
LastPass analyst warns of looming credentials crisis

Organisations should beware of an oncoming crisis in the secure management of user access, according to a cybersecurity specialist at password management company LastPass.

LastPass senior principal intelligence analyst Mike Kosak, writing in IT security publication SC Magazine, said a growing “credentials crisis” is characterised by three key trends that should concern cybersecurity professionals.

The three trends are the rise of infostealer malware, more sophisticated social engineering partly powered by generative AI, and the shift away from passwords as the primary line of defence.

“Millions of sets of credentials were compromised last year through third-party breaches, infostealer malware infections, network intrusions or other methods before making their way to forums, dark-web marketplaces or other sites,” Kosak wrote.

“Stolen credentials were a driving factor, leading to disrupted lives, stolen data, business shutdowns, and billions of dollars in financial losses.”

Kosak cited the 2023 Verizon Data Breach Investigations Report as support. That annual report found that 83% of breaches involved external actors, and that 49% of those external-actor breaches made use of stolen credentials.

“Regardless of their source, the massive number of stolen legitimate credentials available underscores the pervasive nature of the threat,” he added.

Infostealers are widely advertised and discussed in forums, with incidents multiplying as more variants appear and are offered to malicious actors. And once access is gained, further malware infection and attacks can follow, Kosak suggested.

Social engineering-based strategies are also frequently used to steal credentials, he noted.

Kosak said the MGM breach involved initial reconnaissance on social media that ultimately allowed the attackers to impersonate an employee in an approach to the company’s helpdesk, which then handed over that employee’s access credentials.

“We’ll see social engineering attacks get incorporated into AI-driven audio deepfakes that can allow for more convincing impersonation calls,” he said.

The rise in credential theft was also driving a rethink of authentication technologies, including a move from passwords to passkeys, which are resistant to current phishing-style attacks, Kosak suggested.

LastPass obtained FIDO2 certification for its authentication servers in January.

According to that announcement, customers can authenticate and log in using the LastPass Authenticator app or FIDO2 authenticators, including biometrics via Touch ID or Windows Hello, or hardware keys such as YubiKey or Feitian keys.
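Why a passkey resists the phishing that harvests passwords comes down to what the authenticator signs. The Go program below is an added illustration, not LastPass code or code from the article: it simulates a WebAuthn/FIDO2 assertion with an Ed25519 passkey, a browser-side rpId check, and the relying-party verification, then runs a genuine login, an adversary-in-the-middle phishing relay from a look-alike origin, and a replay. The domain names, the single allowed origin and the fixed sign count are assumptions made for the example; the real protocol carries more fields than are modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Simplified WebAuthn/FIDO2 assertion flow (added example; rpID, origins and keys
// are hypothetical, and the real protocol carries more fields than modelled here).
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator holds one passkey, scoped to the relying party ID it was created for.
type authenticator struct {
	rpID string
	key  ed25519.PrivateKey
}

// sign produces the assertion: a signature over authenticatorData || SHA-256(clientDataJSON).
// Origin and challenge sit inside clientDataJSON, so the signature covers them.
func (a *authenticator) sign(origin string, challenge []byte) assertion {
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	// authenticatorData = rpIdHash (32) || flags (user-present bit set) || signCount (4)
	authData := append(append(append([]byte{}, rpIDHash[:]...), 0x01), 0, 0, 0, 1)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(a.key, append(append([]byte{}, authData...), cdHash[:]...))
	return assertion{authData, cd, sig}
}

// browserGet models navigator.credentials.get(): the browser records the origin it
// really loaded and refuses an rpId that is not that host or a parent domain of it.
func browserGet(a *authenticator, origin, rpID string, challenge []byte) (assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return assertion{}, fmt.Errorf("SecurityError: rpId %q not valid for %s", rpID, origin)
	}
	return a.sign(origin, challenge), nil
}

type relyingParty struct {
	rpID    string
	origins map[string]bool
	pubKey  ed25519.PublicKey
}

// verify performs the RP-side checks of the assertion ceremony: type, challenge,
// origin, rpIdHash, then the signature.
func (rp *relyingParty) verify(challenge []byte, as assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong type or stale/replayed challenge")
	}
	if !rp.origins[cd["origin"]] {
		return fmt.Errorf("origin %q not allowed: assertion was signed on another site", cd["origin"])
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(rp.pubKey, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Result records the outcome of a genuine login, a phishing relay and a replay.
type Result struct{ LegitOK, PhishBrowserBlocked, PhishRPRejected, ReplayRejected bool }

// Scenario runs the cases against a freshly generated passkey for example.com.
func Scenario() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	auth := &authenticator{"example.com", priv}
	rp := &relyingParty{"example.com", map[string]bool{"https://example.com": true}, pub}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	var r Result
	// 1. Genuine login from the real origin.
	as, err := browserGet(auth, "https://example.com", "example.com", challenge)
	r.LegitOK = err == nil && rp.verify(challenge, as) == nil
	// 2. A look-alike page relays the real challenge but cannot claim example.com's rpId.
	_, err = browserGet(auth, "https://example-login.com", "example.com", challenge)
	r.PhishBrowserBlocked = err != nil
	// 3. Even with that client check bypassed, the signed origin gives the relay away at the RP.
	r.PhishRPRejected = rp.verify(challenge, auth.sign("https://example-login.com", challenge)) != nil
	// 4. Replaying the genuine assertion against a different challenge also fails.
	r.ReplayRejected = rp.verify([]byte("some-other-challenge"), as) != nil
	return r, nil
}
```

Contrast this with a password: whatever the victim types into the look-alike page can be relayed to the real site unchanged. A passkey assertion is bound to the origin and the challenge, so the relayed value is worthless, which is the property Kosak is pointing to.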

However, Kosak noted that technological shifts often create new threats and risks of their own, especially as cybercriminals evolve their own approaches to keep up. Organisations should take “extra care” when incorporating new processes, configurations and security protocols, he said.

