Dive Brief:
- Half of hacked email accounts are compromised for less than 24 hours, according to a report by Barracuda and researchers at the University of California, Berkeley. The research examined 159 compromised email accounts across 111 organizations. In one-third of the accounts, attackers lurked for more than one week.
- The majority of attackers, 78%, stayed within email accounts, suggesting cloud-based accounts restrict access to "interesting data" outside of email or "attackers have yet to adapt and exploit these additional sources of information," according to the report.
- About nine in 10 compromised accounts were not used to send phishing attacks; however, researchers said hackers could leverage the accounts in other ways. Researchers theorize cybercriminals "don't want to send emails from compromised accounts because that will increase their chances of being caught, and they want to keep access to these accounts." They could also be selling off the access point.
Dive Insight:
Intrusions usually occur when a hacker hides a malicious link in a phishing email. From there, cybercriminals can execute a malicious script or a portable executable and use privileged or administrative-level access to encrypt data on a device.
Malware is often "going to utilize network level privileges to then move laterally through the network to infect other resources or servers on the network," said Chris Sherman, senior analyst at Forrester, during a webinar hosted by Sophos last week.
While collaboration platforms aim to replace it, email remains an industry staple.
Email, like other communication platforms, is a gateway to business data — especially now, as companies globally rely on digital communication. "Data moves in and out of controlled and uncontrolled areas of the network," said Sherman.
Employees are responsible for the majority of compromise incidents in enterprises, highlighting a need for change in how security is implemented. "When your device security solution indicates a high risk behavior, you know, access to certain enterprise resources should be reduced or temporarily blocked," said Sherman.
Zero trust could help organizations "isolate and implement control over the device and app behaviors" based on the risk or privilege and "deny whitelisting with behavioral controls," said Sherman.
But every method of communication — email, chat or meeting — has security weaknesses, though hackers are more inclined to target some than others.
Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in online cybercrime markets. While "many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets," no one is really buying Slack credentials, according to KELA.
Some workspaces weren't identifiable, but a portion of them were registered using the format "orgname.slack.com," according to the report. Even though these addresses are probably corporate-owned, KELA found Slack channels don't provide data drool-worthy enough for hackers to want.
Researchers determined that hackers might find monetizing Slack credentials difficult because the platform "grants no direct access to a target’s network, and pivoting from it to other internal applications requires a combination of tedious reconnaissance and sheer luck."