SpyCloud released its 2023 SpyCloud Identity Exposure Report, an annual
report examining how exposed data puts organizations and consumers at
risk of cybercrime. In 2022, SpyCloud researchers recaptured 721.5
million exposed credentials from the criminal underground, along with
nearly 22 billion device and session cookie records; a valid session
cookie lets an attacker hijack an authenticated session without ever
being challenged for MFA.
While massive public data breaches rightfully raise alarms, the spike in
malware designed to exfiltrate data directly from devices and browsers
is a key contributor to continued user exposure. The 2023 report
identified over 22 million unique devices infected by malware last year.
Of the 721.5 million exposed credentials recovered by SpyCloud, roughly
half came from botnet logs, the output of information-stealing malware
deployed at scale. Because an infostealer copies what the victim's
browser and device already hold, the data it returns is current and
valid: working credentials, session cookies, browser auto-fill data and
other high-value information that criminals use in targeted attacks or
sell on the darknet.
"The pervasive use of infostealers is a dangerous trend because these
attacks open the door for bad actors like Initial Access Brokers, who
sell malware logs containing accurate authentication data to ransomware
syndicates and other criminals," said Trevor Hilligoss, Director of
Security Research at SpyCloud. "Infostealers are easy, cheap, and
scalable, creating a thriving underground economy with an
'anything-as-a-service' model to enable cybercrime. This broker-operator
partnership is a lucrative business with a relatively low cost of
entry."
Cybercriminals have capitalized on the economic downturn, the growing
hybrid workforce, ghost accounts left behind by terminated employees,
and increased outsourcing, which widens third-party exposure. When
employees reach corporate networks from unmanaged or undermanaged
devices that are infected with malware, threat actors gain an easy path
into critical business applications, including single sign-on platforms
and virtual private networks.
SpyCloud researchers recaptured millions of credentials that malware had
harvested from popular third-party business applications in 2022. The
data exfiltrated from these apps - including code repositories, customer
databases, messaging platforms, and HR systems - gives bad actors what
they need to mount damaging follow-on attacks such as ransomware. If
these credentials are not remediated and remain active, they continue to
pose a threat to the organization even after the infected device has
been cleaned or reimaged, because the copies already sold or shared
underground are unaffected by anything done to the device.
"Organizations are overlooking the mounting threat of sophisticated
malware-based attacks and the protracted business impact of infected
devices. Leaders need a new approach that disrupts the flow of stolen
authentication data and mitigates the ongoing threat of these
exposures," said Hilligoss. "Collectively, we need to start thinking
about protecting digital identities using a Post-Infection Remediation
approach, rather than solely focusing on cleaning individual infected
devices. Taking action on exposed employee data before it can be used by
criminals is paramount to preventing account takeover, fraud,
ransomware and other forms of cybercrime."
With a Post-Infection Remediation approach, security teams extend their
standard incident response playbook beyond wiping or reimaging the
device: they also reset the credentials for every application found in
the malware log and invalidate the session cookies the infostealer
exfiltrated, closing the paths that ransomware operators and access
brokers would otherwise still hold.
Additional key findings from the 2023 report include:
- Session hijacking enabled by stolen cookies is growing in prevalence.
  - SpyCloud researchers recaptured nearly 22 billion device and session
    cookies in 2022. A replayed cookie lets a criminal bypass MFA and
    take over an active session, effectively turning the bad actor into
    a clone of the employee.
- Users' personally identifiable information (PII) is just as tempting as ever.
  - SpyCloud researchers uncovered 8.6 billion PII assets in 2022,
    including 1.4 billion full names, 332 million national IDs/full
    social security numbers, and 67 million credit card numbers.
- Password hygiene remains poor despite increased cybersecurity training focus.
  - SpyCloud found that 72% of users exposed in 2022 breaches were still
    reusing previously compromised passwords.
  - Passwords tied to pop culture trends also remain popular, with
    SpyCloud recovering over 327,000 passwords related to the artists
    Taylor Swift and Bad Bunny, over 261,000 related to streaming
    services such as Netflix and Hulu, and over 167,000 related to Queen
    Elizabeth's death and the British royal family.
- The government sector is at a higher risk from malware-infected devices than enterprises.
  - SpyCloud uncovered 695 breaches containing .gov emails in 2022, a
    nearly 14% increase from 2021.
  - Password reuse rates among government employees remain high - 61%
    for users with more than one password exposed in the last year. The
    three most common exposed plaintext passwords associated with
    government emails are 123456, 12345678, and password.
  - Nearly 74% of exposed government credentials across the globe in
    2022 were exfiltrated by malware (compared to 48.5% across the
    board).
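The session-hijacking finding above, and the Post-Infection Remediation step described earlier (reset application credentials and invalidate the session cookies the malware exfiltrated), as an added example that is not part of the SpyCloud report or this press release: a toy server-side session store in Python showing why a stolen cookie keeps working after the infected device is reimaged and even after a password change, and stops working only once the server revokes every session issued before the remediation time. The user name, passwords, timestamps and 30-day cookie lifetime are constructed for the example, and the store is a minimal in-memory model, not any real product's implementation.

```python
import hashlib
import secrets

# Assumed 30-day "remember me" cookie lifetime; long-lived cookies are what
# make a stolen cookie jar valuable for weeks after the infection.
SESSION_TTL = 30 * 24 * 3600


class SessionStore:
    """Minimal in-memory session store (illustrative model, not a real product).

    sessions:    token -> {"user": str, "issued_at": epoch seconds}
    not_before:  user  -> revocation watermark; tokens issued before it are dead
    credentials: user  -> (salt, pbkdf2 digest), or None once a reset is forced
    """

    def __init__(self):
        self.sessions = {}
        self.not_before = {}
        self.credentials = {}

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.credentials[user] = (salt, digest)

    def check_password(self, user, password):
        record = self.credentials.get(user)
        if record is None:  # unknown user, or a credential reset is pending
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, digest)

    def login(self, user, password, mfa_ok, now):
        """Password and MFA are verified here, once. The returned token is the
        only thing later requests present, so it inherits the MFA decision."""
        if not self.check_password(user, password) or not mfa_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "issued_at": now}
        return token

    def validate(self, token, now):
        """Per-request check. Returns the user, or None if the token is unknown,
        expired, or issued before the user's revocation watermark."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if now - session["issued_at"] > SESSION_TTL:
            return None
        if session["issued_at"] < self.not_before.get(session["user"], 0.0):
            return None
        return session["user"]

    def post_infection_remediation(self, user, now):
        """The added playbook step: every session issued before `now` is revoked
        on the server, and the credential is voided so the user must reset it."""
        self.not_before[user] = now
        self.credentials[user] = None


def run_scenario():
    """Walk through infection, device cleanup, password change and remediation,
    recording whether the stolen cookie is still accepted at each point."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp for the original login
    store.set_password("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple", mfa_ok=True, now=t0)

    # T+1h: an infostealer on alice's laptop dumps the cookie jar; the attacker replays it.
    stolen = token
    results = {"replay_works": store.validate(stolen, t0 + 3600) == "alice"}

    # T+1d: the laptop is reimaged. The session record lives on the server, untouched.
    results["replay_after_device_cleanup"] = store.validate(stolen, t0 + 86400) == "alice"

    # T+2d: alice changes her password. Sessions were never touched, so the replay still works.
    store.set_password("alice", "new password 2")
    results["replay_after_password_change"] = store.validate(stolen, t0 + 2 * 86400) == "alice"

    # T+3d: post-infection remediation revokes pre-existing sessions and forces a reset.
    t_rem = t0 + 3 * 86400
    store.post_infection_remediation("alice", t_rem)
    results["replay_after_remediation"] = store.validate(stolen, t_rem + 60) == "alice"
    results["old_password_after_remediation"] = (
        store.login("alice", "new password 2", mfa_ok=True, now=t_rem + 90) is not None
    )

    # alice completes the reset flow and logs in again with MFA; the new session is accepted.
    store.set_password("alice", "reset password 3")
    fresh = store.login("alice", "reset password 3", mfa_ok=True, now=t_rem + 120)
    results["fresh_login_after_remediation"] = store.validate(fresh, t_rem + 180) == "alice"
    return results


if __name__ == "__main__":
    for step, accepted in run_scenario().items():
        print(f"{step:35s} {'ACCEPTED' if accepted else 'rejected'}")
```

The per-user `not_before` watermark is the same mechanism behind a "sign out everywhere" button; the equivalent for bearer tokens is comparing the token's issued-at claim against a stored revocation time. The model also makes the MFA-bypass point concrete: MFA is checked once in `login`, so whoever holds the cookie inherits the verified session and is never challenged again, which is why a device wipe or a password change alone leaves the attacker logged in.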
To download the full report and discover how SpyCloud helps
organizations disrupt cybercrime and defend against malware, ransomware
and online fraud, visit: https://spycloud.com/resource/2023-annual-identity-exposure-report/.