Mar 5, 2024 - Technology

Stolen passwords are a hacker goldmine now

Illustration: Shoshana Gordon/Axios

Hackers increasingly rely on legitimate user accounts over malware to break into some of the biggest companies.

Why it matters: Finding someone's password or authentic browser session tokens is pretty easy on the dark web thanks to a growing dark-net market where hackers buy and sell information stolen from years of data breaches.

  • Hackers using stolen user accounts to exfiltrate data from a company's network can more easily disguise their activities — averting detection from traditional cyber monitoring tools.

Driving the news: CrowdStrike and IBM both released reports late last month detailing how malicious hackers are relying more on passwords in their schemes.

  • IBM's incident response team saw a 71% increase in the number of attacks relying on valid login credentials in 2023 compared with 2022.
  • The total number of advertisements from access brokers — who sell passwords, session tokens and other ways to break into a company — jumped nearly 20% in 2023 from the year before, CrowdStrike's report found.

What they're saying: "To see a 70-percent swing, that's an industry wake-up call," Charles Henderson, global head of IBM's X-Force threat intelligence team, told Axios.

  • "We've been saying for 20 years that, 'Hey, passwords are bad, we should be using multifactor authentication,' and you're seeing that come home to roost," he added.

The big picture: Stolen account sessions and legitimate passwords were the root cause of several high-profile attacks in 2023.

  • In November, hackers broke into Microsoft's networks via a password-spraying attack. They eventually gained access to top executives' inboxes.
  • Hackers used a similar technique to breach genetic testing company 23andMe in the fall and steal 6.9 million people's personal data.
  • Identity management companies like Okta and LastPass have become prime targets for hackers in recent years too.

Zoom in: Both government hacking teams and financially motivated cybercriminals are turning to login credentials and session tokens.

  • IBM noted that the LockBit ransomware gang has attempted to purchase source code for a popular infostealer — a type of malware that hackers use to steal login credentials and session tokens.
  • CrowdStrike found in its report that Russian military hackers had developed their own tools to mine login credentials from Yahoo Mail and other email providers.
  • Russian intelligence hackers also conducted a phishing campaign to collect multifactor authentication tokens from Microsoft 365 accounts, CrowdStrike noted.

The intrigue: The heightened reliance on login credentials has also prompted a wave of cloud intrusions, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told Axios.

  • CrowdStrike saw a 75% increase in the number of cloud intrusions in 2023.
  • "A threat actor simply has to compromise the identity of a legitimate user and then move into the cloud environment," Meyers said.
  • From there, hackers can deploy malware or other tools directly from the cloud interface, he said, and the intruders look like legitimate users while doing so.

The bottom line: Implementing a zero-trust security framework inside a company can help to ensure hackers don't have access to privileged information once they break in, the reports advise.

  • Employees should also be mindful of how frequently they're reusing passwords across accounts.