Many of us are fond of collecting things, but not everyone is excited about Collections #1-5. In 2019, these Collections, composed of ca. 932 GB of data containing billions of email addresses and their passwords, made their way around the Internet. These collections weren’t breaches but compilations of emails and passwords that had been gathered. Even after repeat entries were whittled down, the collection still contained billions of distinct address and password combinations.
While it’s impossible to tell exactly where they all came from, some of the larger known data sets in these enormous files came from the Dropbox (2016), LinkedIn (2012), Yahoo! (2013/2014), and Adobe (2013) breaches.
Why should we pay attention to these and other breaches, especially when the passwords are hashed? Can’t one just reset the password and be done with it? Resetting passwords is not the issue. The problem is when the same password is associated with more than one account. Password reuse makes credential stuffing different from brute force – the criminal has a set of already-breached credentials and doesn’t have to guess at the password. Using rainbow or hash tables, criminals can determine the hash of the password. Attackers also know that many people reuse their passwords. The danger is not just accessing someone’s account; it’s being able to access other valuable personal accounts that use the same credentials.
5 Stages of an Attack
Michael Isbitski with Salt Security presents a great overview of credential stuffing including its stages. Here’s a summary of my own version of the five stages.
In this stage, the criminals gather credentials. These might have been gained from breaches they conducted themselves, from collections bought online, or just downloaded from one or more sets of publicly available repositories. Additional items gathered during this stage are APIs, URLs, domain names, and other Internet-facing resources (e.g., web servers). An important aspect of security and IT is knowing that the tools that make our job easier can also make life easier for criminals. Maltego, Shodan, Kali, et al. are used by all.
The attackers collate the inputs and prepare the tools for their invasion. “Automate all the things” is a common phrase not lost on the attackers. Bad guys calculate budgets and ROI, too. Whether scripting their own tools or using commercial tools, the utilities automate account and vulnerability discovery, helping the attackers search for sites, domains, and any other endpoints that could be vulnerable.
Tool selection and configuration could include the ability to evade various defenses (e.g., CAPTCHA), hide or spoof the origin address, or otherwise craft the method of attack based on the target’s defenses (e.g., control the timing based on rate limiting). This is the stage when the attacker designs something similar to a botnet – valid proxy services, multiple locations of the tool, and bots that will spread the attack load. This achieves two goals. First, it fools defenses that are monitoring for lots of traffic originating from a single IP or a narrow range of addresses. Second, it accelerates the attack. Read more: https://bit.ly/3qmA0lI