Delinea | Privileged Access Management Blog

2024 Verizon DBIR: Credential Compromise Dominates

Written by Joseph Carson | Jun 11, 2024 12:00:00 PM

The 2024 Verizon Data Breach Investigations Report (DBIR) analyzes 30,458 cybersecurity incidents, including 10,626 data breaches, that occurred in 94 countries over the past year. Now in its 17th year, it’s one of the top cybersecurity reports everyone anticipates so we can learn how threats are changing, what defenses worked, and what didn’t. It’s like a cybersecurity scorecard on defenders versus attackers.


Source: Verizon 2024 Data Breach Investigations Report

In this blog, we’ll unpack five key highlights of the report and share how you can learn from them to improve your cybersecurity strategy.

1. Credential compromise is the #1 data breach entry point

One of the most striking findings from this year's DBIR is the persistence of credential compromise as the leading method for cybercriminals to gain initial access.

According to the DBIR, credential compromise is a particularly effective tactic to initiate a data breach, one category of cybersecurity incidents covered in the report. In a data breach, security measures protecting data are circumvented or compromised, resulting in unauthorized access. Data breaches can involve personally identifiable information (PII), financial records, intellectual property, or trade secrets.

Verizon found that compromised credentials are a more common data breach strategy than either phishing or exploiting vulnerabilities. According to the DBIR, 31% of breaches in the past 10 years involved stolen credentials. The report also notes that different industries face varying levels of credential compromise, with sectors like healthcare and finance targeted due to the sensitive nature of their data.

Select ways-in Enumerations in non-Error, non-Misuse Breaches - Source: Verizon 2024 Data Breach Investigations Report

Compromised credentials typically lead to ransomware

Compromised credentials can be used to infiltrate networks, steal data, and carry out malicious activities. Case in point, the DBIR indicates a significant increase in ransomware attacks and extortion breaches in 2024, with cybercriminals and gangs often using compromised credentials to gain initial access and deploy ransomware within networks and achieve financial gain. This trend underscores the critical need for robust authentication and authorization measures.

Extortion Attacks on the Rise - Source: Verizon 2024 Data Breach Investigations Report

Why credential compromise remains a top threat

Unlike more complex data breaches that require specialized knowledge or tools, credential compromise can be achieved through relatively simple methods.

Techniques such as password spraying and credential stuffing, phishing, and social engineering are common ways cybercriminals exploit weak or shared passwords. If would-be attackers can’t obtain credentials through their own efforts, they may purchase them from access brokers or on the Dark Web.

Once attackers compromise credentials, what do they do with them?

For the first time this year, the DBIR took their “ways in” analysis one step further to understand the types of attack vectors compromised credentials unlock. They found that the primary vector for credential-based attacks is web applications, followed by desktop-sharing software and VPNs.


Primary Vector - Source: Verizon 2024 Data Breach Investigations Report

“Credentials carries a large share of the guilt for our Basic Web Application Attacks pattern (i.e., getting unauthorized access to cloud-based email and collaboration accounts),” Verizon acknowledges. When you consider the larger number of web applications—including business applications like ERP and Human Resource systems—that are often managed outside of IT security departments, it’s no surprise that credentials such as usernames and passwords may not be protected with the appropriate level of security.

What about desktop-sharing software and VPNs? When you consider the sharp rise in remote work as well as the increase in reliance on third-party vendors in an extended supply chain, it’s no wonder these vectors are a choice target for cybercriminals using stolen credentials. As DBIR says, “anything that adds to your attack surface on the Internet can be targeted and potentially be the first foothold for an external threat actor.”

It’s essential to keep those footholds to a minimum. In this next section, you’ll learn strategies to do so.

How to mitigate the risks of credential compromise

Despite the risks, many organizations still struggle with implementing strong practices to protect credentials from being compromised. To combat the persistent threat, it’s important to adopt a multi-faceted approach, including the following identity security best practices:

Implement Multi-Factor Authentication (MFA). MFA adds an additional layer of security by requiring users to provide multiple forms of verification before gaining access to data and systems. This significantly reduces the risk of unauthorized access even if credentials are compromised because users must prove they are who they say they are.

Strengthen Password Policies. Enforcing strong password policies, such as requiring complex passwords and regular password changes, as well as preventing password sharing and reuse, can prevent theft. Enterprise password vaults and Privileged Access Management (PAM) solutions allow you to manage workplace passwords automatically so that users don’t have to bear sole responsibility for their security. These tools put passwords into the background so that users don’t even see them, while still defining and governing access.

Conduct Security Awareness Training. Regular training programs can educate all users—especially those with privileged access—about the importance of credential management and help them recognize and avoid a phishing or social engineering attempt when it occurs.

Monitor and Respond to Threats. Continuous, granular monitoring of privileged user behavior can help detect credential compromise. A PAM solution can determine an expected baseline of behavior and alert your team when behavior deviates. Then, you can automatically rotate credentials or enforce MFA so that a potential attack is contained.

Adopt the Principle of Least Privilege. Implementing granular access controls according to the Principle of Least Privilege can limit the impact of compromised credentials. That way, even if an attacker is successful at obtaining credentials, they’ll only be able to use them to access privileged accounts for a limited period. Even if credentials may unlock initial access, the user may not have the right to change data, download information, or execute other commands without requesting elevated privileges.

Secure Remote Access. Instead of relying on VPNs to manage access for remote workers and third parties, look for solutions that don’t expose credentials on the endpoint. For example, a browser-based remote access solution that connects to your enterprise password vault can simply inject credentials automatically.
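The two detections that the mitigation list leans on, catching a password-spraying attempt and alerting when a privileged user's successful login deviates from an established baseline, can be shown over a handful of authentication log lines. The script below is an added example written for this post; it is not Delinea product code and not part of the DBIR. The log format, the sample lines, the ten-minute window, the five-account threshold and the hour-of-day baseline are all constructed assumptions.

```python
"""Added example: detect password spraying and baseline deviations in
constructed authentication log lines (not code from the post or the DBIR).

Line format assumed here: "<ISO timestamp> <user> <source_ip> <SUCCESS|FAIL>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three days of normal activity, then one early-morning
# spray from 203.0.113.7 (a documentation address) that ends in a valid login.
SAMPLE_LOG = """\
2024-06-03T09:02:11 alice 10.0.0.5 SUCCESS
2024-06-03T09:15:40 alice 10.0.0.5 SUCCESS
2024-06-04T08:58:02 alice 10.0.0.5 SUCCESS
2024-06-04T10:12:33 bob 10.0.0.9 SUCCESS
2024-06-05T09:30:00 bob 10.0.0.9 SUCCESS
2024-06-05T14:05:10 carol 10.0.0.12 SUCCESS
2024-06-06T02:01:05 alice 203.0.113.7 FAIL
2024-06-06T02:01:09 bob 203.0.113.7 FAIL
2024-06-06T02:01:14 carol 203.0.113.7 FAIL
2024-06-06T02:01:20 dave 203.0.113.7 FAIL
2024-06-06T02:01:27 erin 203.0.113.7 FAIL
2024-06-06T02:01:33 frank 203.0.113.7 FAIL
2024-06-06T02:10:42 alice 203.0.113.7 SUCCESS
2024-06-06T09:05:00 bob 10.0.0.9 SUCCESS
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "SUCCESS"})
    return events


def detect_spraying(events, min_accounts=5, window=timedelta(minutes=10)):
    """Spraying signature: one source IP fails against many DISTINCT accounts
    inside a short window (stuffing looks similar but with one attempt each).
    Returns {ip: sorted list of every account that IP failed against}."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e)
    hits = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # distinct users currently inside the window
        start = 0
        for e in evs:
            in_window[e["user"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                hits[ip] = sorted({x["user"] for x in evs})
                break
    return hits


def build_baseline(events):
    """Per-user profile from successful logins: known source IPs and hours."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e["ok"]:
            baseline[e["user"]]["ips"].add(e["ip"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect_deviations(events, baseline):
    """Flag successful logins from an unseen IP or outside the user's hours."""
    alerts = []
    for e in events:
        if not e["ok"] or e["user"] not in baseline:
            continue
        prof = baseline[e["user"]]
        reasons = []
        if e["ip"] not in prof["ips"]:
            reasons.append("new_ip")
        if e["ts"].hour not in prof["hours"]:
            reasons.append("off_hours")
        if reasons:
            alerts.append((e["user"], e["ip"], e["ts"].isoformat(), reasons))
    return alerts


def analyze(text, baseline_before):
    """Learn the baseline from events before the cutoff, then scan the rest."""
    events = parse_log(text)
    cutoff = datetime.fromisoformat(baseline_before)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    recent = [e for e in events if e["ts"] >= cutoff]
    return {"spraying": detect_spraying(recent),
            "deviations": detect_deviations(recent, baseline)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_LOG, "2024-06-06T00:00:00").items():
        print(kind, result)
```

On the sample, the spray from 203.0.113.7 trips the threshold on its fifth distinct account, and the login that follows is flagged twice over: alice has never come from that address and never at 02:00. The baseline here is deliberately crude (exact hour, exact IP); in production you would widen it to working-hour ranges and network prefixes, and feed the alert into the rotate-or-step-up-MFA response the post describes.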

2. Rising vulnerability exploits require better patching

Though credential compromise is in the lead as the critical path to initiating a breach, attackers are increasingly exploiting vulnerabilities to achieve their goals. This technique almost tripled (180% increase) in the past year.

In 2023, several major vulnerabilities were exploited, affecting a wide range of systems and causing multiple security incidents. Among the most notable:

MOVEit Transfer Vulnerability (CVE-2023-34362)

  • Description: The MOVEit Transfer vulnerability was a critical SQL injection flaw that allowed unauthenticated attackers to gain unauthorized access to a database, potentially leading to data breaches.

  • Impact: This vulnerability was widely exploited, leading to significant data theft and breaches in various organizations using the MOVEit Transfer software.

Microsoft Exchange Server Vulnerabilities (ProxyNotShell)

  • Description: Two critical vulnerabilities in Microsoft Exchange Server, CVE-2023-21706 an

  • Impact: Attackers used these vulnerabilities to compromise Exchange servers, leading to data breaches and email account compromises in numerous organizations.

Apache Log4j (Log4Shell) Follow-up Exploits

  • Description: Although the Log4Shell vulnerability in Apache Log4j was disclosed in late 2021, its exploitation continued into 2023 due to the widespread use of Log4j and slow patching processes.

  • Impact: Many organizations faced significant threats as attackers exploited this vulnerability to execute arbitrary code and gain control over affected systems.

To prevent vulnerability exploitation, DBIR highlights the need for better, faster patching, based on risk-based analysis.
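To make "risk-based" concrete: a patch queue ordered purely by CVSS puts a high-scoring but internal, unexploited flaw ahead of a lower-scoring one that is already being exploited on an internet-facing host. The scoring below is an added example, not a method from the DBIR or from Delinea; the weights, the SLA bands and every finding except the MOVEit CVE named above are constructed, and "known exploited" stands in for whatever exploitation-intelligence source you actually use.

```python
"""Added example: rank findings by exploitation risk rather than raw CVSS.
Constructed heuristic, not the DBIR's or any vendor's scoring."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float             # base score, 0.0 - 10.0
    known_exploited: bool   # exploitation observed in the wild (assumed feed)
    internet_exposed: bool  # reachable from the internet
    asset_criticality: int  # 1 = low, 2 = important, 3 = crown jewels


def risk_score(f):
    """Severity scaled by what the asset is worth, plus two large bumps for the
    factors that decide whether an attacker will actually come for it."""
    score = f.cvss * f.asset_criticality          # 0 - 30
    if f.known_exploited:
        score += 20                               # exploitation is no longer theoretical
    if f.internet_exposed:
        score += 10                               # the foothold the DBIR warns about
    return round(score, 1)


def sla_days(score):
    """Constructed remediation bands: the higher the score, the shorter the SLA."""
    if score >= 30:
        return 3
    if score >= 15:
        return 14
    return 30


def prioritize(findings):
    """Return (cve, score, sla_days) tuples, most urgent first."""
    ranked = [(f.cve, risk_score(f), sla_days(risk_score(f))) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory. Only CVE-2023-34362 (MOVEit Transfer) is a real ID,
# taken from the text above; the CVE-EXAMPLE-* entries are placeholders.
INVENTORY = [
    Finding("CVE-2023-34362", 9.8, True, True, 3),
    Finding("CVE-EXAMPLE-0001", 9.1, False, False, 1),
    Finding("CVE-EXAMPLE-0002", 7.5, True, False, 2),
    Finding("CVE-EXAMPLE-0003", 6.5, False, True, 3),
]


if __name__ == "__main__":
    for cve, score, days in prioritize(INVENTORY):
        print(f"{cve:18} score={score:5}  patch within {days} days")
```

The point the ordering makes is in the middle two rows: the internal CVSS 9.1 placeholder lands last with a 30-day SLA, while the CVSS 7.5 flaw that is already being exploited goes near the top. Swap the constructed weights for your own, but keep exploitation evidence and exposure as the dominant terms.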

3. Financial motivation is driving cybercrime

Financial gain remains the predominant motive for cybercrime. This finding is not entirely surprising, given the lucrative nature of cybercrime activities. Even though the media highlights the threat from nation-state actors, espionage represented only 7% of incidents.

Understanding why financial motivation continues to dominate can help you better protect your organization against such threats.

The lure of financial rewards

High Profitability with Low Risk. Cybercrime offers high profitability with relatively low risk compared to traditional criminal activities. Cybercriminals can operate anonymously from anywhere in the world, reducing the likelihood of being caught and prosecuted. This anonymity, combined with the potential for significant financial gain, makes cybercrime an attractive option.

Expanding Opportunities in the Digital Economy. The rapid digitization of the global economy has created numerous opportunities for cybercriminals. The increasing reliance on digital platforms, online transactions, and virtual currencies has expanded the attack surface, providing cybercriminals with more targets and potential rewards.

Ease of Access to Cybercrime Tools and Services. The Dark Web and underground markets offer a plethora of tools and services that facilitate cybercrime. From ransomware-as-a-service to stolen credentials and hacking tools, cybercriminals can easily access everything they need to carry out profitable attacks. This accessibility lowers the barrier to entry, enabling even less technically skilled individuals to engage in cybercrime for financial gain.

Methods of financially motivated cybercrime

Ransomware Attacks. Ransomware continues to be a highly effective and profitable method for cybercriminals. By encrypting a victim’s data and demanding a ransom for its release, attackers can extort significant sums of money. The DBIR highlights the increasing sophistication of ransomware attacks and their devastating financial impact on organizations.

Financial Fraud and Theft. Financially motivated cybercriminals often engage in activities such as credit card fraud, identity theft, and unauthorized fund transfers. These activities can yield immediate financial rewards, making them a popular choice for cybercriminals.

Business Email Compromise (BEC). BEC scams involve cybercriminals impersonating executives or trusted partners to trick employees into transferring funds or revealing sensitive financial information. These scams can result in substantial financial losses for targeted organizations.

Cryptocurrency Theft. With the rise of cryptocurrencies, cybercriminals have found new avenues for financial gain. Attacks on cryptocurrency exchanges, wallets, and individual investors can result in the theft of large sums of digital assets, which can be difficult to trace and recover.

Financial impact on organizations

The financial motivation behind cybercrime has significant repercussions for organizations across all sectors. The DBIR highlights the various ways in which financially motivated attacks can impact businesses:

Direct Financial Losses. Organizations suffer direct financial losses from ransomware payments, fraudulent transactions, and stolen assets. These losses can be substantial, especially for small and medium-sized enterprises (SMEs) that may not have the resources to recover quickly.

Operational Disruption. Cyberattacks can disrupt business operations, leading to downtime, loss of productivity, and missed opportunities. Ransomware attacks, in particular, can cripple critical systems and services, causing long-term operational challenges.

Reputation Damage. Financially motivated cyberattacks can damage an organization’s reputation, eroding customer trust and loyalty. The public disclosure of a breach can lead to negative publicity, legal ramifications, and a loss of business.

Regulatory and Compliance Costs. In the wake of a cyberattack, organizations may face regulatory fines and increased compliance costs. Adhering to data protection regulations and implementing enhanced security measures can be costly but necessary to prevent future incidents.

Mitigating financially motivated cybercrime

To mitigate the risk of financially motivated cybercrime, organizations should adopt a comprehensive approach to cybersecurity:

Invest in Robust Security Infrastructure. Implementing advanced security technologies, such as intrusion detection systems, encryption, and multi-factor authentication, can help protect against cyber threats.

Enhance Employee Awareness and Training. Educating employees about the tactics used by cybercriminals and the importance of cybersecurity best practices can reduce the risk of successful attacks.

Conduct Regular Security Assessments. Regularly assessing and updating security protocols can help identify vulnerabilities and ensure that defenses are up to date against evolving threats.

Develop an Incident Response Plan. Having a well-defined incident response plan can help organizations respond quickly and effectively to cyberattacks, minimizing financial and operational impact.

Engage with Cybersecurity Experts. Collaborating with cybersecurity experts and participating in threat intelligence sharing can provide valuable insights and enhance an organization’s ability to defend against financially motivated cybercrime.

Financial Motives in Breaches - Source: Verizon 2024 Data Breach Investigations Report

4. To AI or not to AI? That's a BIG question

According to the DBIR, attackers aren’t significantly using GenAI. The report postulates that existing basic techniques are getting the job done, so many cybercriminals may not yet feel the need to adopt more complex, AI-driven methods.

There are instances when cybercriminals do leverage AI, particularly in more sophisticated and well-funded operations. For example, AI can be used to automate phishing attacks, develop malware that evades detection, or analyze large datasets of stolen information. As AI technology becomes more accessible and easier to use, its use in cybercrime will likely increase.

I asked ChatGPT an important question


5. The rise of organized cybercrime

Organized cybercrime has evolved significantly over the past few years, transforming from loosely coordinated groups of hackers into highly sophisticated and well-organized networks resembling legitimate businesses. This evolution has given rise to a complex ecosystem of specialized threat actors who collaborate to carry out cyberattacks.

Each actor or group within this ecosystem focuses on a specific aspect of cybercriminal operations, allowing for increased efficiency, effectiveness, and scalability of attacks. This collaborative approach not only lowers the barrier to entry but also accelerates the innovation and dissemination of new techniques and tools.

Rise of Organized Cybercrime - Source: Verizon 2024 Data Breach Investigations Report

Here's a breakdown of the key components of this ecosystem:

Initial Access Brokers

Initial Access Brokers (IABs) are specialized threat actors who focus on gaining initial access to a target network. They use various methods such as exploiting vulnerabilities, spear-phishing, or deploying malware to infiltrate organizations. Once they have established access, they sell it to other cybercriminals on underground forums or marketplaces. This specialization allows ransomware operators and other malicious actors to bypass the challenging and time-consuming task of breaching a network themselves.

Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) is a business model in which ransomware developers lease their malware to affiliates. These affiliates are responsible for distributing the ransomware and infecting victims. In return, the affiliates receive a share of the ransom payments. This model lowers the barrier to entry for cybercriminals, enabling even those with limited technical skills to launch ransomware attacks. RaaS operators provide user-friendly interfaces, technical support, and regular updates to their malware, making it easier for affiliates to succeed.

Criminal Helpdesk

The criminal helpdesk is another integral part of the organized cybercrime ecosystem. This component provides technical support to both the ransomware affiliates and their victims. For affiliates, the helpdesk offers assistance with deploying ransomware, navigating technical issues, and optimizing attacks. For victims, the helpdesk often handles negotiations, provides instructions on how to pay the ransom, and may even assist in decrypting files once the ransom is paid. This service ensures smooth operations for cybercriminals and increases the likelihood of receiving payments from victims.

Hands-on Keyboard Actors

Hands-on keyboard actors are skilled hackers who take a more active role in cyberattacks, often working directly within a compromised network. After gaining access, whether through IABs or other means, these actors move laterally through the network, escalate privileges, and identify valuable data or systems to target. Their expertise allows them to execute sophisticated and tailored attacks, increasing the chances of a successful and profitable outcome. They are crucial for conducting complex operations that require real-time decision-making and adaptability.

Money Laundering

Money laundering is a critical component of the cybercrime ecosystem, as it enables criminals to convert their illicit gains into usable funds without attracting the attention of law enforcement. Specialized money laundering actors use a variety of techniques, such as mixing services, cryptocurrency tumblers, and shell companies, to obfuscate the origin of the funds. They often employ a network of mules—individuals who transfer or withdraw money on behalf of the criminals—to further complicate tracking efforts. This layer of the ecosystem ensures that cybercriminals can enjoy the fruits of their labor with minimal risk of detection.

The expanding ecosystem

The expansion of the organized cybercrime ecosystem into multiple specialized roles reflects a trend toward greater professionalization and efficiency. Each actor focuses on what they do best, creating a streamlined and highly effective operation. This division of labor mirrors legitimate business practices, where different departments or experts handle specific tasks to optimize performance.

The interdependence of these specialized actors also fosters a collaborative environment within the cybercriminal community. Forums and marketplaces facilitate the exchange of services, tools, and information, enabling even small-time criminals to launch sophisticated attacks. This collaborative approach not only lowers the barrier to entry but also accelerates the innovation and dissemination of new techniques and tools.

Conclusion

The 2024 Verizon DBIR underscores that credential compromise remains a formidable challenge in the cybersecurity landscape. As cybercriminals refine their tactics, organizations must stay vigilant and proactive in their defense strategies. By implementing strong authentication measures, educating employees, and continuously monitoring threats, organizations can better protect themselves.