Account attacks had a huge impact in 2024, fueled by a vicious circle of infostealer infections and data breaches. But it could still get worse with computer-using agents, a new class of AI agent that enables cheap, low-effort automation of common web tasks, including the ones attackers routinely perform.
Stolen credentials: the cyber criminal's weapon of choice in 2024
Stolen credentials were the number-one attacker action in 2023/24 and the breach vector for 80% of web application attacks. Not surprising, considering that billions of compromised credentials are in circulation on the internet and that attackers can pick up the latest batch for as little as $10 on criminal forums.
The criminal market for stolen credentials benefited from the publicity of high-profile breaches in 2024, for example the attacks on Snowflake customers, which used credentials found in data breaches and compromised credentials from infostealer and mass phishing campaigns, and which compromised 165 customer tenants and hundreds of millions of breached records.
But although 2024 was an unprecedented year in terms of the impact of identity attacks, there is still a lot of unrealized potential for attackers.
Account attack automation – what has changed with the SaaS transition?
Brute-force and credential stuffing attacks are not new and have been a key component of cyber crime toolkits for decades. But automating credential spraying is not as easy as it used to be.
No more one-size-fits-all
Instead of one centralized network with applications and data contained within the infrastructure perimeter, the environment is now made up of hundreds of web applications and platforms, creating thousands of identities across the organization.
This means identities are also now decentralized and distributed across the internet, rather than being stored exclusively in identity systems such as Active Directory and accessed through common protocols and mechanisms.
While HTTP(S) is standard, modern web applications are complex and highly customized, each with a graphical interface that differs from the next. Worse, modern web apps are specifically designed to prevent malicious automation through bot protections such as CAPTCHA.
So the days of facing standard protocols and being able to write a single set of tooling usable in any organization or environment (write a DNS scanner once, use one port scanner such as Nmap for the whole internet, write one password-spraying script per protocol, e.g. FTP, SSH, Telnet) are over.
Finding a needle in a haystack
Not only are there more targets for attackers to include in their attacks, but there are more credentials to work with.
There are around 15 billion compromised credentials available on the public internet, not counting those traded in private channels. This list is growing all the time: 244M never-before-seen passwords and 493M unique website and email-address pairs were added from infostealer logs just last month.
It sounds scary, but it is difficult for an attacker to make use of this data. The vast majority of these credentials are old and invalid. A recent review of threat intelligence data by Push Security researchers found that less than 1% were valid. In other words, 99% of compromised credentials were false positives.
But not all of them are useless, as the Snowflake attacks, which successfully used credentials dating back to 2020, demonstrated. So for attackers who can find them, the treasures are clearly there.
Attackers are forced to prioritize
The distributed nature of applications and identities, together with the low reliability of compromised credentials, means attackers are forced to prioritize, despite the target-rich environment of hundreds of business applications creating thousands of sprawling identities in the organization, because:
- Writing and running custom Python scripts for each app (there are more than 40K SaaS apps on the internet) is not realistic. Even covering the top 100 or 1,000 would be a significant task requiring constant maintenance, while barely scratching the surface of the overall opportunity.
- Even with a complete script and the use of botnets to distribute the attack and avoid IP blocking, controls such as rate limiting, CAPTCHA and account lockout can interfere with mass credential attacks against a single application. And a concentrated attack on one site will generate significant traffic if you want to get through 15 billion passwords in a reasonable time, so it is very likely to raise alarms.
So attackers tend to focus on fewer applications and only look for direct matches when attempting credentials (i.e. the stolen credential must belong directly to an account in the target application). When they do go after something new, it is usually focused on a specific application or platform (such as Snowflake) or on a narrower category of accounts (such as accounts clearly tied to edge devices, for more traditional network environments).
A missed opportunity?
As we have already established, the situation with account attacks is already very bad, despite these constraints. But things could be much worse.
Password reuse means one compromised account can turn into many
If attackers were able to scale their attacks to target a wider range of applications (rather than focusing on a narrow set of applications), they could exploit password reuse. According to a recent identity data study, on average:
- 1 in 3 employees reuse passwords
- 9% of identities have a reused password and no MFA
- 10% of IdP accounts (used for SSO) have a unique password
What does that mean? If a stolen credential works, there is a good chance it can be used to access several accounts across more than one application (at least).
Imagine the scenario: a recent leak of compromised credentials from infostealer infections or a breach shows that a certain username and password combination works for a specific application, say Microsoft 365. Now, this account is fairly locked down: not only does it have MFA, but there is conditional access limiting IP address and location.
Usually this would end the attack and you would move on to something else. But what if you could spray those credentials at every other business application on which the user has an account?
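A defender-side illustration of the scenario above, added here and not part of the original post: per-application rate limits and lockouts each see only their own app's traffic, so the cross-application pattern (one username or source tried against many apps in minutes) is only visible where login audit events from several apps are correlated in one place. The event schema, app names and addresses below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit events (not real data), as a SIEM might
# collect them from several SaaS apps: (timestamp, app, username, source_ip, outcome)
EVENTS = [
    ("2025-02-03T09:00:01", "m365",       "alice@example.com", "203.0.113.7",  "fail"),
    ("2025-02-03T09:00:09", "salesforce", "alice@example.com", "203.0.113.7",  "fail"),
    ("2025-02-03T09:00:20", "slack",      "alice@example.com", "203.0.113.7",  "fail"),
    ("2025-02-03T09:00:31", "zendesk",    "alice@example.com", "203.0.113.7",  "success"),
    ("2025-02-03T09:01:02", "github",     "alice@example.com", "203.0.113.7",  "fail"),
    ("2025-02-03T09:05:00", "m365",       "bob@example.com",   "198.51.100.4", "success"),
    ("2025-02-03T10:30:00", "slack",      "bob@example.com",   "198.51.100.4", "success"),
]


def cross_app_spray(events, window=timedelta(minutes=10), min_apps=3):
    """Return one alert per (username, source_ip) that was tried against at
    least `min_apps` distinct applications inside any `window`-long period.

    Each alert lists the apps touched and which of them returned a success,
    so the responder knows where password reuse actually paid off.
    """
    by_key = defaultdict(list)
    for ts, app, user, ip, outcome in events:
        by_key[(user, ip)].append((datetime.fromisoformat(ts), app, outcome))

    alerts = []
    for (user, ip), rows in by_key.items():
        rows.sort()                      # chronological order for the sliding window
        best_apps, best_ok, start = set(), set(), 0
        for end in range(len(rows)):
            # advance the window start until the span [start, end] fits in `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            seen = rows[start:end + 1]
            apps = {app for _, app, _ in seen}
            if len(apps) > len(best_apps):   # keep the densest window for this key
                best_apps = apps
                best_ok = {app for _, app, out in seen if out == "success"}
        if len(best_apps) >= min_apps:
            alerts.append({"user": user, "ip": ip,
                           "apps": sorted(best_apps), "successes": sorted(best_ok)})
    return alerts


if __name__ == "__main__":
    for alert in cross_app_spray(EVENTS):
        print(alert)
```

Bob's two logins are 85 minutes apart and never reach three apps in one window, so only Alice's burst is reported.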
Scaling account attacks with computer-using agents
So far, the influence of AI on identity attacks has been limited to using LLMs to write phishing emails, AI-assisted malware development, and social media impersonation: not exactly transformational, and still demanding constant human supervision and input.
But with the launch of OpenAI Operator, a new kind of "computer-using agent", this may change.
Operator is trained on a specialized dataset and runs in its own sandboxed browser, meaning it can perform common web tasks like a human, seeing and interacting with pages as a person would.
Unlike other automation solutions, Operator does not require custom implementation and coding to interact with new sites, making it a much more scalable option for attackers looking to target a wide range of sites and applications.
Demo
Researchers at Push Security put malicious use of Operator to the test, using it to:
- Identify which companies have an existing tenant in a list of applications
- Attempt to log in to the different tenants with a supplied username and password
https://www.youtube.com/watch?v=a_yjafxpjmo
The impact in brief
The results were quite eye-opening. Operator clearly demonstrated the ability to target a list of applications with compromised credentials and perform actions inside the application. Now think about this x10, x100, x10,000... These are not difficult tasks. But the value of a CUA like Operator is not in the difficulty, it is in the scale. Imagine a world in which you can orchestrate Operator windows through an API and have them perform these actions in parallel (functionality that already exists for ChatGPT).
But this is about more than Operator; it is about the direction of the technology. OpenAI can implement restrictions (better guardrails, rate limits on the number of simultaneous tasks and on overall usage, etc.), but you can guarantee that this will not be the only CUA: it is only a matter of time before similar products (maybe even malicious ones) appear using the same technology.
Final thoughts
These are early days for CUA tech, but there is a clear sign that an already serious security problem may get worse with this particular form of AI-powered automation. While the ability to target a wide range of applications was previously beyond traditional automation, it will soon become much more accessible even to low-skilled attackers (think: next-gen script kiddies?).
Another way to think about it is that it effectively gives a person a low-level workforce that does not entirely know what it is doing, but can be tasked with performing specific, detailed jobs with only periodic check-ins, while you work on other, harder tasks. In that sense, it is a bit like being the red team leader of a team of AI bots.
Operator means attackers can compromise accounts at scale, exploiting the huge number of vulnerable and misconfigured identities and turning them into systemic breaches much more easily. In a sense, this could make account attacks a little more like they were before the transition to cloud applications, when you could spray thousands of credentials at your targets without needing custom development each time.
Fortunately, no new anti-AI capabilities are needed; it is simply more important than ever that organizations defend their identity attack surface and find identity vulnerabilities before attackers can take advantage of them.
Learn more
If you want to learn more about identity attacks and how to stop them, check out Push Security: you can book a demo or try their browser-based platform for free.
And if you want to see them demonstrate more malicious use cases for Operator, check out this on-demand webinar.