Tom works for a reputable financial institution. He has a long, complex password that would be near-impossible to guess. He’s memorized it by heart, so he started using it for his social media accounts and on his personal devices too. Unbeknownst to Tom, one of these sites has had its password database compromised by hackers, who put it up for sale on the dark web. Now threat actors are working hard to link these leaked credentials back to real-life individuals and their places of work. Before long, a threat actor will use Tom’s legitimate email account to send a spear-phishing link to his CEO.
This is a common account takeover scenario where malicious attackers gain unauthorized access to the organization’s systems, putting critical information and operations at risk. It usually starts with compromised credentials. We’ll run through why account takeover is so hard to stop once it starts and why strong password security is the best prevention.
Gaining access to an Active Directory account within an organization is a dream scenario for a hacker. They can launch social engineering attacks from a legitimate associated email account or instant messaging service, communicating with other employees from a trusted account that won’t be flagged by internal security. If the phishing messages are carefully crafted, it might be some time before the impersonation is discovered.
Attackers might take over an account with existing privileges or compromise a stale or inactive account and attempt to elevate their privileges from there. This can give them the keys to all manner of sensitive information shared within the organization, such as confidential business plans, financial data, intellectual property, or personally identifiable information (PII) of employees or customers. The legitimacy of the compromised account increases the chances of success in these fraudulent activities.
Because these attacks involve the use of legitimate user credentials, it’s difficult to distinguish between authorized and unauthorized access. Attackers often mimic the behavior of legitimate users, making it harder to identify suspicious activities or anomalies. Users may not be aware that their accounts have been compromised, especially if the attackers maintain access without raising suspicion. This delay in detection allows attackers to continue their malicious activities, increasing the potential damage and making remediation more challenging.
Interested to know how many stale and inactive accounts are in your Active Directory environment along with other password vulnerabilities? Run this free read-only password audit.
A recent security incident in an unnamed U.S. State Government organization highlighted the dangers of account takeover. A threat actor successfully authenticated into an internal virtual private network (VPN) access point using an ex-employee’s leaked credentials. Once inside the network, the attacker accessed a virtual machine and blended in with legitimate traffic to evade detection. The compromised virtual machine provided the attacker with access to another set of credentials with administrative privileges to both the on-premises network and Azure Active Directory.
With these credentials, the threat actor explored the victim’s environment, executed lightweight directory access protocol (LDAP) queries against a domain controller, and gained access to host and user information. The attackers then posted the breached information on the dark web, intending to sell it for financial gain.
Bad password security practices can significantly increase the risk of account takeover. Using weak passwords that are easy to guess or crack makes it very simple for attackers to compromise accounts. End users choose common root phrases and then add special characters with simple structures to meet complexity requirements, like “password123!”. These will be rapidly guessed by the automated brute-force techniques used by hackers.
A concerning number of organizations still have password policies that allow weak passwords which are wide open to account takeover. However, it’s important to remember strong passwords can become compromised too.
Password reuse is often overlooked but is one of the riskiest end-user behaviors. When people reuse the same password (even if it’s a strong one) across multiple accounts, a breach in one service can expose their credentials, making it easier for attackers to gain access to other accounts. If a cybercriminal obtains a user’s password from a compromised website, they can try using it to gain unauthorized access to their work accounts.
Stronger password security plays a crucial role in preventing account takeover attacks. Implementing MFA adds an extra layer of security by requiring users to provide additional verification factors, such as a one-time password, biometric data, or a physical token, in addition to their password. However, MFA isn’t infallible and can be bypassed. Weak and compromised passwords are still almost always the starting point for account takeover.
Enforcing complex password requirements, such as a minimum length of 15 characters, a combination of uppercase and lowercase letters, numbers, and special characters, makes it harder for attackers to guess or crack passwords via brute-force or dictionary attacks.
However, your organization also needs a way to detect passwords that may have become compromised through risky behavior such as password reuse. A tool like Specops Password Policy continuously scans your Active Directory environment against an ever-growing list of over 4 billion compromised passwords. If an end user is found to be using a breached password, they’re forced to change it, closing off a potential account takeover route.
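To make the two checks above concrete (the complexity rules from the previous paragraph and the breached-password lookup), here is an added example of a password-policy checker; it is not Specops code, and the breached list, root-word list and sample passwords are constructed for illustration.

```python
import hashlib
import re

# Policy values taken from the post: minimum length 15 plus all four character classes.
MIN_LENGTH = 15

# Constructed stand-in for a breached-password corpus. It is kept as SHA-1 hashes so
# the checker never holds plaintext; a real feed would contain billions of entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123!", "Summer2023!!!!!", "Welcome1Welcome1")
}

# Root words that users pad with digits and symbols to satisfy complexity rules.
COMMON_ROOTS = ("password", "welcome", "admin", "letmein", "qwerty")


def sha1_hex(password: str) -> str:
    """Hash a candidate password the same way the breached list is stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password: str) -> list[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Root word followed only by digits/symbols, e.g. "password123!": strip the
    # trailing non-letters and see whether a common root is all that remains.
    root = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if root in COMMON_ROOTS:
        problems.append("common root word with a trivial suffix")
    # A password can satisfy every complexity rule and still be in a breach dump.
    if sha1_hex(password) in BREACHED_SHA1:
        problems.append("appears in the breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("password123!", "Summer2023!!!!!", "Correct-Horse-Battery-7-Staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Summer2023!!!!!" meets every complexity rule yet is rejected only by the breach lookup, which is the point the paragraph makes about strong-looking passwords that have already leaked.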
Want to see how Specops Password Policy could fit in with your organization? Speak to us and we can arrange a free trial.