Credential Stolen

In recent weeks, the NCSC (National Cyber Security Center) has seen a huge increase in reports of suspicious entries in login data.

Hackers have been observed attempting to gain access to accounts by trying various combinations of usernames and passwords. This type of attack, in which stolen login data (“credentials”) are used, is called credential stuffing. The repeated entry of different passwords (“stuffing”) and the resulting failed login attempts often lock the account in question and can cause an interruption of a service.

Attackers obtain a list of stolen usernames and passwords. Such data can be purchased on the darknet or is freely accessible. By entering their e-mail address on the “haveibeenpwned.com” site, Internet users can check whether their credentials have been leaked. This is a really useful service that currently contains 11.8 billion pieces of stolen data. However, recently stolen data is often not yet listed there, because it is frequently offered for sale on the darknet immediately after the theft.

Hackers exploit all available sources to find out where the stolen credentials might work. They count on users reusing the same credentials for multiple applications. For example, if the same e-mail address appears on multiple social channels, is used for product reviews in online shops, or even belongs to a company account, then the password could be the same for all of these applications.

However, hackers also target the Internet-connected devices that protect corporate networks. Currently, for example, 1.3 million web consoles for remotely managing devices from router manufacturer Netgear are indexed by the search engine “shodan.io” and could thus be targeted by such attacks.

Brute force attacks are somewhat different but pursue the same goal: hackers select a particular account, e.g., “admin”, and try all possible password combinations against it.

Infrastructure protection:

  • block login pages so that they cannot be reached from the Internet;
  • make login pages for firewalls and network devices accessible only internally or from known IP addresses;
  • after a login error, block the attacker’s IP for a certain period of time or slow down further login attempts;
  • protect freely accessible Internet sites that have a login page with a technique called “captcha” or with MFA (Multi-Factor Authentication);
  • allow logins only during specific time frames.
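The two attack patterns described above and the “block or slow down after a login error” measure can be turned into simple detection logic. The following is an added example (not NCSC code); it assumes a constructed, simplified authentication log format and reports, per source IP, whether the failures look like credential stuffing (many usernames) or brute force (one account), together with a temporary block duration that grows on repeat offences.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the advisory): one source cycling
# through many usernames vs. one source hammering a single account.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T10:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T10:00:06 FAIL user=admin src=198.51.100.9
2024-05-01T10:00:07 FAIL user=admin src=198.51.100.9
2024-05-01T10:00:08 FAIL user=admin src=198.51.100.9
2024-05-01T10:00:09 FAIL user=admin src=198.51.100.9
2024-05-01T10:00:10 FAIL user=admin src=198.51.100.9
2024-05-01T10:00:11 FAIL user=frank src=192.0.2.44
2024-05-01T10:01:30 OK   user=frank src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def classify(log_text, window=timedelta(minutes=5), threshold=5):
    """Map src IP -> (verdict, failed logins in window, distinct usernames).
    Many distinct usernames from one source = credential stuffing;
    the same count against one account = brute force; else None."""
    fails = defaultdict(list)  # src -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "FAIL":
            continue  # only failed attempts feed the counters
        fails[m.group(4)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    result = {}
    for src, events in fails.items():
        events.sort()
        latest = events[-1][0]
        recent = [u for ts, u in events if latest - ts <= window]
        users = len(set(recent))
        verdict = None
        if len(recent) >= threshold:
            verdict = "stuffing" if users >= threshold else "brute_force" if users == 1 else "mixed"
        result[src] = (verdict, len(recent), users)
    return result

def block_duration(prior_blocks, base=timedelta(minutes=15), cap=timedelta(hours=24)):
    """Temporary source block with exponential backoff: 15, 30, 60 min ... capped at 24 h."""
    return min(base * (2 ** prior_blocks), cap)
```

A single failed login from a source (as for 192.0.2.44 in the sample) stays unclassified, so ordinary typos do not trigger a block.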