Cyber attackers are coming up with more convincing ways to steal user credentials, according to the latest quarterly cyber threat report from security firm Rapid7.
Credential theft, reuse and subsequent suspicious logins are the most commonly reported significant incidents across both small and large organisations, the report said.
Adversaries can gain remote access by using legitimate credentials to log in to third-party services such as Dropbox, Microsoft Office365, DocuSign and a variety of other services that organisations use regularly for business operations, the report warns.
These credentials can be exposed in several different ways, including guessing, brute-force attacks, credential leaks or phishing campaigns designed to trick users into entering their credentials.
“Once credentials are obtained, an adversary could then log in to the service as if they were the user. In some cases the login activity would be flagged as malicious if it comes from a suspicious location, such as foreign countries that the organisation does not do business in, but stealthy adversaries will find ways to blend in with normal login traffic, making it harder to identify their activity,” the report said.
Data shows that adversaries attempted to steal credentials from employees at larger organisations at nearly three times the rate of smaller organisations, but much of that is likely due to the number of employees available to target, the report said.
Attacks exploiting SMB vulnerabilities continue to define the “new normal” level of background malicious behaviour around Windows networking, the report said, while attacks exploiting SMI (Cisco Smart Install) vulnerabilities are shaping this relatively new attack vector targeting core router infrastructure.
The report underlines the importance of not exposing SMI (port 4785) on the public internet. In reality, the report said, organisations should expose port 4785 only on an internal, isolated network management subnet, if at all.
Industry attack trends
In terms of industry cyber attack trends, the report shows a continuing shift away from a primary focus on the financial, professional and administrative industries during the first quarter, as adversaries look to other industries holding valuable data. Activity against the healthcare sector increased sharply, making it the top-targeted industry for the period.
Healthcare also holds a great deal of sensitive data, both financial and personally identifiable information, that attackers have clearly shown they are interested in stealing, the report said.
The healthcare sector has been a desirable target for adversaries for some time, the report said, with attacks increasing since at least 2015. Attackers are exploiting complex, distributed IT infrastructures with difficult-to-patch legacy systems and proprietary medical devices, which make them difficult to secure quickly.
Healthcare systems also typically rely on system availability to keep operations running, and adversaries have frequently targeted that availability using tactics such as ransomware or telephonic denial of service attacks to overwhelm critical phone lines, the report said.
In addition to healthcare, the report said there was an increase in cyber attack activity against construction, manufacturing and wholesale business operations, but data shows that adversaries are currently focusing heavily on only a few attack vectors against these industries.
Although threat movement and remote entry remained the top incident types, the report said the first quarter of 2018 saw a large increase in dangerous user behaviour. This includes users visiting malicious sites or installing and running questionable software, especially in large organisations, where dangerous user behaviour accounted for 35% of incidents in the quarter, up from 12% the previous year.
While dangerous user behaviour increased this quarter across all organisations, the report said remote entry attempts went down for larger organisations and increased for smaller organisations.
In the first quarter of 2018, the report said, there were several vulnerabilities disclosed that allowed remote access, including Cisco Smart Install; several campaigns targeting exposed systems, such as GoScanSSH; and the continued use of EternalBlue, which exploits SMB vulnerabilities, in ransomware campaigns.
“It is critical that all organisations, both large and small, identify exposed systems to ensure that they are up to date on patches and close any ports unnecessary for normal production activities,” the report said.
The report lists the top four significant incident types in the first quarter as suspicious logins, phishing, malware on system and illicit cryptocurrency mining.
The significant number of suspicious logins correlates to the large number of remote entry alerts identified throughout the quarter, and also ties in to the second-highest threat identified: phishing, the report said.
The majority of phishing in the quarter involved sending users to sites mimicking authentication pages, designed to steal users’ credentials and subsequently enable attackers to log in to the network.
In the light of the report’s findings, Rapid7 researchers recommend that organisations:
- Keep track of normal user behaviour to prevent credential-based breaches;
- Check that they are not running memcached servers that add to the pool of servers abused in DDoS attacks;
- To block SMB attacks, ensure that both inbound and outbound connection attempts to port 445 are blocked, at least at the perimeter and ideally anywhere else that Windows networking does not need to cross network segments;
- Reduce the likelihood of Cisco Smart Install (SMI) attacks by blocking any access to port 4785.
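One way to act on the first recommendation, and on the report’s point that stealthy adversaries blend in with normal login traffic: build a per-user baseline of where and when logins normally happen, then flag new logins that deviate from it. This is an added example, not code from the report or the article; the sample login records, the set of countries the organisation does business in and the two-hour tolerance are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real log data: (ISO time, user, country, service)
BASELINE_LOGINS = [
    ("2018-03-01T09:05:00", "alice", "GB", "office365"),
    ("2018-03-02T09:12:00", "alice", "GB", "office365"),
    ("2018-03-05T08:58:00", "alice", "GB", "dropbox"),
    ("2018-03-01T10:30:00", "bob", "IE", "office365"),
    ("2018-03-03T11:02:00", "bob", "IE", "docusign"),
    ("2018-03-06T10:45:00", "bob", "GB", "office365"),
]
NEW_LOGINS = [
    ("2018-04-02T09:10:00", "alice", "GB", "office365"),  # matches baseline
    ("2018-04-02T03:40:00", "alice", "GB", "dropbox"),    # blends in by country, odd hour
    ("2018-04-03T09:20:00", "bob", "US", "docusign"),     # country the org has no business in
    ("2018-04-03T09:30:00", "carol", "GB", "office365"),  # user with no history at all
]

# Assumption: the organisation only does business in these countries.
BUSINESS_COUNTRIES = {"GB", "IE"}
HOUR_TOLERANCE = 2  # assumption: how far from usual hours still counts as normal


def build_baseline(events):
    """Per-user record of the countries and hours of day seen in normal activity."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, _service in events:
        profile[user]["countries"].add(country)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def flag_login(event, profile, business_countries=BUSINESS_COUNTRIES):
    """Return the reasons a login deviates from the baseline (empty list = looks normal)."""
    ts, user, country, _service = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in business_countries:
        reasons.append("country outside business footprint")
    known = profile.get(user)
    if known is None:
        return reasons + ["no baseline for user"]
    if country not in known["countries"]:
        reasons.append("country never seen for this user")
    # A login that blends in geographically can still stand out by time of day.
    if not any(abs(hour - h) <= HOUR_TOLERANCE for h in known["hours"]):
        reasons.append("outside user's usual hours")
    return reasons


def triage(new_events, profile):
    """Keep only the logins that need review, keyed by (user, time)."""
    flagged = {}
    for event in new_events:
        reasons = flag_login(event, profile)
        if reasons:
            flagged[(event[1], event[0])] = reasons
    return flagged
```

Running `triage(NEW_LOGINS, build_baseline(BASELINE_LOGINS))` returns three of the four new logins, each with the reasons it was flagged; only the first login looks normal.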