October 7, 2024 By Jonathan Reed 3 min read

CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.

Both reports shed light on the persistent and growing threat of credential access — the act of stealing or cracking legitimate credentials to bypass security measures and gain unauthorized access to systems. Many advanced cyberattacks depend on credential access to provide intruders with the ability to move laterally within networks, escalate privileges and maintain persistence, frequently sidestepping detection. As per these industry-leading reports, an effective risk mitigation strategy depends on correctly dealing with credential access.

CISA’s FY23 RVA: Credential access in the spotlight

CISA’s FY23 RVA report underscores how credential access continues to be a prevalent and successful method used by threat actors to compromise networks. The analysis was based on 143 RVAs conducted across critical infrastructure sectors, including the federal civilian executive branch (FCEB), state and local governments and private-sector organizations. The report mapped findings to the MITRE ATT&CK® framework, illustrating which tactics attackers favored most.

Among the identified tactics, credential dumping (T1003) and LLMNR/NBT-NS poisoning (T1557.001) were highlighted as common techniques used by attackers. Credential dumping, in particular, was successful in 14% of the assessments. This technique involves stealing password hashes or cleartext passwords from system memory and then using these credentials for lateral movement within the network. In parallel, LLMNR/NBT-NS poisoning, which exploits weaknesses in name resolution protocols to force devices to communicate with malicious actors, was successful in 13% of cases.

These techniques allow attackers to exploit systems, often without triggering alarms. Once attackers obtain legitimate credentials, they can escalate privileges and access sensitive data. Hackers can even create new accounts to ensure they can continue to infiltrate the system, even if part of their operation is detected and neutralized.


Credential access is a top threat

IBM’s X-Force Threat Intelligence Index 2024 echoes CISA’s findings — identifying credential access as the most significant risk to organizations worldwide. According to IBM, attackers are increasingly focusing on stealing or cracking credentials as the easiest way to bypass security measures and gain access to critical systems. Whether through keylogging, phishing or sophisticated malware, attackers target the weakest link — human behavior — to compromise networks.

In both reports, credential theft is not just a tactic — it is the gateway to executing more complex and damaging cyberattacks, such as ransomware, espionage and data exfiltration. IBM X-Force’s report emphasizes how credential access allows attackers to blend in with legitimate users, making it difficult for security teams to detect malicious activities in real time. The combination of poor password hygiene, lack of multi-factor authentication (MFA) and human error remains a significant weakness in many organizations.

Volt Typhoon Campaign: A case study in credential access

CISA’s report references real-world campaigns, such as Volt Typhoon, which began in 2021 and continued through 2023. This campaign targeted Fortinet FortiGuard devices, using credential dumping to steal operating system and domain credentials.

The attackers, believed to be state-sponsored, dumped credentials using tools like Mimikatz and Impacket, leveraging weaknesses in the LSASS process to extract password hashes. With these credentials, the attackers could perform lateral movement, gaining deeper access to targeted networks and systems.

Mitigating the threat: What organizations can do

Both CISA and IBM stress the need for proactive cybersecurity measures to mitigate the risks posed by credential access. Recommendations include:

  • Implementing multi-factor authentication (MFA): Using MFA significantly reduces the risk of compromised credentials being used by attackers.
  • Securing privileged accounts: Organizations should ensure that privileged accounts have stronger security measures, such as unique passwords and limited access.
  • Regular auditing and monitoring: Continuous monitoring for unusual login activity, especially across privileged accounts, can help detect suspicious activities early.
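One concrete form the monitoring recommendation can take, as an added example that is not from the CISA or IBM reports: dumped credentials are typically reused for network logons across many hosts, so this script flags accounts that authenticate to more than a threshold of distinct hosts inside a sliding window, with a stricter threshold for an assumed list of privileged accounts. The logon records are constructed samples modelled on Windows event 4624 fields, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows logon event 4624 fields
# (timestamp, account, source workstation, logon type). Not real telemetry.
SAMPLE_LOGONS = [
    "2024-10-07T09:00:05 user=alice src=WS-101 type=2",
    "2024-10-07T09:01:00 user=svc_backup src=FS-01 type=3",
    "2024-10-07T09:01:30 user=svc_backup src=FS-02 type=3",
    "2024-10-07T09:02:00 user=svc_backup src=DC-01 type=3",
    "2024-10-07T09:04:00 user=bob src=WS-202 type=3",
    "2024-10-07T09:05:00 user=bob src=WS-203 type=3",
    "2024-10-07T09:06:00 user=bob src=WS-204 type=3",
    "2024-10-07T09:07:00 user=bob src=WS-205 type=3",
    "2024-10-07T14:00:00 user=bob src=WS-206 type=3",
]

# Assumed set of privileged accounts; pull this from the directory in practice.
PRIVILEGED = {"svc_backup", "da_admin"}


def parse_logon(line):
    """Parse one 'timestamp key=value ...' record into (datetime, fields)."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), fields


def find_fanout(lines, window=timedelta(minutes=10), max_hosts=3, privileged=PRIVILEGED):
    """Return {account: sorted hosts} for accounts with network logons (type 3)
    to more than max_hosts distinct hosts inside any sliding window.
    Privileged accounts are held to a stricter limit of 2 hosts."""
    events = defaultdict(list)
    for line in lines:
        ts, f = parse_logon(line)
        if f.get("type") == "3":  # network logons are where lateral movement shows
            events[f["user"]].append((ts, f["src"]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        limit = 2 if user in privileged else max_hosts
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) > limit:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(SAMPLE_LOGONS).items():
        print(f"review {user}: logons to {hosts} within 10 minutes")
```

The thresholds are deliberately low for the sample; in a real environment tune them per account class and feed the script from your SIEM's 4624 export rather than a static list.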

As verified by both CISA and IBM, credential access continues to be a critical cyber threat. Organizations should take immediate action to strengthen defenses against credential attacks as they lead to a wide range of damaging consequences down the line.
