Twitter Cyberattack Could Prompt Surge in Similar Hacks

… the perpetrator behaves differently. If stolen credentials aren’t useful, there is much less incentive for an attacker to send phishing attacks, spread credential stealing malware, and attempt to socially engineer access to user credentials, reducing the number of effective attacks you need to guard against.

Barracuda: Specialized Economy Around ATO

A specialized economy has emerged around email account takeover (ATO), according to a new report by Barracuda.

Over the past year, Barracuda researchers teamed up with researchers at UC Berkeley. They studied the end-to-end life cycle of a compromised account. They examined 159 compromised accounts that span 111 organizations.

Highlights from the report include:

• More than one-third of the hijacked accounts had attackers dwelling in the account for more than one week.
• One in five (20%) compromised accounts appear in at least one online password data breach. This suggests cybercriminals are exploiting credential reuse across employees’ personal and organization accounts.
• In 31% of these compromises, one set of attackers focuses on compromising accounts. The attackers then sell account access to another set of cybercriminals who focus on monetizing the hijacked accounts.
• Almost four in five (78%) attackers did not access any applications outside of email.

Neil Shah is a cybersecurity software technologist at Barracuda Networks. He said the report includes two “quite surprising” findings.

Barracuda’s Neil Shah

“We see evidence of some accounts being compromised and exploited by a single attacker, while on the other side we see accounts being compromised by one attacker and likely sold to another attacker that uses and extracts value from the accounts,” he said. “Therefore, a more mature economy seems to be growing where attackers are specializing in their roles of compromising accounts and extracting value from accounts. Secondly, with each of these enterprise accounts having access to many Office 365 cloud applications, such as SharePoint and Microsoft Teams, we still see that 78% of attackers still only access email. That was a slight shock to me, but it comes to show that email contains sufficient information/value for attackers, such as contact lists and potentially sensitive communication among employees.”

Preventing ATO is a complex task, Shah said.

“All an attacker really needs to do is gain access to one employee account within an enterprise, and they now have access to a wealth of business information, functionality and sensitive enterprise emails,” he said. “In addition, they would potentially be able to launch additional attacks against other users using the trusted identity of the compromised account.”

Real-time detectors can be useful in defending against ATOs, Shah said. In addition, non-real-time detection can still be fairly valuable, he said.

“Namely, a detector that monitors continuous activity after the initial compromise can still mitigate significant damage,” he said. “We also found that 20% of enterprise accounts within our study were compromised via an external data breach, which further illustrates the value in a non-real time detector in the need of monitoring continuous activity in an account. Another thing is that organizations should train their employees on the importance of password management and the dangers of password reuse between any accounts, especially personal and enterprise accounts.”

Once attackers penetrate the enterprise border and gain access to enterprise accounts, the damages can be …