Analysis of Cyber Security Threat Trends in the Last Six Months of 2023
Hey there folks! Today, I want to share an eye-opening incident that took place a bit back, in 2024. As most of you know, we’ve been having to grapple far too often with these increasingly crafty cybercriminals.
In this case, some folks over on the East Coast had the misfortune of falling victim to an attacker who got their hands on some leaked credentials. You’ve heard it a million times, and here it is again, this stuff is becoming way too commonplace. In fact, leaked credentials are almost as sought after as avocado toast in some circles. (I hear they go for quite a premium over on the dark web.)
Now, this company knew their stuff. They had measures in place like multi-factor authentication (MFA) to try and bolster their security, but it just wasn’t enough. Even though the company used a dedicated cybersecurity provider, that didn’t mean they could sit back and relax, thinking they were entirely safe.
The attacker leveraged the company’s leaked internal credentials to gain unauthorized access to their systems. They then went about their malicious business, which included a range of unsavory activities like data exfiltration and malware deployment. Unsettling? Yes indeed!
So here’s how it happened. There was this previously unused service account (probably sitting unnoticed like the extra parsley in your fridge), and guess what? The attacker decided that just like you with the parsley and your scrambled eggs, they could make excellent use of it.
They didn’t barge in, no siree! They snuck in using this unused service account, somehow enrolling it in multi-factor authentication (MFA) themselves, which got them access to the company’s virtual private network (VPN). MFA only protects an account when the attacker can’t register the second factor, and nobody had ever registered one for this account.
The dark web and its shady marketplaces that sell sensitive data, like a garage sale for cyber criminals, had their hand in this too. This unsuspecting service account appeared to be the attacker’s golden ticket, enabling a host of sinister activities. They used it to scan the company’s network, understand its structure, identify vulnerabilities, and execute successful login attempts. San Francisco sourdough wouldn’t even have time to rise before they carried out their plans!
In the thick of all this, the attacker seemed to get a tad more ambitious. They dabbled in something called share enumeration, listing which file shares each host on the network exposes. Sounds technical, but basically it’s like peeping through your neighbor’s windows to figure out their daily routine. As a result, needless to say, the attacker got a whole lot of useful insights about their target.
A few minutes later, there was more trouble brewing. The company’s network witnessed an unexpected encounter with a well-known network scanning tool called Nmap. This attacker was definitely not stopping for a coffee break!
The aftermath was pretty daunting. The compromised account led to a flurry of abnormal activity including nearly 900 attempts to establish SMB sessions and over 300 file deletes. Yes, the cleanup was big.
Fortunately, the company had robust monitoring tools in place that picked up on this suspicious activity swiftly, and their security team was alerted. If not for the prompt action taken by the security team, things could’ve gone from bad to worse.
Now, you might be thinking, what’s the takeaway from all this? Well, the pool of cyber attackers isn’t going anywhere, neither is their appetite for stolen credentials. While measures like MFA are important, it’s crucial to have a more comprehensive defense, ready to adapt and respond to threats as they evolve.
Don’t forget the basics either. Regular password changes, practicing good network hygiene, and yes, a keen eye on those service accounts that might seem dormant. Remember, any element within the network can be exploited by a savvy attacker.
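To make the monitoring and dormant-account points concrete, here is an added example of the kind of detection logic that would have flagged every stage of this story: a dormant service account logging in, MFA being enrolled on a service account, and a burst of SMB session setups and file deletes from one account. This is my own illustration, not code from the company, its provider, or HEAL Security; the log format, the account inventory, the thresholds and the sample log are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inventory of service accounts and when each last authenticated
# before the sample log begins (hypothetical data, not from the incident).
SERVICE_ACCOUNTS = {
    "svc_backup": datetime(2023, 9, 1),    # idle for months: the forgotten parsley
    "svc_monitor": datetime(2024, 2, 28),  # used every day, should stay quiet
}

DORMANT_DAYS = 90                 # idle longer than this counts as dormant
WINDOW = timedelta(minutes=10)    # sliding window for burst detection
SMB_SESSION_THRESHOLD = 50        # session setups per window per account
DELETE_THRESHOLD = 20             # file deletes per window per account


def parse_event(line):
    """Parse 'TIMESTAMP SOURCE key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "source": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def burst_alerts(events, event_name, threshold, window):
    """Count event_name per user in a sliding window; alert once per user on crossing."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in events:
        if ev.get("event") != event_name:
            continue
        user = ev.get("user", "?")
        q = recent[user]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and user not in fired:
            fired.add(user)
            alerts.append(("burst_" + event_name, user, f"{len(q)} in {window}"))
    return alerts


def detect(lines, inventory=SERVICE_ACCOUNTS):
    """Return (rule, account, detail) tuples for the suspicious patterns in the story."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts, seen_dormant = [], set()
    for ev in events:
        user = ev.get("user")
        if user not in inventory:               # only service accounts are in scope here
            continue
        if ev.get("event") == "login" and ev.get("result") == "success":
            idle = ev["ts"] - inventory[user]
            if idle > timedelta(days=DORMANT_DAYS) and user not in seen_dormant:
                seen_dormant.add(user)
                alerts.append(("dormant_account_login", user, f"idle {idle.days} days"))
        if ev.get("event") == "mfa_enroll":     # nobody should enroll MFA on a service account
            alerts.append(("mfa_enroll_service_account", user, ev.get("src", "")))
    alerts += burst_alerts(events, "session_setup", SMB_SESSION_THRESHOLD, WINDOW)
    alerts += burst_alerts(events, "file_delete", DELETE_THRESHOLD, WINDOW)
    return alerts


def stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_log():
    """Constructed log: a benign daily account plus a dormant account abused as in the story."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    lines = [
        f"{stamp(base)} auth user=svc_monitor event=login result=success src=10.0.0.20",
        f"{stamp(base + timedelta(minutes=1))} auth user=svc_backup event=login result=success src=203.0.113.9",
        f"{stamp(base + timedelta(minutes=2))} auth user=svc_backup event=mfa_enroll src=203.0.113.9",
        "garbage line that the parser must skip",
    ]
    for i in range(900):   # ~900 SMB session setups spread over 30 minutes
        t = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{stamp(t)} smb user=svc_backup event=session_setup target=10.0.1.{i % 250 + 1}")
    for i in range(300):   # 300 file deletes in five minutes
        t = base + timedelta(minutes=40, seconds=i)
        lines.append(f"{stamp(t)} smb user=svc_backup event=file_delete path=/share/doc{i}.docx")
    for i in range(5):     # the active account's normal trickle stays under threshold
        t = base + timedelta(minutes=i)
        lines.append(f"{stamp(t)} smb user=svc_monitor event=session_setup target=10.0.1.1")
    return lines


if __name__ == "__main__":
    for rule, account, detail in detect(sample_log()):
        print(f"ALERT {rule}: {account} ({detail})")
```

The dormant-account rule is the one that pays for itself: it needs nothing more than a list of service accounts with their last-seen dates, and it fires at the very first login, before any scanning or deleting has started. The burst thresholds are tuning knobs; the point is that one account doing hundreds of SMB session setups in minutes is a shape of activity no legitimate service account has.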
Take care until next time folks, and remember – stay cyber secure!
by Morgan Phisher | HEAL Security