic, hoodie-wearing geniuses, or teams of foreign adversaries with futuristic equipment. While there certainly are brilliant criminal programmers out there, the reality of most cybercrime is closer to the small-time opportunism of checking car doors, shoplifting, or classic street scams. But compromised credentials remain one of the top entry vectors for a wide array of cyber attacks, and despite the simplicity, users and organizations aren’t doing much to stop them. While we as users bear responsibility for our password choices, we also need to demand better security practices and services from the corporations and service providers we use online. If it’s cheaper to absorb the costs of fraud than to pay for password monitoring, most companies won’t think twice before putting profits over people.
Google has shown themselves to be a leader in user protection by screening passwords saved in the Chrome browser against databases of compromised credentials, and alerting users directly if their information was found in a breach. Imagine if your bank, streaming video services, and email providers all did this too. Perhaps we could finally make a dent in the 9 trillion dollars that cybercrime is projected to cost the world this year. Because really, we the users and consumers are the ones who ultimately pay the price, some directly through theft and victimization, and some indirectly through the increased costs of products and services as organizations absorb the costs of fraud and higher insurance premiums.
The exact numbers aren’t in yet; we still have another couple of weeks in December, and analyzing and reporting on the year’s events will undoubtedly take a while. But we can take a look at a few data points, and discuss some of the issues that we will continue to confront in 2025.
First up, healthcare. The health industry has found itself both targeted by and susceptible to cybercrime. From the criminal’s perspective, it’s a lucrative venture: hospitals and providers collect huge amounts of personal data that can be stolen for the purposes of fraud, identity theft, and phishing. Hospitals are also susceptible in that they deal with highly urgent problems, and thus can be induced to quickly pay exorbitant amounts when infected with ransomware in order to resume normal operations as quickly as possible. Who can blame them? Unfortunately, this willingness to pay has made them notoriously profitable victims for ransomware operations.
At this point, nearly everyone in the US has probably been affected in some way by a health data breach, whether they know it or not. The US Department of Health and Human Services is required to post a list of all breaches of protected health information that have affected 500 or more people. So far in 2024 alone, that’s 474 breaches caused by “Hacking/IT”, affecting 153,395,773 people. Many others were affected in the Change Healthcare breach back in February, which was attributed to compromised credentials. It affected millions of people’s ability to get their prescription medication, and earned cybercriminals a cool $22 million in ransom money.
Next up, infostealers. Their prevalence has been increasing for a while now, and it’s fueling an absolutely incandescent compromised credential trade. The 2024 IBM XForce Threat Intelligence Report says that use of infostealers increased 266% in 2023, and given the data volumes we’ve seen during 2024, we’re likely on track for an even larger increase this past year. We’ve written about why infostealers are particularly dangerous before, and the cybercriminal feeding frenzy for this data confirms it. It probably bears repeating: even if you’re not personally infected with an infostealer, your and your organization’s risk is elevated as well. Password re-use is extremely common, and the chances are pretty good that someone, say, at your company uses the same password for work-related things as they do on their infostealer-infected home computer (or saved work-related passwords on their personal computer). Since all it takes is one account for a cybercriminal to gain access, the odds are pretty strong in their favor, and threat actors have plenty of tools to automate credential stuffing attacks. Also, the chances are high that someone out there has used the same password you do (unless you use randomized passwords for each account), and this means that threat actors may be able to guess your password more easily, or ‘crack’ it if they gain access to the password hashes stored in an authentication database.
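The screening Google does for Chrome-saved passwords (above) and the re-use risk just described both come down to one defensive check: compare a candidate password against a corpus of known-compromised credentials before accepting it. The following is an added illustration, not Enzoic’s or Google’s code; it assumes a corpus stored as SHA-1 digests bucketed by a 5-hex-character prefix (so only that prefix would need to leave the client if the corpus were a remote service), and the breached passwords in it are constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample corpus standing in for a real compromised-credential
# database. Real corpora are distributed as hashes, not plaintext; we hash
# these at startup only so the example is self-contained.
SAMPLE_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Winter2024!", "letmein"]

MIN_LENGTH = 8  # assumed policy minimum, on top of the breach check


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the usual key format for breach corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(plaintexts: Iterable[str]) -> Dict[str, Set[str]]:
    """Bucket digests by their first 5 hex chars (assumed range-lookup layout)."""
    corpus: Dict[str, Set[str]] = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        corpus.setdefault(digest[:5], set()).add(digest[5:])
    return corpus


CORPUS = build_corpus(SAMPLE_BREACHED_PASSWORDS)


def is_compromised(password: str, corpus: Dict[str, Set[str]] = CORPUS) -> bool:
    """True if the password's digest appears in the corpus.

    The 5-char prefix selects a bucket; the remaining 35 chars are matched
    locally, so a remote corpus never needs to see the full digest.
    """
    digest = sha1_hex(password)
    return digest[5:] in corpus.get(digest[:5], set())


def validate_new_password(password: str,
                          corpus: Dict[str, Set[str]] = CORPUS) -> Tuple[bool, str]:
    """Password-set-time policy: reject short or known-compromised passwords."""
    if len(password) < MIN_LENGTH:
        return (False, "too short")
    if is_compromised(password, corpus):
        return (False, "found in compromised-credential corpus")
    return (True, "ok")
```

The same check run at login time (rather than only at password-set time) is what lets a service alert users whose existing password later shows up in a breach.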
A main reason for infostealers’ success is likely rooted in the malware-as-a-service model, much like the widespread success of SaaS in the legitimate software market. This makes the malware accessible to a huge range of threat actors with a wide variety of technical abilities, so the actual dissemination of the malware becomes a highly varied and distributed effort that doesn’t take any single form. The developers of infostealers also include features that can disable certain anti-malware protections like Windows Defender, and constantly release new versions that may not be caught by even the latest antivirus definitions. In short, fast evolution and a distributed, diverse deployment model make these adaptable and incisive pieces of malware.
There’s certainly much more to talk about in a cybersecurity retrospective: the various state-backed threat actors, cyberattacks against US water infrastructure, the ‘Snowflake’ breaches, supply chain attacks… the list goes on. But we’ll wrap up here by just touching on something that I’ve had a few questions about over the past year: quantum computing. While it’s not a consumer reality yet, or likely very close, awareness seems to be growing, and with it concerns about cybersecurity. It is true that our experience of the internet and its myriad services is reliant on classic encryption schemes like RSA and elliptic curve cryptography, which could be rendered obsolete by the availability of quantum computers. However, scientists, mathematicians, and researchers have been working on this problem for a while, and post-quantum cryptography (PQC) algorithms have already been rolled out for some major platforms, like Apple’s iMessage and the messaging app Signal. Quantum computing will undoubtedly bring with it some security challenges, but in the approaching new year, compromised credentials will remain one of the most pressing threats to our cybersecurity.