The Public Safety Threat Alliance (PSTA) recently published a report that details how credential abuse, or the use of compromised usernames and passwords to access data, is being used by threat actors in cyber attacks to target law enforcement and government entities. The full report is available to members of the PSTA. Here are some of the highlights from this new research.
Credential Abuse Overview
Credential abuse is the number one technique threat actors use when attacking public safety agencies. Threat actors will use stolen credentials like usernames and passwords to gain unauthorized access to operating systems rather than using brute force, a trial-and-error approach that typically uses automated techniques such as scripts and applications to systematically guess the correct credentials. A recent report shows that in the last year, 45 percent of data breaches began with a credential-based attack. And in the last two years, half of phishing attacks against government personnel had the main goal of stealing credentials.
Mimikatz Tops List of Tools Used By Threat Actors
The number one tool used in attacks involving credential abuse has been the Mimikatz software, which is public, widely available and relatively easy to use. Of the six major extortion syndicates, five have been linked with Mimikatz, including the infamous LockBit group. This tool abuses vulnerabilities in operating systems, which allows threat actors to bypass authentication controls.
Other methods of obtaining stolen usernames and passwords have been reported as well, including phishing, pulling passwords from web browsers, password spraying (using a single common password against multiple accounts on the same network) and abusing default systems (those preset with a username and password combination). While Mimikatz was the main tool used by extortion syndicates, state-sponsored threat actors are more likely to use these types of tools because their simplicity makes it easy to use stolen credentials to gain access.
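For defenders, the difference between password spraying and brute force shows up in failed-login logs: spraying produces a few failures across many accounts from one source, while brute force produces many failures against one account. The following is an added example, not taken from the PSTA report; the log format, thresholds and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log; format, addresses and users are illustrative.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:{i:02d}Z FAIL src=203.0.113.7 user=user{i}" for i in range(6)]
    + [f"2024-05-01T09:01:{i:02d}Z FAIL src=198.51.100.9 user=admin" for i in range(12)]
    + ["2024-05-01T09:02:00Z FAIL src=192.0.2.20 user=bob",
       "2024-05-01T09:02:09Z OK src=192.0.2.20 user=bob"]
)

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) src=(\S+) user=(\S+)$")
WINDOW_S = 600           # assumed: evaluate failures in 10-minute buckets
SPRAY_MIN_USERS = 5      # assumed: distinct accounts failed from one source
SPRAY_MAX_PER_USER = 2   # assumed: spraying stays under lockout thresholds
BRUTE_MIN_TRIES = 10     # assumed: repeated guesses against a single account


def classify(log_text):
    """Return {(source, window_start_epoch): label} for suspicious sources."""
    # (source, window) -> user -> count of failed logins
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "FAIL":
            continue  # skip malformed lines and successful logins
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).timestamp()
        window = int(ts) // WINDOW_S * WINDOW_S
        buckets[(m.group(3), window)][m.group(4)] += 1

    findings = {}
    for key, per_user in buckets.items():
        most = max(per_user.values())
        if most >= BRUTE_MIN_TRIES:
            findings[key] = "brute_force"      # many guesses, one account
        elif len(per_user) >= SPRAY_MIN_USERS and most <= SPRAY_MAX_PER_USER:
            findings[key] = "password_spray"   # few guesses, many accounts
    return findings


if __name__ == "__main__":
    for (src, window), label in sorted(classify(SAMPLE_LOG).items()):
        print(src, window, label)
```

Thresholds like these need tuning against an agency's own lockout policy and normal failure rates, since a shared NAT address or a misconfigured service account can look like either pattern.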
There are many measures public safety agencies and government entities can use as part of an effective security program. Agencies should require users to utilize multi-factor authentication while also implementing effective password policies such as length and character requirements. Agencies should also reduce the risk of mobile spyware by ensuring employees are aware of what malicious links may look like.
Get the full report for more details and recommendations on how to prevent credential abuse by joining the PSTA.
The PSTA is an information sharing and analysis organization (ISAO) established by Motorola Solutions that is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA regularly publishes research, which is shared with members, such as recent insights on remote access software. It also hosts regular webinars featuring our cybersecurity analysts and other experts. In addition, the PSTA provides threat intelligence for member public sector organizations at no cost.