Security news that informs and inspires

Stop the Pwnage: 81% of Hacking Incidents Used Stolen or Weak Passwords


According to the 10th edition of the Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Other trends include a jump in phishing, web application and ransomware attacks.

The Pervasiveness of Phishing

Stolen passwords may be the result of a proliferation of phishing - the attack method was found in over 90% of both security incidents and breaches. The top industries phished include manufacturing, information (Tech), retail and healthcare.

After a successful phishing attempt, 95% of phishing attacks that led to a breach were followed by the installation of software. After opening a malicious attachment, the payload of an exploit kit launches, checking a user’s computer and leveraging vulnerabilities that target Flash or other out-of-date software, browsers or plugins to install malware on their machine. This malware may include keyloggers or other ways to steal data, like usernames, passwords, intellectual property, credit card data, etc.

Web Application Attacks

In attacks against web applications, the use of stolen credentials, phishing, backdoors and command & control (C2) servers accounted for 60% of the incidents (note: findings were heavily influenced by data involved in the Dridex botnet takedown). In these attacks, personal data is now the most frequently compromised type of data, taking the place of credentials from last year.

The report offers up a few security recommendations to help protect web applications, including:

  • Limit the amount of personal information and site credentials stored on web apps or backend databases to the minimum required to run operations, and encrypt the rest
  • Use a second factor of authentication into web applications that would require completely different attack pattern to compromise than passwords
  • Patch your content management systems (CMS) and plugins, and make sure you get notified of out-of-cycle patches

Within the information (tech) industry, when smaller businesses’ user credentials are breached, they typically just reset passwords, since they often don’t have dedicated security staff or processes in place. More proactive security measures include implementing two-factor authentication or patch management of web applications to prevent breaches.

Rise & Commodification of Ransomware

Ransomware has jumped from 22nd place as the most common variety of malware to the fifth most common, according to Verizon. Major industries targeted by ransomware include public administration, healthcare and financial services; although many cases of ransomware targeting hospitals has been publicized widely in the media in 2016.

The commodification of the malware has become known as ransomware-as-a-service, offering the lucrative extortion abilities to anyone that can purchase it. The type of exploit kits used have shifted from Angler to Neutrino to RIG, as the data shows by the end of last year. As a type of crimeware-as-a-service, RIG can be rented for $200 a week, according to research from Recorded Future.

These exploit kits are sent via phishing, accounting for 21% of incidents. Typically, a ransomware phishing email targets employees working in departments that frequently open attachments, such as human resources (HR) or accounting.

According to Heimdal Security, the RIG exploit kit detects eight different vulnerabilities in unpatched software and downloads the Cerber ransomware onto a target system.

While the vulnerabilities used are always changing, as of January, they included:

  • Four critical vulnerabilities affecting Adobe Flash Player (including two that were patched in 2015)
  • Two affecting Microsoft Edge (Microsoft’s latest web browser running on Windows 10)
  • One affecting Internet Explorer versions 9, 10 and 11
  • One affecting Microsoft Silverlight

The ransomware may spread throughout a victim’s system and encrypt their data, locking them out until they pay attackers a ransom to decrypt their files.

Duo’s 2016 Trusted Access Report: Microsoft Edition found that nearly 62% of devices running Internet Explorer had an old version of Flash installed, meaning they may have been susceptible to known vulnerabilities packaged into the RIG exploit kit. And based on research from Cisco’s Talos Intelligence Group on RIG payloads and user agent information, the most commonly exploited victims include users browsing with Internet Explorer on Windows platforms.

Security Hygiene and Patching

Basic security hygiene can help reduce risks associated with known vulnerabilities, like those packaged into exploits sent as attachments in phishing emails. Keep your server software up to date, including operating systems, web applications, browsers and plugins.

For Flash, which is a major target, consider uninstalling it or enabling click-to-play to prevent Flash from automatically launching in web browsers. Many major browsers have this feature on by default, including Chrome, which uses HTML5 by default whenever available. Ad blockers can also help prevent exploitation via malvertising.

With some endpoint security solutions, you can also get insight into your endpoints logging into your applications, as well as set up access policies to detect, block or warn users of out-of-date Flash plugins running on their devices - before they access your environment.

When it comes to patch cycle time, most organizations completed patch processes in 12 weeks, with user devices patched most quickly, then servers, and then network devices that aren’t patched until the end of the quarter, according to the report.

Unsurprisingly, the information industry patches most quickly, and comprehensively, fixing 97.5% of vulnerability findings. Manufacturing and healthcare also rank higher on patch time and comprehensiveness. The education industry is slower - on average, they only fix about 18% of vulnerability findings over the 12-week period. The public and finance industries are also slower when it comes to patching.