The criminal underworld infiltrated 22 million unique devices and exposed 721.5 million credentials in 2022 alone, as a new study raises the alarm on increasingly tactical malware practices.
While public data breaches rightfully remain at the forefront of public safety consciousness, it is actually the newly observed spike in malware infections designed to exfiltrate data directly from devices and browsers that is a key contributor to continued user exposure, according to the 2023 Identity Exposure report published by SpyCloud.
The annual report examines trends relating to how exposed data puts organisations and consumers at risk of cybercrime.
Of the aforementioned 721.5 million exposed credentials, the report documents how roughly half derived from botnets, tools commonly used to deploy highly accurate information-stealing malware.
The prevalence of botnets in this instance is significant, as they enable cybercriminals to work at scale and make off with valid credentials, cookies, auto-fill data and other valuable information to use in targeted attacks or sell on the darknet.
Examining the true extent of this threat, Trevor Hilligoss, SpyCloud’s director of security research, views the increasing appearance of botnets as “a dangerous trend” because the attacks “open the door for bad actors, like initial access brokers, who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals.”
“Infostealers are easy, cheap and scalable, creating a thriving underground economy with an ‘anything-as-a-service’ model to enable cybercrime,” adds Hilligoss. “This broker-operator partnership is a lucrative business with a relatively low cost of entry.”
The report recognises how cybercriminals are pushing further than ever before to infiltrate businesses and take advantage of third-party exposure, including exploiting the economic downturn through the advent of hybrid workforces, terminated employee accounts and businesses’ increasing reliance on outsourcing.
When employees access corporate networks using unmanaged or under-managed devices infected with malware, it opens the door for threat actors to access critical business applications, including single sign-on platforms and virtual private networks.
Organisations will face an ongoing threat from third-party business apps if they fail to keep their credentials active or remediate them properly, even after the device has been cleared of malware.
Hilligoss emphasises how organisations are “overlooking the mounting threat of sophisticated malware-based attacks and the protracted business impact of infected devices.”
He recommends that business leaders adopt a new approach that disrupts the flow of stolen authentication data and mitigates the ongoing threat of exposure.
“Collectively, we need to start thinking about protecting digital identities using a post-infection remediation approach, rather than solely focusing on cleaning individual infected devices,” Hilligoss recommends.
This approach allows security teams to augment their traditional cyber incident response playbooks with additional steps that fully negate opportunities for ransomware and other cyberattacks, by resetting the application credentials and invalidating the session cookies siphoned by infostealer malware.
“Taking action on exposed employee data before it can be used by criminals is paramount to preventing account takeover, fraud, ransomware and other forms of cybercrime,” Hilligoss concludes.
Session hijacking enabled by stolen cookies is growing in prevalence.
SpyCloud researchers recaptured nearly 22 billion device and session cookies in 2022. These records give criminals access to sensitive information by allowing them to bypass MFA and hijack an active session, essentially turning bad actors into employee clones.
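The post-infection remediation described above (reset the application credentials, invalidate the session cookies the infostealer siphoned) is easy to get wrong if a server only checks that a cookie is well-formed. The following is an added illustration, not code from SpyCloud or from the report: a constructed in-memory session store in which every user carries a "sessions revoked at" timestamp, so a cookie captured from an infected device is rejected once the account is remediated even though the cookie was valid when it was stolen, and the forced password reset refuses to re-accept the compromised password. All names, the cookie format and the timestamps are assumptions made for the example.

```python
"""Post-infection remediation for an account whose device was found to be
infected by an infostealer: invalidate every session issued before the
remediation instant and require a credential reset that rejects reuse of the
compromised password. Constructed example; the session store, user records
and cookie handling are illustrative and are not SpyCloud's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import hashlib
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Any session issued strictly before this timestamp is rejected, even if
    # the cookie itself still sits in a malware log somewhere.
    sessions_revoked_at: float = 0.0
    must_reset_password: bool = False


@dataclass
class SessionStore:
    users: Dict[str, User] = field(default_factory=dict)
    # session token -> (username, issued_at)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def issue_session(self, username: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, time.time() if now is None else now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the username for a usable session, or None if it must be refused."""
        record = self.sessions.get(token)
        if record is None:
            return None
        username, issued_at = record
        user = self.users[username]
        if issued_at < user.sessions_revoked_at:
            return None  # stolen cookie replayed after remediation
        if user.must_reset_password:
            return None  # nothing but the reset flow proceeds until credentials change
        return username

    def remediate_exposed_user(self, username: str, now: Optional[float] = None) -> int:
        """Revoke all sessions and flag a forced reset; returns sessions invalidated."""
        now = time.time() if now is None else now
        user = self.users[username]
        user.sessions_revoked_at = now
        user.must_reset_password = True
        return sum(1 for u, issued in self.sessions.values()
                   if u == username and issued < now)

    def reset_password(self, username: str, new_password: str) -> bool:
        """Complete remediation; refuse to re-accept the compromised password."""
        user = self.users[username]
        if _hash_password(new_password, user.salt) == user.password_hash:
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.must_reset_password = False
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "Winter2022!")            # constructed account
    stolen = store.issue_session("alice", now=100.0)  # cookie later found in a malware log
    print("before remediation:", store.validate(stolen))
    print("sessions invalidated:", store.remediate_exposed_user("alice", now=200.0))
    print("replayed stolen cookie:", store.validate(stolen))
    print("reuse of old password accepted:", store.reset_password("alice", "Winter2022!"))
```

Keeping the revocation timestamp on the user record, rather than only deleting rows from the session table, is what makes the check hold across every node or cache that might still honour the old cookie; the forced reset is what closes the credential half of the exposure.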
Users’ personally identifiable information (PII) is just as tempting as ever.
SpyCloud researchers uncovered 8.6 billion PII assets in 2022, including 1.4 billion full names, 332 million national IDs/full social security numbers and 67 million credit card numbers.
Password hygiene remains poor despite increased cybersecurity training focus.
Seventy-two per cent of users exposed in 2022 breaches were still reusing previously compromised passwords.
Passwords tied to pop culture trends also remain popular, with SpyCloud recovering over 327,000 passwords related to artists, over 261,000 related to streaming services and over 167,000 related to Queen Elizabeth’s death and the British royal family.
The government sector is at a higher risk from malware-infected devices than enterprises.
SpyCloud uncovered 695 breaches containing .gov emails in 2022, a nearly 14 per cent increase from 2021.
Password reuse rates among government employees remain high – 61 per cent for users with more than one password exposed in the last year. The three most common exposed plaintext passwords associated with government emails are 123456, 12345678, and password.
Malware exfiltrated 74 per cent of exposed government credentials globally in 2022, compared to 48.5 per cent across the board.