Louise Ferrett, Threat Intelligence Analyst at Searchlight Security

One of the most common dark web clues of an imminent cyberattack is leaked company credentials that have either been published or are for sale on marketplaces, forums, and paste bins. 

Yet, in spite of credentials being the most common vector for breaching an organization (according to the Verizon Data Breach Investigations Report 2022), companies sometimes question whether leaked credentials on the dark web are a threat at all because they have already implemented multi-factor authentication (MFA). Isn’t MFA enough to render the emails and passwords leaked on the dark web redundant?

The short answer is, no.

While MFA is a vital staple of any security strategy, and will help prevent many of the most common attacks using compromised credentials, it is not a cure-all. No security technology is. While opportunist hackers may be foiled by MFA and move on to lower-hanging fruit, if a criminal is really determined to get into your network, they will find a way to bypass MFA.

We have outlined just some examples of how criminals have done this recently to demonstrate why it is so important to be aware of, and take action on, corporate credentials that have been leaked on the dark web.

MFA Bypass Tools

Criminals looking to gain initial access into an organization often start on dark web marketplaces. Here they can not only purchase credentials for specific organizations, but also guides on how to bypass MFA, and tools that help them do so. Some of the most popular MFA bypass tools available (such as Modlishka and Evilginx) use reverse proxy attacks.

A reverse proxy is a server that sits between the user and a legitimate website, recording all traffic and interactions, meaning that any passwords a user enters are automatically logged. The reverse proxy can also prompt the user for MFA tokens and collect them in real time, rendering this additional layer of security useless.

MFA Fatigue

An even simpler bypass technique is “MFA prompt bombing”, where threat groups will use the credentials they have access to in order to push authentication notifications to an employee repeatedly, until they eventually accept out of frustration or confusion. Also known as “push notification spamming”, researchers observed this tactic being used to bypass MFA for Microsoft Office 365 users earlier this year.

While this might not appear to be the most sophisticated way to bypass MFA, it has proven extremely effective. Groups such as LAPSUS$ and Cozy Bear have both been observed using this technique in order to bypass MFA and execute their attacks.
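Prompt bombing leaves a recognizable trace in authentication logs: a burst of denied or ignored push prompts for one user, ending in an approval. The following detection sketch is an added example, not part of the original article or any Searchlight tooling; the event fields, the 10-minute window and the threshold of three prompts are assumptions to tune against your own identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (user, ISO timestamp, push result); not real log data.
SAMPLE_EVENTS = [
    ("alice", "2022-08-01T09:00:00", "approved"),  # normal single prompt
    ("bob",   "2022-08-01T02:10:00", "denied"),
    ("bob",   "2022-08-01T02:11:00", "denied"),
    ("bob",   "2022-08-01T02:12:30", "timeout"),
    ("bob",   "2022-08-01T02:13:10", "denied"),
    ("bob",   "2022-08-01T02:14:00", "approved"),  # gives in after repeated prompts
    ("carol", "2022-08-01T11:00:00", "denied"),
    ("carol", "2022-08-01T15:00:00", "approved"),  # hours apart, not a burst
]

def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Alert when a user approves a push after `threshold` or more
    unapproved prompts inside the sliding time window."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        while queue and now - queue[0] > window:
            queue.popleft()  # forget prompts that fell out of the window
        if result == "approved":
            if len(queue) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "prior_prompts": len(queue)})
            queue.clear()
        else:
            queue.append(now)
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An alert here is a reason to revoke the user's sessions and reset the password, since the burst only happens when the attacker already holds valid credentials.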

Stolen Cookies

A relatively new tactic that threat actors have been using to bypass MFA is to steal browser cookies for current or recent web sessions. Browser cookies store the authenticated session so the user doesn’t have to go through the hassle of logging in again, and an attacker who holds a stolen cookie can use that session without facing the user’s MFA. Cookie sessions are also bought and sold on the dark web and, according to Sophos researchers, there is a broad spectrum of criminals using this technique, “ranging from entry-level criminals to advanced adversaries”. In July, Microsoft reported that an Attacker in the Middle (AiTM) attack utilizing stolen cookies had been used to target more than 10,000 organizations since September 2021.
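Because a stolen cookie is presented from the attacker's machine rather than the one that completed MFA, session logs can expose the reuse. The check below is an added example, not from the original article; the log fields, the /24 IPv4 tolerance for ordinary address changes, and the sample entries (documentation address ranges) are assumptions.

```python
import ipaddress

# Constructed web-session log: (session_id, event, client_ip, user_agent)
SAMPLE_LOG = [
    ("s1", "mfa_login", "198.51.100.10", "Firefox/103 Windows"),
    ("s1", "request",   "198.51.100.10", "Firefox/103 Windows"),
    ("s1", "request",   "198.51.100.77", "Firefox/103 Windows"),   # same /24, same browser
    ("s2", "mfa_login", "203.0.113.5",   "Chrome/104 macOS"),
    ("s2", "request",   "203.0.113.5",   "Chrome/104 macOS"),
    ("s2", "request",   "192.0.2.200",   "python-requests/2.28"),  # cookie presented elsewhere
    ("s3", "request",   "192.0.2.9",     "Chrome/104 Linux"),      # no login on record
]

def same_network(ip_a, ip_b, prefix=24):
    """True if ip_b falls inside the /prefix network that contains ip_a."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def find_session_reuse(log):
    """Compare each request with the client that completed MFA for that session."""
    origin = {}  # session_id -> (ip, user_agent) recorded at MFA login
    alerts = []
    for sid, event, ip, ua in log:
        if event == "mfa_login":
            origin[sid] = (ip, ua)
            continue
        if sid not in origin:
            alerts.append((sid, "token used without a recorded login"))
            continue
        login_ip, login_ua = origin[sid]
        # Require both signals to change, to limit noise from roaming users.
        if ua != login_ua and not same_network(login_ip, ip):
            alerts.append((sid, "new network and new user agent"))
    return alerts

if __name__ == "__main__":
    for sid, reason in find_session_reuse(SAMPLE_LOG):
        print(sid, reason)
```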

Dormant, Inactive or Unknown Accounts

Finally, it is worth remembering that MFA can only protect accounts where it has been enabled. Large enterprises may have hundreds of users, as well as suppliers, subsidiaries, contractors, VPN accounts, historic employees, etc., making it very easy to lose track of authentication. Forgotten accounts create an opportunity for cybercriminals looking for an entry point into an organization.

For example, we recently published a report that used dark web intelligence to examine the chain of events that led up to a ransomware attack on a UK University in 2021. Twelve months before the attack, 3,100 email address and password pairs belonging to the University appeared on leak sites. This was followed by an influx of dark web traffic to University IP addresses associated with VPNs, as cybercriminals tested the leaked credentials to see if they could establish a connection. Unfortunately for the University, in this case they succeeded. (To get the full analysis of the attack, download the report for free here).

Furthermore, where MFA hasn’t been enabled, there is actually a risk that cybercriminals with access to company credentials could use MFA against the organization. In this attack technique, threat actors use the logins they have bought on the dark web to sign up to MFA, effectively locking the organization and the legitimate employee out of the account. In May, CISA and the FBI issued a joint advisory warning organizations that Russian hackers had gained access to an NGO by exploiting MFA protocols in this way.

Supplementing MFA with Dark Web Intelligence

Visibility into dark web forums and marketplaces shows us that credentials are highly sought after by criminals on the dark web, with access to some organizations being sold in auctions for as much as $40K (see below).

These compromised credentials then go on to play a role in attacks against some of the largest organizations. Earlier this month, for example, Cisco confirmed that it had been attacked by the Yanluowang ransomware group through an employee’s compromised Google account, which they used to gain access to a Cisco VPN. The Google account had MFA enabled but the attackers bypassed it through a combination of voice-phishing and MFA prompt bombing.

This demonstrates exactly why credentials on the dark web are not something that organizations can ignore.

MFA is absolutely part of the answer to cybercriminals using leaked credentials but organizations should not be complacent that it is going to stop all attacks. It is a truism in cybersecurity that as quickly as a barrier is put up, threat actors are innovating to find a way around it. Gaining visibility of cybercriminals is one major way that organizations can make sure that they are keeping ahead of them.

Organizations should use dark web intelligence to:

- Monitor for company credentials that have been leaked online - to establish the threat of cybercriminals gaining access through compromised accounts;

- Inform their authentication security - updating passwords, rolling out MFA, and monitoring the accounts that have been compromised in dark web marketplaces and forums;

- Extend monitoring to credentials that belong to subsidiaries, partners, or suppliers - to ensure the organization isn’t compromised through a third party’s access;

- Investigate cybercriminal chatter about their organization in marketplaces and forums - which could indicate that cybercriminals are in the reconnaissance phase of attack and looking for an initial access point into their organization.
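To turn a list of leaked addresses into action, it helps to rank them against the account inventory so that accounts without MFA, dormant accounts and unknown accounts surface first. The triage below is an added example, not Searchlight's product or method; the directory fields, the 90-day dormancy cut-off, the scoring weights and all sample records are assumptions.

```python
from datetime import date

TODAY = date(2022, 9, 1)  # constructed "as of" date for the sample data

# Constructed directory export; field names are assumptions for this example.
ACCOUNTS = [
    {"email": "j.smith@example.org", "mfa": True, "last_login": date(2022, 8, 20), "type": "employee"},
    {"email": "vpn-legacy@example.org", "mfa": False, "last_login": date(2021, 3, 2), "type": "service"},
    {"email": "k.jones@example.org", "mfa": False, "last_login": date(2022, 8, 18), "type": "employee"},
    {"email": "ops@supplier.example", "mfa": True, "last_login": date(2022, 1, 5), "type": "supplier"},
]
# Constructed leak-monitoring output (addresses only; case and spacing vary in real dumps).
LEAKED = ["J.Smith@example.org", "vpn-legacy@example.org ", "k.jones@example.org",
          "ops@supplier.example", "unknown@example.org"]

def triage(leaked, accounts, today=TODAY, dormant_days=90):
    """Return (email, score, actions) tuples, highest priority first."""
    by_email = {a["email"].lower(): a for a in accounts}
    findings = []
    for raw in leaked:
        email = raw.strip().lower()
        acct = by_email.get(email)
        if acct is None:
            findings.append((email, 3, ["not in directory: trace the owner"]))
            continue
        score, actions = 1, ["reset password"]
        if not acct["mfa"]:
            score += 3
            actions.append("no MFA: enrol before someone else does")
        if (today - acct["last_login"]).days > dormant_days:
            score += 2
            actions.append("dormant: disable or review")
        if acct["type"] != "employee":
            score += 1
            actions.append(f"{acct['type']} account: confirm third-party owner")
        findings.append((email, score, actions))
    return sorted(findings, key=lambda f: -f[1])  # stable sort keeps input order on ties

if __name__ == "__main__":
    for email, score, actions in triage(LEAKED, ACCOUNTS):
        print(score, email, "; ".join(actions))
```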

To find out more about how dark web intelligence can shine a light on threat groups while they are still in the planning stages of attack, download our report Using the Dark Web for Pre-Attack Intelligence.