CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.
Both reports shed light on the persistent and growing threat of credential access — the act of stealing or cracking legitimate credentials to bypass security measures and gain unauthorized access to systems. Many advanced cyberattacks depend on credential access to provide intruders with the ability to move laterally within networks, escalate privileges and maintain persistence, frequently sidestepping detection. As per these industry-leading reports, an effective risk mitigation strategy depends on correctly dealing with credential access.
CISA’s FY23 RVA: Credential access in the spotlight
CISA’s FY23 RVA report underscores how credential access continues to be a prevalent and successful method used by threat actors to compromise networks. The analysis was based on 143 RVAs conducted across critical infrastructure sectors, including the federal civilian executive branch (FCEB), state and local governments and private-sector organizations. The report mapped findings to the MITRE ATT&CK® framework, illustrating which tactics attackers favored most.
Among the identified tactics, credential dumping (T1003) and LLMNR/NBT-NS poisoning (T1557.001) were highlighted as common techniques used by attackers. Credential dumping, in particular, was successful in 14% of the assessments. This technique involves stealing password hashes or cleartext passwords from system memory and then using these credentials for lateral movement within the network. In parallel, LLMNR/NBT-NS poisoning, which exploits weaknesses in name resolution protocols to force devices to communicate with malicious actors, was successful in 13% of cases.
These techniques allow attackers to exploit systems, often without triggering alarms. Once attackers obtain legitimate credentials, they can escalate privileges and access sensitive data. Hackers can even create new accounts to ensure they can continue to infiltrate the system, even if part of their operation is detected and neutralized.
Credential access is a top threat
IBM’s X-Force Threat Intelligence Index 2024 echoes CISA’s findings — identifying credential access as the most significant risk to organizations worldwide. According to IBM, attackers are increasingly focusing on stealing or cracking credentials as the easiest way to bypass security measures and gain access to critical systems. Whether through keylogging, phishing or sophisticated malware, attackers target the weakest link — human behavior — to compromise networks.
In both reports, credential theft is not just a tactic — it is the gateway to executing more complex and damaging cyberattacks, such as ransomware, espionage and data exfiltration. IBM X-Force’s report emphasizes how credential access allows attackers to blend in with legitimate users, making it difficult for security teams to detect malicious activities in real time. The combination of poor password hygiene, lack of multi-factor authentication (MFA) and human error remains a significant weakness in many organizations.
Volt Typhoon Campaign: A case study in credential access
CISA’s report references real-world campaigns, such as Volt Typhoon, which began in 2021 and continued through 2023. This campaign targeted Fortinet Fortiguard devices, using credential dumping to steal operating system and domain credentials.
The attackers, believed to be state-sponsored, dumped credentials using tools like Mimikatz and Impacket, leveraging weaknesses in the LSASS process to extract password hashes. With these credentials, the attackers could perform lateral movement, gaining deeper access to targeted networks and systems.
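The credential dumping described in the FY23 findings and in the Volt Typhoon case study leaves a telemetry trail: a process opening a handle to LSASS with memory-read rights. The following detection is an added example, not code from CISA, IBM or the report, and it assumes Sysmon Event ID 10 (ProcessAccess) records with the field names shown and an allowlist that is tuned per environment; the sample events are constructed.

```python
"""Flag suspicious handle opens on lsass.exe from Sysmon Event ID 10 records."""
from dataclasses import dataclass

# Access rights that let a caller read (or tamper with) LSASS memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SUSPICIOUS_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption: processes that legitimately open LSASS on this environment's hosts.
# Real deployments add their EDR/AV engine paths here after baselining.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass(frozen=True)
class Sysmon10:
    source_image: str    # process that opened the handle
    target_image: str    # process whose handle was opened
    granted_access: str  # hex string as Sysmon logs it, e.g. "0x1010"
    source_user: str


def is_lsass_access_suspicious(ev: Sysmon10) -> bool:
    """True when a non-allowlisted process gets read/write/thread rights on lsass.exe."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWLIST:
        return False
    return bool(int(ev.granted_access, 16) & SUSPICIOUS_MASK)


def find_suspicious(events):
    return [e for e in events if is_lsass_access_suspicious(e)]


# Constructed sample records: two benign opens, two dumping-style opens, one unrelated target.
SAMPLE_EVENTS = [
    Sysmon10(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", "0x1fffff", r"NT AUTHORITY\SYSTEM"),
    Sysmon10(r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\lsass.exe", "0x1010", r"CORP\alice"),
    Sysmon10(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", "0x1000", r"NT AUTHORITY\SYSTEM"),
    Sysmon10(r"C:\Tools\helper.exe", r"C:\Windows\System32\lsass.exe", "0x1fffff", r"CORP\admin"),
    Sysmon10(r"C:\Tools\helper.exe", r"C:\Windows\System32\notepad.exe", "0x1010", r"CORP\bob"),
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT lsass access: {e.source_image} by {e.source_user} ({e.granted_access})")
```

A 0x1000 mask (query-only) from an allowlisted service is normal noise; the two alerts are the unknown binaries holding PROCESS_VM_READ or full access.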
Mitigating the threat: What organizations can do
Both CISA and IBM stress the need for proactive cybersecurity measures to mitigate the risks posed by credential access. Recommendations include:
- Implementing multi-factor authentication (MFA): Using MFA significantly reduces the risk of compromised credentials being used by attackers.
- Securing privileged accounts: Organizations should ensure that privileged accounts have stronger security measures, such as unique passwords and limited access.
- Regular auditing and monitoring: Continuous monitoring for unusual login activity, especially across privileged accounts, can help detect suspicious activities early.
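The "unusual login activity" recommendation above can be turned into two concrete checks over Windows Security logon events: a single source failing logons against many distinct accounts (credential guessing) and a privileged account succeeding from a host outside its baseline. This is an added example, not part of the CISA or IBM reports; the account names, the baseline and the sample events are constructed, and the windows and thresholds are assumptions to tune.

```python
"""Two logon-anomaly checks over Windows Security events 4624 (success) and 4625 (failure)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class LogonEvent(NamedTuple):
    ts: datetime
    event_id: int      # 4624 = successful logon, 4625 = failed logon
    account: str
    source_ip: str


PRIVILEGED = {"da-jsmith"}                   # assumption: privileged accounts to watch
BASELINE = {"da-jsmith": {"10.0.5.20"}}      # assumption: hosts they normally log on from


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Source IPs that failed logons for >= min_accounts distinct accounts inside one window."""
    fails_by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == 4625:
            fails_by_src[e.source_ip].append(e)
    hits = set()
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):            # sliding window over this source's failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            if len({f.account for f in fails[start:end + 1]}) >= min_accounts:
                hits.add(src)
                break
    return hits


def detect_privileged_new_source(events):
    """(account, source_ip) pairs where a privileged account succeeded from an unbaselined host."""
    return sorted({(e.account, e.source_ip) for e in events
                   if e.event_id == 4624 and e.account in PRIVILEGED
                   and e.source_ip not in BASELINE.get(e.account, set())})


def _t(minute, second=0):
    return datetime(2023, 6, 1, 9, minute, second)


SAMPLE = [  # constructed sample events
    LogonEvent(_t(0), 4625, "alice", "10.0.9.77"),
    LogonEvent(_t(0, 30), 4625, "bob", "10.0.9.77"),
    LogonEvent(_t(1), 4625, "carol", "10.0.9.77"),
    LogonEvent(_t(1, 30), 4625, "dave", "10.0.9.77"),
    LogonEvent(_t(2), 4624, "dave", "10.0.9.77"),      # guessed password succeeded
    LogonEvent(_t(3), 4625, "alice", "10.0.5.20"),     # one typo on a known host, not a spray
    LogonEvent(_t(4), 4624, "da-jsmith", "10.0.5.20"), # admin from baseline host: fine
    LogonEvent(_t(6), 4624, "da-jsmith", "10.0.9.77"), # admin from the guessing host: alert
]
```

Correlating the two outputs (the spraying source later used by a privileged account) is the kind of lateral-movement signal both reports describe.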
As verified by both CISA and IBM, credential access continues to be a critical cyber threat. Organizations should take immediate action to strengthen defenses against credential attacks as they lead to a wide range of damaging consequences down the line.