Full Report
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester). Stolen credentials on criminal forums cost as
Analysis Summary
# Incident Report: Widespread Credential Theft Leading to Major Account Takeovers
## Executive Summary
The current threat landscape shows that stolen credentials are the primary initial access vector for modern breaches, including the intrusions at Snowflake customers, Microsoft, and Disney. These attacks succeed because MFA coverage has large gaps, infostealer malware harvests credentials at scale, and organizations increasingly rely on cloud services that sit outside the reach of the corporate identity provider. Combating this requires finding every account that lacks MFA and enforcing it everywhere, especially across third-party applications.
## Incident Details
- **Discovery Date:** Ongoing throughout 2024 (based on reporting context).
- **Incident Date:** Various incidents occurred throughout 2024 (e.g., targeting Snowflake customers).
- **Affected Organization:** Numerous major organizations are cited, including Snowflake, Change Healthcare, Disney, Microsoft, Finastra, Nidec, and others.
- **Sector:** Multi-sector, including cloud data warehousing, healthcare, entertainment, and technology.
- **Geography:** Global (as major targets are large enterprises).
## Timeline of Events
### Initial Access
- **Date/Time:** Varies per organization; attacks leveraging credentials dating back to 2020 were observed in 2024 breaches (Snowflake).
- **Vector:** Compromised credentials, often harvested via infostealer malware infections.
- **Details:** Stolen credentials sell on criminal forums for as little as $10. Credentials harvested this way, for accounts without MFA, were used to compromise approximately 165 Snowflake customer environments.
### Lateral Movement
- **Details:** Not explicitly detailed, but success relied on the lack of Multi-Factor Authentication (MFA) protection on the stolen credentials, allowing attackers to seamlessly log in and operate within the targeted environments (e.g., accessing data warehouses, internal servers, and cloud app tenants).
### Data Exfiltration/Impact
- **Details:** Massive data exposure across multiple victims. Examples include:
- **Snowflake:** Sensitive data impacting hundreds of millions of people across 9 publicly named victims.
- **Change Healthcare:** Data of approximately 100 million individuals exposed; the company reportedly paid a $22 million ransom.
- **Disney:** Data leakage from Confluence servers and Slack instance (including messages from 10,000 channels).
- **Microsoft:** Sensitive emails leaked from the Office 365 environment via a compromised OAuth application.
### Detection & Response
- **Detection:** Detection methods varied. In some cases, victims were publicly named, indicating external discovery or disclosure. In the Microsoft case, exploitation of a "test" OAuth application was noted.
- **Response Actions:** At least one victim (Change Healthcare) paid a ransom, reported at $22 million. Response for the others followed the standard containment and remediation path after credential misuse (credential resets and session revocation).
## Attack Methodology
- **Initial Access:** Stolen credentials harvested primarily via infostealer malware affecting end-user devices.
- **Persistence:** Not detailed; presumably maintained by re-authenticating with the valid stolen credentials, and potentially through compromised third-party applications or OAuth tokens.
- **Privilege Escalation:** Not explicitly detailed, but implied through the use of credentials that provided access to high-value targets (e.g., data warehouse administration or corporate collaboration tools).
- **Defense Evasion:** No MFA bypass was required: many targeted accounts had no MFA at all, so a valid password alone let the attacker log in as the legitimate user without triggering a challenge.
- **Credential Access:** Infostealer malware was the primary method for credential harvesting.
- **Discovery:** Attackers identified valuable targets (e.g., MFA-less accounts on third-party apps like Snowflake).
- **Lateral Movement:** Logged in directly to multiple cloud services using the valid stolen credentials.
- **Collection:** Gathering sensitive customer data (Snowflake), commercially sensitive data, IT infrastructure details (Disney), and organizational emails (Microsoft).
- **Exfiltration:** Not explicitly detailed, but data was successfully extracted from affected platforms.
- **Impact:** Extortion (ransom paid to Change Healthcare) and large-scale data exposure.
## Impact Assessment
- **Financial:** At least $22 million ransom paid (Change Healthcare); ongoing costs associated with remediation and potential regulatory fines across all affected entities.
- **Data Breach:** Hundreds of millions of individuals impacted across multiple major breaches. Affected data included sensitive customer information, commercially sensitive documents, IT configuration details, and internal communications.
- **Operational:** Significant operational disruption cited, particularly in the healthcare sector (Change Healthcare breach).
- **Reputational:** Significant negative press globally for all named victims due to the scale of the data compromises.
## Indicators of Compromise
(Note: As the article focuses on the *method* rather than a single incident's artifacts, specific IOCs are not listed. The primary indicators are behavioral.)
- **Network indicators:** Successful logins from external or previously unseen IPs using valid user credentials.
- **File indicators:** Presence of infostealer malware payloads on endpoints.
- **Behavioral indicators:** Successful authentication to a cloud service by an account that has been dormant for a long period, password-only logins from addresses or devices the user has not used before, or unexpected data export patterns (bulk queries, large downloads).
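A detection pass that flags these behavioural indicators over login history, as an added example (not from the article or any vendor). The record shape is an assumption modelled loosely on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP); the sample events and the dormancy/known-IP thresholds are constructed. The same pass also yields the list of users whose successful logins are password-only, which is the MFA gap inventory the recommendations below ask for.

```python
"""Hunting for credential-misuse indicators in SaaS login history.

Added example, not from the article or any vendor. The record shape is an
assumption modelled loosely on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY columns
(USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR,
SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP); any login log
with equivalent fields works the same way. Events and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90                      # assumption: a gap this long before a successful login is suspicious
KNOWN_IP_WINDOW = timedelta(days=30)   # assumption: IPs used successfully in the last 30 days are "known"

# Constructed sample. svc_etl is a service account with a local password that went
# quiet in late 2023 and reappears from a new address; alice uses password + Duo;
# bob normally arrives via SSO, then a password-only login succeeds from outside.
EVENTS = [
    # (user, client_ip, first_factor, second_factor, success, timestamp)
    ("svc_etl", "10.0.0.12",     "PASSWORD",        None,  True,  "2023-11-20T08:00:00"),
    ("svc_etl", "10.0.0.12",     "PASSWORD",        None,  True,  "2023-12-15T08:00:00"),
    ("svc_etl", "185.220.101.7", "PASSWORD",        None,  True,  "2024-05-20T03:14:00"),
    ("alice",   "10.0.0.40",     "PASSWORD",        "DUO", True,  "2024-05-18T09:00:00"),
    ("alice",   "10.0.0.40",     "PASSWORD",        "DUO", True,  "2024-05-19T09:05:00"),
    ("alice",   "10.0.0.40",     "PASSWORD",        "DUO", True,  "2024-05-20T09:01:00"),
    ("bob",     "10.0.0.55",     "SAML2_ASSERTION", None,  True,  "2024-05-20T10:00:00"),
    ("bob",     "203.0.113.9",   "PASSWORD",        None,  False, "2024-05-20T11:00:00"),
    ("bob",     "203.0.113.9",   "PASSWORD",        None,  True,  "2024-05-20T11:01:00"),
]


def parse(events):
    """Turn the raw tuples into dicts and order them by time, as a SIEM query would."""
    rows = [{"user": u, "ip": ip, "f1": f1, "f2": f2, "ok": ok, "ts": datetime.fromisoformat(ts)}
            for u, ip, f1, f2, ok, ts in events]
    return sorted(rows, key=lambda r: r["ts"])


def analyze(events):
    """Return the behavioural findings plus the sorted list of users whose
    successful logins are password-only (the MFA gap list)."""
    history = defaultdict(list)     # user -> [(ts, ip)] of earlier successful logins
    findings, mfa_gaps = [], set()
    for r in parse(events):
        if not r["ok"]:
            continue                # failures feed spray/brute-force logic, not these indicators
        prior = history[r["user"]]
        stamp = r["ts"].isoformat()
        # 1. a long-dormant account suddenly authenticates successfully
        if prior and r["ts"] - prior[-1][0] > timedelta(days=DORMANT_DAYS):
            findings.append((r["user"], "dormant_account_login", stamp))
        # 2. a password-only login: no second factor was challenged at all
        if r["f1"] == "PASSWORD" and r["f2"] is None:
            mfa_gaps.add(r["user"])
            known_ips = {ip for ts, ip in prior if r["ts"] - ts <= KNOWN_IP_WINDOW}
            # 3. ...from an address this user has not used recently
            if prior and r["ip"] not in known_ips:
                findings.append((r["user"], "new_ip_password_login", stamp))
        prior.append((r["ts"], r["ip"]))
    return {"findings": findings, "mfa_gaps": sorted(mfa_gaps)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for user, kind, when in result["findings"]:
        print(f"{when} {user}: {kind}")
    print("password-only users to enroll in MFA:", ", ".join(result["mfa_gaps"]))
```

Bob's case is the one worth staring at: he normally arrives through SSO, so a successful password-only login from a new address means a local password still exists on the third-party app and was used to walk around the identity provider entirely. Bulk export, the remaining indicator in the list, does not appear in login history at all; on Snowflake it lives in QUERY_HISTORY and needs a separate pass over query events.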
## Response Actions
The article focuses more on preventative actions than historical response steps, but general actions implied include:
- **Containment measures:** Resetting passwords for compromised accounts and disabling access tokens/sessions immediately upon detection of misuse.
- **Eradication steps:** Removing infostealer malware from affected endpoints.
- **Recovery actions:** Restoring business functionality and notifying affected parties as required by regulations.
## Lessons Learned
- Stolen credentials remain the **#1 attacker action** and the vector for 80% of web application attacks, despite increased security spending.
- MFA coverage is far from ubiquitous: **4 out of 5 password-protected accounts have no MFA.**
- The proliferation of third-party and cloud applications increases the available attack surface and the value of harvested credentials residing in these silos.
- Large, well-funded organizations are still frequently falling victim, demonstrating systemic weakness in achieving pervasive MFA and credential hygiene.
## Recommendations
- **Enforce MFA Universally:** Prioritize rolling out phishing-resistant MFA across all critical assets and widely used third-party applications, not just the accounts behind the corporate identity provider.
- **Identify MFA Gaps:** Use tooling that audits MFA registration status on unmanaged and third-party applications, by querying each application's admin API or inspecting users' live sessions, since these apps are often invisible to the identity provider.
- **Credential Hygiene Monitoring:** Check whether the passwords actually in use on users' accounts appear in known breach or infostealer dumps, and force a reset and MFA enrollment when they do, before an attacker tries them.
- **Zero Trust Principles:** Treat network location as no proof of identity; require MFA at every access point, including third-party applications that can be reached directly with a local password rather than through the corporate identity provider.
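One way to do the stolen-credential check without handing the password, or its full hash, to whoever holds the breach corpus, as an added example (not from the article or any vendor's product): a k-anonymity range query, the scheme popularised by Have I Been Pwned's Pwned Passwords service. The client sends only the first 5 hex characters of the SHA-1 of the password, receives every known suffix under that prefix, and compares locally. The corpus and account list here are constructed, and the in-process `RangeService` class stands in (assumption) for an HTTPS endpoint such as https://api.pwnedpasswords.com/range/{prefix}.

```python
"""Checking passwords against a stolen-credential corpus via k-anonymity range queries.

Added example, not from the article or any vendor. RangeService is an in-process
stand-in (assumption) for an HTTPS breach-corpus endpoint; the corpus and the
account list below are constructed.
"""
import hashlib
from collections import defaultdict

PAD_TO = 8   # assumption: minimum rows per response; the real service pads to a far larger, varying size


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Corpus side of the protocol. It only ever sees a 5-character hash prefix,
    so it cannot tell which of the passwords under that prefix the client holds."""

    def __init__(self, breached_passwords):
        self.buckets = defaultdict(lambda: defaultdict(int))   # prefix -> suffix -> count
        for pw in breached_passwords:
            h = sha1_hex(pw)
            self.buckets[h[:5]][h[5:]] += 1
        self.queries = []   # everything the service learns about clients: prefixes only

    def range(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for the prefix. Rows with count 0 are padding
        (the real service's convention) so response size does not reveal how many
        genuine hashes share the prefix."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        self.queries.append(prefix)
        lines = dict(self.buckets.get(prefix, {}))
        i = 0
        while len(lines) < PAD_TO:
            # deterministic fake suffix; skip the vanishingly unlikely collision with a real one
            fake = hashlib.sha1(f"pad:{prefix}:{i}".encode()).hexdigest().upper()[5:]
            i += 1
            if fake not in lines:
                lines[fake] = 0
        return "\n".join(f"{sfx}:{n}" for sfx, n in sorted(lines.items()))


def check_password(service: RangeService, password: str) -> int:
    """Client side: send only the prefix, compare the full suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in service.range(prefix).splitlines():
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)   # padding rows carry 0, so they never count as a hit
    return 0


def audit_accounts(service: RangeService, accounts):
    """Run the check for each (user, password) pair and return the users whose
    password is in the corpus, with its exposure count."""
    return [(user, n) for user, pw in accounts if (n := check_password(service, pw)) > 0]


# Constructed corpus standing in for infostealer dumps and breach lists
BREACHED = ["password", "123456", "password", "Summer2024!", "qwerty", "letmein"]
SERVICE = RangeService(BREACHED)

# Constructed inventory. In practice the plaintext is only available at
# registration or password-change time, or from a browser-side credential monitor.
ACCOUNTS = [
    ("alice", "correct-horse-battery-staple-7f3a"),
    ("svc_etl", "Summer2024!"),
    ("bob", "password"),
]

if __name__ == "__main__":
    for user, n in audit_accounts(SERVICE, ACCOUNTS):
        print(f"{user}: password seen {n} times in the corpus; force reset and enroll MFA")
```

The natural place to run `check_password` is the password-set path (NIST SP 800-63B requires comparing new passwords against known-compromised lists), because that is when the plaintext is legitimately in hand; continuous monitoring of already-set passwords needs a client that observes the credential at login time, which is what browser-side monitoring products do.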