The LinkedIn compromise has been linked to a number of confirmed incidents where data exfiltration has taken place. It's possible these incidents are only the tip of the iceberg though, as many of the organizations compromised are service providers with access to customer networks.
On June 18, Citrix posted an alert warning of an incident that forced the company to reset all of its customers' passwords. A day later, Citrix updated the alert and explained the problem.
"Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users," the company wrote.
Multiple industry sources have shared additional details with Salted Hash, some confirming upwards of thirty instances where an organization has been compromised and sensitive information exfiltrated by the attackers.
However, this number is likely a low estimate, as the compromised organizations are service providers with access to customer networks.
Those who spoke to Salted Hash on the condition of anonymity are still working active cases to determine the full extent of the problems, but the fear is that the customers of the breached service providers have been compromised as well.
The organizations that have been targeted operate in the manufacturing industry, retail industry, and a number of other verticals.
The common thread in each case is the LinkedIn list, generic password policies, a lack of two-factor authentication, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.
Citrix called the incident a "very sophisticated password attack," but that isn't the reality of the situation; there's nothing sophisticated going on.
These are straightforward brute-force attacks with a high degree of success, largely because the leaked LinkedIn records allow the attacker to reuse credentials directly, or vary them slightly, in order to gain access.
It isn't clear if the active cases are all related, or if there is more than one attacker or group conducting the raids. What is clear is that some of the organizations caught up in this situation are large ones, and the only reason they're in this mess is recycled credentials.
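The pattern described above (reused credentials tried once or twice each against many accounts, with an unusually high success rate) is also what makes these attacks detectable in authentication logs. The following is an added example, not code from the article or from any of the companies it names; the log format, field names, sample IP addresses and usernames are all constructed for illustration. It flags sources that try many distinct usernames with few attempts each, and lists the accounts that succeeded from such a source as candidates for a forced reset:

```python
"""Flag credential-reuse (credential-stuffing) activity in authentication logs.

Added example; log format and sample data are constructed, not from any real system.
Signature looked for: one source tries many distinct usernames, only one or two
attempts per username, and some of those attempts succeed.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, source address, username, result (FAIL/OK).
SAMPLE_LOG = """\
2016-06-14T02:01:05Z src=203.0.113.7 user=jsmith result=FAIL
2016-06-14T02:01:06Z src=203.0.113.7 user=jsmith result=OK
2016-06-14T02:01:09Z src=203.0.113.7 user=john.doe result=FAIL
2016-06-14T02:01:11Z src=203.0.113.7 user=mlee result=OK
2016-06-14T02:01:14Z src=203.0.113.7 user=rpatel result=FAIL
2016-06-14T02:01:17Z src=203.0.113.7 user=kchen result=FAIL
2016-06-14T02:01:20Z src=203.0.113.7 user=agarcia result=FAIL
2016-06-14T08:15:00Z src=198.51.100.20 user=alice result=FAIL
2016-06-14T08:15:10Z src=198.51.100.20 user=alice result=FAIL
2016-06-14T08:15:25Z src=198.51.100.20 user=alice result=FAIL
2016-06-14T08:15:40Z src=198.51.100.20 user=alice result=OK
2016-06-14T09:00:00Z src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, max_attempts_per_user=3.0):
    """Return {source: summary} for sources whose behaviour matches credential reuse.

    A source is flagged when it touched at least `min_users` distinct usernames and
    averaged no more than `max_attempts_per_user` attempts per username. A real
    user mistyping one password (many attempts, one username) is not flagged.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for ev in events:
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["ok"].add(ev["user"])

    flagged = {}
    for src, s in per_src.items():
        n_users = len(s["users"])
        if n_users >= min_users and s["attempts"] / n_users <= max_attempts_per_user:
            flagged[src] = {
                "users": n_users,
                "attempts": s["attempts"],
                "successes": len(s["ok"]),
                # Accounts that authenticated from a stuffing source: force-reset candidates.
                "compromised": sorted(s["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for src, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

The thresholds are deliberately simple; in practice the distinct-username count would be computed per time window, and the "compromised" list is the input to the kind of proactive reset LogMeIn and Carbonite performed rather than a verdict on its own.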
There's a method to the madness:
An attacker who has the LinkedIn list knows a person's name, their work history, and their password. Thus, the attacker now has a list of possible targets, a good idea of how network IDs are generated, and some base passwords to start with. There's more work to be done, as the attacker has to identify services and systems exposed to the public, but this isn't an impossible task.
"Typically there would be two types of threat actors that would consume these stolen credential sets," explained Israel Barak, CISO of Cybereason.
The first are the actors that will use the credential set to conduct broad, non-targeted attacks where they would attempt to gain access to social media and financial services using the leaked credentials. The second set of actors take their time and target individuals, or organizations they’re associated with, in order to gain access to sensitive information and systems.
Don't blame the victim, but...
Many organizations alter the default Active Directory policies slightly, but this still leaves them with passwords of 7-12 characters that must include one uppercase letter, one number, and one special character, plus a 90-day expiration window.
Yet, most of the passwords used today are based on patterns and guessable logic. The workforce is trained to create weak passwords from the start, because organizations implement password policies that result in easily guessed or cracked credentials.
"Typically organizations set a password complexity and selection policy that requires users to choose passwords comprising multiple character sets, have some sort of minimal length, and some restrictions as it relates to expiration and reuse. Essentially this really doesn't solve anything, as it relates to the problem of an average person not wanting to remember too many passwords, which leads to password sharing across multiple services," Barak said.
"I think the most robust way to approach this particular issue is to employ multi-factor authentication on sensitive services, and I think this is especially true for services that are internet accessible, such as Outlook Web Access, VPN portal, your ERP systems, or similar sensitive services."
The point, Barak added, was to ensure that the exposure of a user's password wouldn't be enough to compromise their account.
Sadly, in many of the examples shared with Salted Hash, there was a direct relation between the compromised organization and the leaked LinkedIn account data set – so the username and password on LinkedIn was the exact combination needed to access the corporate network.
But even when there wasn't a direct relation, the information available from the LinkedIn list allowed some basic guesses that resulted in successful compromises. For example, if there was a mismatch with the network ID, altering it slightly to match public email addresses often worked (e.g. jsmith vs. john.smith).
Two-factor authentication wasn't a factor in any of the breach examples shared with Salted Hash. Again, this is because the compromised organizations didn't use such features.
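The exact-match and near-match cases above (the same username and password as the leaked record, or a network ID that only differs in form, jsmith versus john.smith) are the same logic a defender can run in reverse: compare the leaked identities against the corporate directory and force a reset on every account that lines up, before someone else does the lookup. The following is an added example, not code from the article or from LogMeIn, Citrix or any other company it mentions. It works purely on identities (no passwords are needed or handled); the directory entries and the breach-dump handles are constructed, the domains are reserved example names, and the canonicalisation rules are an assumption chosen to cover the jsmith / john.smith variants the article describes:

```python
"""Match leaked account handles against a corporate directory to pick reset candidates.

Added example with constructed data. Only identities are compared; no passwords
from any dump are read, stored or tested.
"""
import re

# Constructed directory: (first name, last name, network ID / sAMAccountName).
DIRECTORY = [
    ("John", "Smith", "jsmith"),
    ("Mei", "Lee", "mlee"),
    ("Ravi", "Patel", "rpatel"),
    ("Kim", "Chen", "kchen"),
]

# Constructed e-mail handles as they might appear in a leaked account list.
BREACHED_HANDLES = [
    "john.smith@mail.example",
    "mlee@mail.example",
    "totally.unrelated@mail.example",
    "rpatel@mail.example",
]

_SEPARATORS = re.compile(r"[._\-\s]")


def canon(handle):
    """Lower-case a handle, drop any @domain part, and remove ./_/-/space separators.

    Assumed rule: 'john.smith@mail.example', 'John_Smith' and 'johnsmith' all
    canonicalise to 'johnsmith', which is what lets jsmith-style IDs be compared
    with first.last-style addresses.
    """
    local = handle.split("@", 1)[0].lower()
    return _SEPARATORS.sub("", local)


def identity_keys(first, last, network_id):
    """All canonical forms under which one directory user might appear in a leak."""
    f, l = first.lower(), last.lower()
    return {
        canon(network_id),   # the ID as issued, e.g. jsmith
        canon(f + l),        # johnsmith  (covers john.smith, john_smith, John-Smith)
        canon(f[0] + l),     # jsmith     (common corporate convention)
        canon(l + f[0]),     # smithj     (the other common convention)
    }


def find_exposed_accounts(directory, breached_handles):
    """Return {network_id: leaked handle} for every directory user a leaked handle maps to.

    Each hit is a candidate for a forced password reset and an MFA enrolment check;
    it is not proof of reuse, so the output is meant for a reset queue, not a verdict.
    """
    leaked = {}
    for h in breached_handles:
        leaked.setdefault(canon(h), h)

    exposed = {}
    for first, last, network_id in directory:
        for key in identity_keys(first, last, network_id):
            if key in leaked:
                exposed[network_id] = leaked[key]
                break
    return exposed


if __name__ == "__main__":
    for nid, handle in sorted(find_exposed_accounts(DIRECTORY, BREACHED_HANDLES).items()):
        print(f"reset + MFA check: {nid:10s} matched leaked handle {handle}")
```

Short keys such as `rpatel` can collide with an unrelated person who shares initial and surname, so the match list will contain some false positives; since the only action taken is a password reset, that is an acceptable trade compared with leaving a matched account untouched.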
GoToMyPC isn't the only service provider that's been targeted recently.
Earlier this month, TeamViewer users reported system compromises, and at least some of them admitted to reusing passwords. Last week, LogMeIn proactively reset accounts where it was determined a customer was recycling their LinkedIn password. On Tuesday, Carbonite reset all of its customers' passwords after detecting login attempts using recycled credentials.
So what's the underlying problem?
Weak password policies and recycled credentials are a serious problem.
At the same time, this problem is one that isn't easily fixed. Humans have developed some bad habits when it comes to passwords and access, and corporate policies that limit complexity and require easily guessed formats further enable these bad habits.
In hindsight, the organizations that were compromised due to the LinkedIn list made plenty of mistakes that proactive measures would have fixed. But singling them out, as if they're something unique, would be a mistake.
Organizations don't track passwords or audit them; users are allowed privileged access without restrictions; two-factor authentication is only sparingly enabled in some cases (assuming it's enabled at all); and security policies are selectively applied.
For example, the Department of Homeland Security banned personal webmail for security reasons. However, DHS Secretary Jeh Johnson was exempted from this ban because he liked to check his personal email from the office.
If that seems like a familiar situation to you, that's because everyone who has ever worked in IT can tell horror stories about how C-Level executives are regularly exempted from security policy.
This is why preventing recycled or easily guessed passwords is such a problem. How can you manage passwords and how they're developed or used, when just getting everyone on the same page policy-wise is challenge enough?