The Verizon 2022 Data Breach Investigations Report revealed that an alarming percentage of attacks last year were caused by threat actors using a very simple tool: stolen credentials.
While a rise in ransomware was the focus of the 15th annual report, enterprises also struggled to secure credentials and exposed web applications, patch vulnerabilities and properly configure security controls. Those common mistakes led to big consequences.
One commonality among the more than 20,000 security incidents and 5,212 confirmed data breaches was the use of stolen credentials, which accounted for nearly 50% of attacks and was present in third-party breaches, phishing attacks, basic web application attacks (BWAA) and system intrusions.
“There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years,” the DBIR read.
Though it’s difficult to know exactly where a breach started, Alex Pinto, team manager at Verizon DBIR, told SearchSecurity that focusing on credentials as an initial vector can be helpful. Keeping track of stolen credentials, however, is less straightforward. One example Pinto provided was a phishing attack where the attacker obtained a credential but did not use it immediately.
“Which of course makes people forget that there was a successful phishing, or they didn’t see it, more likely because [the threat actor] didn’t change the password. Those passwords become available for use later,” Pinto said.
Protect exposed instances
The tactic of using stolen credentials was particularly persistent in BWAA, which the DBIR team defined as an actor “directly” targeting exposed instances, such as web servers and email servers. They also referred to it as a “low-cost, high-pay-off strategy,” which is attractive to an array of attackers.
That might account for why more than 80% of the breaches in that category were attributed to stolen credentials and why it remains a problem today. One recent example occurred this month when DeadBolt ransomware operators targeted QNAP’s exposed network-attached storage devices.
Another danger highlighted in the report is the lack of additional actions threat actors need to take once initial compromise of a web app is successful. Because of that, the DBIR team referred to web app attacks as a “get in, get the data and get out” pattern.
Pinto said the use of stolen credentials is almost exclusively the vector for these types of attacks, and if an enterprise suffers from a BWAA, it should definitely make securing credentials a top priority.
“It’s not that someone has a zero-day [vulnerability] from Microsoft. You can only really get in with a credential,” he said.
This method might even be popular among nation-state actors, based on more than 20% of BWAA breaches being attributed to cyberespionage campaigns, according to the report. “If the front door has a weak lock there is no reason to develop a complicated polymorphic backdoor with a fast flux network of C2 servers,” the report said.
However, the vast majority of web app attacks were financially motivated. Threat actors also exploited vulnerabilities to gain initial access prior to a web application attack, though that accounted for a small percentage compared with the use of stolen credentials.
Window of exposure closing in on flaws
The Verizon DBIR also highlighted a rise in vulnerability exploitation in 2021. The report noted that exploit vulnerability, which the DBIR team classified as an action variety, had both highs and lows last year.
“The action variety of Exploit vulnerability is up to 7% of breaches this year, doubling from last year,” the DBIR read.
Pinto attributed the rise to threat actors’ increased level of automation, which he referred to as “scary.” One way to minimize the risk is to secure open ports, since actors initiate this attack by scanning for them, and to block potentially malicious IPs.
“Within hours of a vulnerability being published, or a CVE being public, you’ll have some bots going through figuring out if the port is open, and then another one will try and see the version of the software that’s vulnerable, and the third goes there and tries to exploit the vulnerability,” Pinto said. “The turnaround is quick.”
On the other hand, the report offered some positive news: The DBIR team said vulnerability remediation speed and completeness have increased over the last six years. “We’re patching more and we’re patching faster,” the DBIR read.
One area that has not shown much improvement is misconfigurations, particularly related to cloud instances. Verizon noted that in 2015, the majority of user errors were classified as misdelivery of media assets, such as sensitive documents, while misconfigurations accounted for less than 10% of breaches. But that breakdown began to shift more recently.
“The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls,” the DBIR read. “Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), these errors persist.”
In 2021, misconfigurations and misdeliveries accounted for roughly the same percentage of breaches at approximately 40%. Nearly all of the 715 incidents analyzed by the DBIR team were confirmed to involve data exposure, most often personal data.
Securing the supply chain
Another top takeaway for Pinto was related to the SolarWinds breach in 2020 that affected high-profile victims including government entities. The attack, which took advantage of the commonly recommended security measure of updating software, was a cautionary tale of supply chain risks.
Pinto said that one big change in the 2022 DBIR was mostly due to SolarWinds and the deluge of incidents entered into the database from organizations that suffered an incident but not a full-blown data breach.
“It means that a very large number, 61% of system intrusion instances we had, stemmed from supply chain breaches. But actually, it was just from one supply chain breach: SolarWinds,” Pinto said.
The level of threat actor automation Pinto mentioned was also present in the SolarWinds attack, where backdoors were hidden in automatic updates for Orion IT management software.
“There was a lot of fallout from the SolarWinds breach where thousands of companies had a specific botnet callback installed on their environment from the update that was tampered with. These things were beaconing out, and if you didn’t do a good job of limiting access to your servers, there was potentially a way that threat actors could get in,” Pinto said.
While one significant supply chain attack affected the data of the Verizon 2022 DBIR, Pinto said they did not observe anything that suggests an overall increase in these types of supply chain attacks. The DBIR team did not see many attacks outside of SolarWinds, which Pinto took as a sign that organizations are taking the threat seriously. There’s increased pressure on vendors, he said, to improve work around securing their own estate and how it extends to third parties.
It is an area that the DBIR team will keep an eye on, Pinto said.
“We want to be able to tell over the years, now that it is on the forefront and there are real-life impacts that were proven by the SolarWinds attacks, that this is very much a thing people should be tracking and people should be concerned about,” he said. “We want to make sure if a shift happens, if it becomes really popular, then it’s something we can highlight for the future.”