Are cybercriminals hacking your systems – or just logging in?

Posted by Admin, September 12, 2025


As bad actors often simply waltz through companies’ digital front doors with a key, here’s how to keep your own door locked tight

Phil Muncaster

11 Sep 2025 • 5 min. read

Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes, so they can access networks by masquerading as legitimate users.

According to Verizon, “use of stolen credentials” has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them.

Why credentials are ground zero for cyberattacks

According to one estimate, over 3.2 billion credentials were stolen from global businesses in 2024, a 33% annual increase. With the access these provide to corporate accounts, threat actors can effectively slip into the shadows while plotting their next move. This might involve some more advanced forms of criminal exploitation, for example:

  • Conducting network reconnaissance: looking for data, assets and user permissions to go after next
  • Escalating privileges, e.g. via vulnerability exploitation, in order to move laterally to reach those high-value data stores/systems
  • Covertly establishing communications with a command-and-control (C2) server, to download additional malware from and exfiltrate data

By working through these steps, an adversary could also carry out highly successful ransomware and other campaigns.

How they get hold of passwords

Threat actors have developed various ways to compromise your employees’ corporate credentials or, in some cases, even their MFA codes. They include:

  • Phishing: Emails or texts spoofed to appear as if sent from an official source (i.e., the IT department, or a tech supplier). The recipient will be encouraged to click on a malicious link taking them to a fake login page (i.e., Microsoft).
  • Vishing: A variation on the phishing theme, but this time a victim receives a phone call from the threat actor. They may impersonate the IT helpdesk and request that the victim hand over a password or enroll a new MFA device as part of some fictitious back story. Or they could call the helpdesk claiming to be an executive or employee who needs an urgent password reset to get their job done.
  • Infostealers: Malware designed to harvest credentials and session cookies from the victim’s computer/device. It might arrive via a malicious phishing link/attachment, a compromised website, a booby-trapped mobile app, a social media scam or even an unofficial games mod. Infostealers are thought to have been responsible for 75% of compromised credentials last year.
  • Brute-force attacks: These include credential stuffing, where adversaries try previously breached username/password combos against corporate sites and apps. Password spraying, meanwhile, leverages commonly used passwords across different sites. Automated bots help them to do so at scale, until one finally works.
  • Third-party breaches: Adversaries compromise a supplier or partner which stores credentials for its clients, such as an MSP or a SaaS provider. Or they buy up troves of already breached login “combos” to use in subsequent attacks.
  • MFA bypass: The techniques include SIM swapping, MFA prompt bombing that overwhelms the target with push notifications in order to cause “alert fatigue” and elicit a push approval, and Adversary-in-the-Middle (AitM) attacks where attackers insert themselves between a user and a legitimate authentication service to intercept MFA session tokens.
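From the defender's side, the brute-force and MFA prompt bombing patterns in the list above leave recognisable traces in authentication logs. The following is an added example, not part of the original article: the event format, thresholds and alert names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MANY_USERS = 4                  # assumed: accounts failed from one source
MANY_PUSHES = 5                 # assumed: denied MFA pushes to one user

# Constructed sample events: (timestamp, source_ip, user, event, outcome)
EVENTS = [
    ("2025-09-11T09:00:01", "203.0.113.7", "alice", "password", "fail"),
    ("2025-09-11T09:00:03", "203.0.113.7", "bob", "password", "fail"),
    ("2025-09-11T09:00:05", "203.0.113.7", "carol", "password", "fail"),
    ("2025-09-11T09:00:07", "203.0.113.7", "dave", "password", "fail"),
    ("2025-09-11T09:00:09", "203.0.113.7", "erin", "password", "success"),
    ("2025-09-11T09:05:00", "198.51.100.9", "frank", "password", "fail"),
    ("2025-09-11T09:05:40", "198.51.100.9", "frank", "password", "success"),
]
# Five denied pushes in under a minute, then an approval (prompt bombing).
EVENTS += [(f"2025-09-11T10:00:{s:02d}", "192.0.2.44", "grace", "mfa_push", "deny")
           for s in range(0, 50, 10)]
EVENTS.append(("2025-09-11T10:01:00", "192.0.2.44", "grace", "mfa_push", "approve"))


def detect(events):
    """Return (alert, source_ip, user) tuples in time order."""
    alerts = []
    failed = defaultdict(dict)   # source_ip -> {user: time of last failure}
    pushes = defaultdict(list)   # user -> times of denied MFA pushes
    for ts, ip, user, event, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        if event == "password":
            recent = {u for u, t in failed[ip].items() if now - t <= WINDOW}
            if outcome == "fail":
                failed[ip][user] = now
                # Alert once, when this failure brings the source to the threshold.
                if user not in recent and len(recent) + 1 == MANY_USERS:
                    alerts.append(("many_accounts_one_source", ip, user))
            elif len(recent - {user}) >= MANY_USERS:
                # A success right after failures on many *other* accounts.
                alerts.append(("login_after_spray", ip, user))
        elif event == "mfa_push" and outcome == "deny":
            pushes[user].append(now)
        elif event == "mfa_push" and outcome == "approve":
            if sum(now - t <= WINDOW for t in pushes[user]) >= MANY_PUSHES:
                alerts.append(("mfa_fatigue_approval", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single mistyped password followed by a success (the constructed "frank" events) raises nothing, because the rules key on many accounts per source rather than on individual failures.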

The past few years have been awash with real-world examples of password compromise leading to major security incidents. They include:

  • Change Healthcare: In one of the most significant cyberattacks of 2024, the ransomware group ALPHV (BlackCat) crippled Change Healthcare, a major U.S. healthcare technology provider. The gang leveraged a set of stolen credentials to remotely access a server that didn’t have multifactor authentication (MFA) turned on. They then escalated their privileges, moved laterally within the systems and deployed ransomware, which ultimately led to an unprecedented disruption of the healthcare system and the theft of sensitive data on tens of millions of Americans.
  • Snowflake: Financially motivated threat actor UNC5537 gained access to the Snowflake customer database instances of multiple clients. Hundreds of millions of downstream customers were impacted by this massive data theft extortion campaign. The threat actor is thought to have accessed their environments via credentials previously stolen via infostealer malware.

Keep your eyes peeled

All of which makes it more important than ever to protect your employees’ passwords, make logins more secure, and monitor the IT environment more closely for the tell-tale signs of a breach.

Much of this can be achieved by following a Zero Trust approach based around the tenet: never trust, always verify. It means adopting risk-based authentication at the “perimeter” and then at various stages within a segmented network. Users and devices should be assessed and scored based on their risk profile, which can be calculated from time and location of login, device type, and session behavior. To bolster your organization’s protection from unauthorized access and to ensure compliance with regulations, rock-solid multi-factor authentication (MFA) is also a non-negotiable line of defense.
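As an added illustration of the risk scoring described above (not code from the original article), the sketch below scores a login against a user's own history using time, location, device and session behavior. The field names, weights, thresholds and sample records are all assumptions constructed for the example.

```python
from datetime import datetime

# Assumed weights and thresholds, for illustration only.
WEIGHTS = {"new_country": 40, "new_device": 30, "odd_hour": 15, "session_moved": 60}
STEP_UP, DENY = 30, 80

# Constructed history of one user's past successful logins.
HISTORY = [
    {"time": "2025-09-08T08:55:00", "country": "GB", "device_id": "laptop-1"},
    {"time": "2025-09-09T09:10:00", "country": "GB", "device_id": "laptop-1"},
    {"time": "2025-09-10T17:30:00", "country": "GB", "device_id": "laptop-1"},
]


def build_baseline(history):
    """Summarise where, when and from which devices the user normally logs in."""
    return {
        "countries": {h["country"] for h in history},
        "devices": {h["device_id"] for h in history},
        "hours": {datetime.fromisoformat(h["time"]).hour for h in history},
    }


def score_login(baseline, login, session=None):
    """Return (score, decision, reasons) for a login or a session-cookie reuse."""
    reasons = []
    if login["country"] not in baseline["countries"]:
        reasons.append("new_country")
    if login["device_id"] not in baseline["devices"]:
        reasons.append("new_device")
    hour = datetime.fromisoformat(login["time"]).hour
    # Circular distance on a 24-hour clock; over 2 hours from every usual hour is odd.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in baseline["hours"]):
        reasons.append("odd_hour")
    # Session behaviour: a cookie issued to one device/country but presented
    # from another is a sign of a stolen session token.
    if session and (session["country"], session["device_id"]) != (
            login["country"], login["device_id"]):
        reasons.append("session_moved")
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "deny" if score >= DENY else "step_up_mfa" if score >= STEP_UP else "allow"
    return score, decision, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    stolen = {"time": "2025-09-11T03:00:00", "country": "NZ", "device_id": "unknown-7"}
    print(score_login(base, stolen, session=HISTORY[-1]))
```

A familiar device at a familiar hour is allowed silently, a new device alone triggers a step-up MFA challenge, and a session cookie replayed from an unseen device and country is denied outright.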

You should complement this approach with updated training and awareness programs for employees, including real-world simulations using the latest social engineering techniques. Strict policies and tools preventing users from visiting risky sites (where infostealers might lurk) are also important, as is security software on all servers, endpoints and other devices, and continuous monitoring tools to spot suspicious behavior. The latter will help you to detect adversaries that may be inside your network courtesy of a compromised credential. Indeed, organizations also need to have a way of reducing the damage a compromised account can do, for example by following the principle of least privilege. Finally, dark web monitoring can help you check if any enterprise credentials are up for sale on the cybercrime underground.

More broadly, consider enlisting the help of an expert third party via a managed detection and response (MDR) service, especially if your company is short on resources. In addition to lower total cost of ownership, a reputable MDR provider brings subject-matter expertise, round-the-clock monitoring and threat hunting, and access to analysts who understand the nuances of credential-based intrusions and can also accelerate incident response if compromised accounts are detected.
