Detecting Credential Stuffing Attacks and Lateral Movement
Logins are a necessity. Our usernames and passwords help us get our work done, shop, and connect with friends and family. Unfortunately, login credentials frequently get stolen. In 2019, there were billions of credentials exposed in data breaches. Stolen credentials are fueling the underground economy and enabling credential stuffing attacks. I personally have had my credentials stolen from doing business with over 20 different organizations. I’ve just come to accept it’s a way of life and have set up measures to protect myself and my family.
What is credential stuffing?
Credential stuffing is a form of brute force attack. It’s a favorite among attackers as it takes little effort for a potentially big payoff. Cybercriminals usually get access to stolen login credentials by purchasing a list from the dark web. They then use the stolen information for illicit activities, including account takeovers, phishing, spam and even crypto mining.
Counting on users reusing usernames and passwords, attackers will use bots and automated logins to test the stolen credentials against several websites to gain access. Recently, attackers used a combination of an account checker bot and breached data to identify and take over vulnerable Nintendo user accounts. Similarly, cybercriminals used credential stuffing bots to steal about half a million Zoom user accounts, which were then sold on a dark web forum.
In the case of a recent GE security incident, the credentials and sensitive information (including driver’s licenses and passports) of current and former employees and beneficiaries were exposed by a data breach at Canon Business Process Services, a third-party service provider for GE. While GE and Canon haven’t disclosed details of how the breach occurred, the information provided seems to indicate that it was likely accomplished using a standard credential phishing attack or through credential reuse on another site.
Nation-state attacks usually involve stolen credentials as well. State-sponsored Russian hackers were recently responsible for taking users’ login credentials after they breached two San Francisco International Airport websites. In this case, the targeted information was not the visitors’ credentials to the compromised websites, but the visitors’ Windows credentials.
Credential stuffing and lateral movement
Credential stuffing provides attackers with the means to impersonate valid users, making it easy for them to execute lateral movement attacks. Lateral movement refers to techniques cyber attackers use to progressively move through a network, searching for targeted critical data, gaining advanced user privileges and exfiltrating protected assets. Attackers perform reconnaissance to find weaknesses and search for targeted data, including financial and personally identifiable information (PII), and use stolen credentials to elevate their privileges.
Attackers aren’t concerned with being detected, as mimicking user identities is extremely difficult for administrators to catch. Also, most organizations don’t have the staff, tools, or bandwidth to detect unusual activities among users. Lateral movement combined with account switching (using a different account when targeting a different host) is even more challenging to detect. Without the advantage of machine learning, malicious activity by attackers can be overlooked. For example, humans will likely not realize that suspicious activity by one user identified as an HR manager and activity by an administrator are two separate pieces of the same attack in the network. Without the understanding that both activities are related, because the attacker posing as the HR manager has elevated to administrative privileges, security analysts will miss the correlation, and their response will most likely be incomplete. Legacy SIEMs will fire an alert based upon a correlation rule (static rule) for each event, but without context, neither the system nor the analyst knows to “tie them together.” Analysts who rely on this alert-based workflow are oblivious to the work that is being done right under their noses.
Credential stuffing attackers often hide their tracks, further complicating detection. In the case of the Zoom breach, attackers used multiple bots to avoid the same IP address being spotted checking multiple Zoom accounts. A credential stuffing attack can also mimic the geographic information of users trying to log in legitimately. For example, if an organization has employees working remotely from a different country, the attacker can make it look as if the logins are coming from that country.
How UEBA detects credential stuffing and lateral movement
User and entity behavior analytics (UEBA) can identify a legitimate user account exhibiting anomalous behavior by using behavioral profiling and analysis to provide insights. It uses automated anomaly detection to alert security teams about suspicious behavior, by comparing users to their own normal behavior or to the behavior of their peers (e.g., individuals in the same department), or by comparing IT systems and networks to their normal behavior.
UEBA can also view multiple systems as a whole and identify the anomalous activity as it moves laterally across the network. UEBA stitches together both normal and abnormal behavior for every user, machine, and asset on a network. It automatically baselines normal behavior, so it becomes easy to detect deviations. Previously, we noted that legacy SIEM solutions could not tie together what appeared to be two separate pieces of the same credential stuffing attack. With UEBA, the events that previously appeared to be isolated events are immediately visible to the analyst as a single attack campaign.
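The following is an added illustration (not Exabeam’s product code or from the original post) of the two ideas above: flagging a source that fails against many distinct accounts as a credential stuffing bot, baselining each account’s normal login paths so an unseen path stands out, and then stitching anomalies that chain host to host, even across different accounts, into one campaign. The events, hostnames, thresholds and the path-based baseline are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample authentication events (not real data): (time, user, src, dst, success)
HISTORY = [
    (1, "hr_manager", "ws-17", "hr-app", True),
    (2, "hr_manager", "ws-17", "mail", True),
    (3, "admin", "jump-01", "dc01", True),
    (4, "admin", "jump-01", "fileserver", True),
]
RECENT = [
    (10, "alice", "203.0.113.9", "vpn", False),
    (11, "bob", "203.0.113.9", "vpn", False),
    (12, "carol", "203.0.113.9", "vpn", False),
    (13, "dave", "203.0.113.9", "vpn", False),
    (14, "hr_manager", "203.0.113.9", "vpn", True),  # a stuffed credential worked
    (15, "hr_manager", "vpn", "fileserver", True),    # path never used by this account
    (16, "admin", "fileserver", "dc01", True),        # account switch on the next hop
]

def baseline(events):
    """Per-account set of (src, dst) paths seen in successful historical logins."""
    profile = defaultdict(set)
    for _, user, src, dst, ok in events:
        if ok:
            profile[user].add((src, dst))
    return profile

def stuffing_sources(events, min_users=4):
    """Sources that failed against at least min_users distinct accounts: a bot, not a typo."""
    tried = defaultdict(set)
    for _, user, src, _, ok in events:
        if not ok:
            tried[src].add(user)
    return {src for src, users in tried.items() if len(users) >= min_users}

def anomalous_logins(events, profile):
    """Successful logins over a (src, dst) path the account has never used before."""
    return [e for e in events if e[4] and (e[2], e[3]) not in profile.get(e[1], set())]

def stitch(anomalies):
    """Chain anomalies whose source is the destination of an earlier anomaly, regardless
    of account, so an HR login and a later admin login become one campaign."""
    campaigns = []
    for ev in sorted(anomalies):
        for chain in campaigns:
            if ev[2] == chain[-1][3] and ev[0] > chain[-1][0]:
                chain.append(ev)
                break
        else:
            campaigns.append([ev])
    return campaigns
```

A per-event rule would raise three unrelated alerts here; `stitch` returns a single campaign spanning both accounts, which is the correlation the text says legacy SIEMs miss.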
How to protect yourself from credential stuffing
To help organizations protect themselves and their users from credential stuffing attacks and account takeovers, SpyCloud offers the following advice:
- Educate users about security hygiene, including password security.
- Align with password security guidelines from the National Institute of Standards and Technology (NIST).
- Constantly monitor user credentials for weak or stolen passwords (including employees, consumers, and third parties).
- Enforce the use of multifactor authentication (MFA) everywhere.
In addition to the measures proposed by SpyCloud, organizations can use tools such as CAPTCHA to differentiate real users from credential stuffing bots.
As credential stuffing is easy for cybercriminals to perform, its popularity continues to grow. Organizations need to take these preventive measures and continuously monitor user behavior using UEBA capabilities such as those from Exabeam. To learn more, read our white paper “Detecting Compromised User Credentials.”
Look out for our next post on the future of credentials and passwords.