Hacking: Exploiting Default of Guessable Credentials

Attackers exploited default or easily guessable credentials for about 29 percent of the breaches analyzed by the Verizon RISK team. Many vendors often ship devices, appliances and software with a default password assigned. While it is possible to change them, that is not always the case. Industrial control systems are an example of devices with default passwords that can’t be changed. Even if the password can be changed, many administrators don’t bother. With a little bit of searching, attackers can find the passwords online, and the gates are wide open.

The user is either tricked into downloading and installing malware on the system, or a malicious Website exploits a vulnerability in the software or operating system to download and install itself. Once the computer is infected, it acts as a backdoor, allowing the remote attacker access to the network or executing code. Even if the original vulnerability is patched, if the malware can still communicate with the remote server, the attackers can continue to operate. Backdoors were found in about 26 percent of the cases.

Found in about 24 percent of the cases, stealing log-in credentials remains popular with cyber-crooks. This method may have been used in tandem with malware, such as a keylogger. Once the criminal has access to the log-in information for email accounts or online banking, they have free rein to steal and loot. The number of dumped password lists after data breaches and the high incidence of password reuse by end users makes it is easier than ever to succeed with stolen credentials.

Slightly different from using malware to open a backdoor, this threat vector relies on the attacker somehow intercepting communications, using an unsecured port or other means to open up a backdoor themselves to transfer data or receive instructions. This method is the fourth most popular technique and is found in 23 percent of the cases.

Used in about 18 percent of the incidents analyzed by Verizon, attackers rely on data-capture malware, such as keyloggers, form-grabbers and other forms of spyware, to capture data directly from the user. The user is generally unaware that there is a tool monitoring everything they type on their system. Once that information has been captured, it is sent back to a remote server for future use.

Several data-stealing Trojans fall in this category, as their sole purpose is to find specific types of data, such as configuration files, documents, spreadsheets and source code, and just send it back to the remote control server. Verizon’s RISK team found that cyber-crooks used this method in about 17 percent of all the incidents last year.

System tools, such as Pstools and netcat, are popular with IT professionals because they simplify the task of managing several systems on a network. Cyber-criminals like them, too, and they were used in about 14 percent of Verizon’s caseload. Pstools is a utilities suite that allows a user on the network to send commands to other connected Windows machines. This is similar to how attackers use legitimate penetration tools, such as Metasploit, to find holes in applications and Websites.

It was a bit surprising that Verizon found only 13 percent of its cases involve SQL injection. The SANS Institute has identified SQL injection errors as one of the most common errors in software. Developers don’t properly handle inputs in the application and allow malicious perpetrators to submit SQL commands that are executed on the database.

Specific types of malware look for cookies and data stored in memory and cache that can be transferred to the remote attacker. There have been several cases of malware that are able to extract user names and passwords from memory. This occurred in 9 percent of the cases Verizon examined.

Sometimes, the malware that is downloaded to the user’s computer after clicking on a malicious link or opening up a suspicious attachment is just a dropper file. Once installed, its sole purpose is to download additional malware or update itself with new instructions. This appeared in 9 percent of Verizon’s caseload.