Countering APT credential use with passwordless authenticationFred O'Connor | July 22, 2019
Stolen credentials played a critical role in a recently disclosed cyberespionage campaign that targeted 10 mobile carriers around the world, showing that leveraging usernames and passwords remains a key tactic for threat actors and demonstrating why companies are looking into passwordless authentication.
In that attack, a cyberespionage group connected to China first exploited a vulnerability in an Internet-connected Web server to gain a foothold in the victims’ network, according to security company Cybereason, which discovered the campaign. Next, the threat actors collected usernames and passwords (a process known as credential dumping) from the compromised machine using a customized version of Mimikatz, the popular credential dumping tool.
They repeated this pattern — infiltrate servers via the vulnerability, dump credentials — and moved laterally through the network to compromise important assets like database and production servers and the Domain Controller, which gave the attackers full control of the victim’s network.
Leveraging passwords key APT10 technique
Cybereason said many of the techniques used in the campaign are associated with APT10, a group of attackers that’s affiliated with China. Using stolen credentials is a common APT10 tactic, judging by another attack that was attributed to the group.
In that campaign, APT10 used stolen usernames and passwords to access the networks of an apparel company, a law firm, and Visma, a Norwegian IT and business cloud service provider. The credentials were likely acquired in separate attacks targeting managed service providers, according to research from security companies Recorded Future and Rapid7.
Once inside the network, the attackers used Mimikatz to dump credentials and access additional machines, including Visma’s Microsoft’s Active Directory domain control. Once inside, they copied a file with Active Directory data for the company’s network, including passwords hashes for every user in the domain.
Gathering usernames and passwords was critical step in achieving the attack’s objective: obtaining intellectual property. Each credential allowed them to access a machine that could contain the information they were after.
Enterprises look to passwordless authentication
To mitigate the security issues associated with passwords, like threat actors using them to infiltrate targets, companies are considering adopting passwordless authentication for employees. This authentication method is already popular in the consumer space: think of how many people use a biometric like their fingerprint or face to unlock a smartphone or access a mobile banking app.
Microsoft plans to stop using passwords for employee authentication this year. Instead, they’ll use biometrics, said Sian John, Microsoft’s chief security adviser EMEA. He added that Microsoft expects other companies to stop using passwords for employee authentication within six years. Workers, accustomed to using passwordless authentication to with their smartphones, are ready to use it at work, according to a survey Veridium conducted. Out of 1,000 adults polled, 70 percent said that they wanted to use biometric authentication in the office.
Curious about going passwordless? Here’s what to consider
As enterprises start looking into passwordless authentication using biometrics, here’s what they should keep in mind:
- Find a passwordless authentication solution that offers a unified, frictionless authentication experience. Organizations should look for a platform that unifies passwordless authentication across devices. For example, employees should be able to use their smartphone’s biometric sensor to unlock a work desktop.
- Consider how will the biometric template be stored. Using a distributed data model minimizes the risk of a template being exposed in a data breach. In this model, an encrypted template is broken into pieces and stored on a person’s smartphone and a company’s server. Attackers would need to access both the smartphone and the server to complete the biometric template.
- Look for passwordless authentication solutions that are mobile first. Smartphones play indispensable roles in people’s lives and that’s why we always have them on us. Given how ingrained smartphones have become in people’s personal lives, they expect these devices to play an equally large part in their professional lives, particularly around offering a better authentication experience at work.