Why stolen credentials continue to work even where MFA is in place
For many organizations, compromised usernames and passwords feel like yesterday’s problem. Multifactor authentication is standard, security training is routine, and credential theft is often seen as a low-priority risk. Yet this confidence is increasingly out of step with how attackers operate today.
A large portion of today’s credential abuse begins with infostealer malware. These programs silently gather much more than just login credentials from infected computers.
Data from browsing histories, autofill details, saved session elements, financial information, and system identifiers are combined into what are normally termed ‘stealer logs’. To attackers, these logs provide a full picture of a user’s digital existence, packaged in a format that is simple to trade, sell and put to use.
Principal Cybersecurity Researcher at Flare.io.
The scope of this data is what makes stealer logs so effective. Rather than guessing at how a user might authenticate or act, attackers can copy it. Session cookies, specifically, enable malicious actors to pose as users who have already completed authentication, occasionally avoiding further security measures completely.
The outcome is access which seems valid, acts normally, and is hard to tell apart from routine activity.
This is not something to be disregarded.
Recent research from Flare and Socura indicates that the exposure of credentials is common, even in the case of the biggest companies in the UK. In excess of 460,000 credential leaks have been traced to company email addresses belonging to businesses on the FTSE 100, and some of those businesses have had as many as ten thousand exposures circulating without their knowledge.
Critically, a large amount of this information came from logs made by infostealer malware, not from direct attacks on company systems.
Campaigns like the Snow infostealer operation show this in reality. Spread through a pirated copy of Microsoft Office 2022, the malware stole passwords, browser data and session cookies from victims in many countries and in several languages.
This was then collated and offered for sale to third parties, giving criminals access which they could either use immediately, or sell on to others in large quantities.
Dangers of conflating professional and personal
The risks to an organization are increased by the way corporate identities are used outside of the workplace.
When employees register work email addresses on personal services such as social media, consumer applications, or unvetted sites, they increase the likelihood that the address will be exposed when one of those services suffers a data breach.
A breach on a personal forum or third-party service can reveal a corporate identity, and if passwords are reused, attackers gain an easy route back into corporate systems.
Device usage further complicates matters. Personal computers frequently contain consumer software, pirated applications, or downloads from dubious origins.
These are common delivery methods for infostealer malware. If a user has ever logged into a work account from such a device, those credentials and session details could already be captured, awaiting exploitation.
Although these risks affect employees at all levels, executive and C-suite accounts are particularly valuable. Top-level managers generally have broad access and organizational power.
Compromising one of these accounts enables business email scams, fraudulent payment requests, or access to confidential, proprietary information; none of these attacks require complex technical intrusion. In this scenario, trust is the most potent exploit.
Simplicity does not equate to security
Although still a vital protection, multi-factor authentication isn’t foolproof. When a user successfully logs in and completes an MFA challenge, the website assigns that user a cookie to keep them authenticated. By importing a stolen cookie, an attacker can effectively trick a website into thinking they have already authenticated and bypass MFA entirely.
A further difficulty is that many present-day security measures are created to make things simpler for users, and fail to examine what users do after they’ve logged in. After a user’s identity is confirmed, their subsequent activity is very often assumed to be legitimate.
Criminals exploit this by working steadily and carefully, fitting in with what is usual, instead of setting off clear warnings. The access context captured alongside stolen credentials lets them sign in at the times a user would be expected to, from the places the user normally would, and with devices or browser settings that are already recognized.
This blending in means that even systems which log everything thoroughly may not identify harmful actions until the real harm has occurred.
This exposes a larger flaw in the standard way cybersecurity works, which rests on the premise that somebody who has legitimately authenticated once will continue to act legitimately for the rest of the session.
Their trustworthiness is not rechecked. In reality, identity should be assessed dynamically, taking into account behavior, context, and risk throughout a session. Without this shift, organizations remain vulnerable to attackers who simply inherit a trusted identity and use it as intended, just with malicious intent.
Reducing the risk of account takeover relies on stringent offboarding practices, ensuring access is terminated the moment an employee leaves. Single Sign-On should be used everywhere to allow for immediate, centralized account revocation.
Employees should also be required to use strong, unique passwords for any accounts. Additionally, utilizing a threat exposure vendor helps organizations identify and remediate leaked credentials and sessions impacting their employees before attackers can use them.
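An added example, not code from the article or from Flare, of the two controls the preceding paragraphs describe: a session is bound to the network and browser it completed MFA from, every later request presenting that cookie is rescored against that context, and offboarding revokes all of a user's sessions centrally. The SessionStore class, its weights and threshold, and the sample values are all assumptions.

```python
"""Constructed example: bind an MFA-completed session to the context it was
issued in, rescore that context on every request, and revoke centrally at
offboarding. Not Flare's or any vendor's code; names and thresholds are assumptions."""
import hashlib
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    net: str        # IPv4 /24 the MFA challenge was completed from
    ua_hash: str    # SHA-256 of the browser User-Agent at issue time
    revoked: bool = False

def net_of(ip: str) -> str:
    """Coarse network key so ordinary DHCP churn inside a /24 is not flagged."""
    return ip.rsplit(".", 1)[0]

def ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}

    def issue(self, token: str, user: str, ip: str, user_agent: str) -> None:
        """Called once MFA succeeds: record who got the cookie and from where."""
        self._sessions[token] = Session(user, net_of(ip), ua_hash(user_agent))

    def evaluate(self, token: str, ip: str, user_agent: str):
        """Return (decision, reasons) for a request presenting this cookie.
        Replay from a new network AND a new browser reaches the step-up threshold;
        a roaming user on the same browser scores below it and is allowed."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "deny", ["unknown_or_revoked"]
        score, reasons = 0, []
        if net_of(ip) != s.net:
            score, reasons = score + 2, reasons + ["network_changed"]
        if ua_hash(user_agent) != s.ua_hash:
            score, reasons = score + 2, reasons + ["browser_changed"]
        return ("step_up" if score >= 3 else "allow"), reasons

    def revoke_user(self, user: str) -> int:
        """Offboarding hook: invalidate every live session for the user."""
        live = [s for s in self._sessions.values() if s.user == user and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)
```

Network and User-Agent are both spoofable, which is the mimicry the article describes, so a check like this raises the bar and feeds detection rather than replacing the revocation of exposed sessions.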
Stolen login details remain an issue, not from a lack of defense, but because the kind of access we allow has changed. As work happens in more places and identities are used on more and more devices and systems, security rules must change with it.
It’s important to work out how criminals really use data they’ve stolen, instead of just how they steal it, if we are to close that gap.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro