Oort lays out last year’s attacks, authentication methods, and other related issues in the identity and access management (IAM) sphere in a new report released today.
A look at IAM-based threats and vulnerabilities.
Identity and Access Management (IAM) platform provider Oort this morning released its 2023 State of Identity Security report, which details prevalent identity attacks that occurred in 2022, weaknesses in multi-factor authentication (MFA), and related issues in the IAM industry.
MFA is underused by enterprises.
Researchers reference this month’s attack on Reddit, where attackers were able to obtain both a password and a one-time password (OTP) from the victim, as well as attacks from cybercriminal gang 0ktapus. 0ktapus targeted Twilio and is suspected of having targeted Coinbase. Such incidents have motivated a push from the security community toward phishing-resistant MFA, as strong second factors have accounted for only 1.82% of all logins. Just over 40% of organizations observed had weak MFA or none at all, leaving many gaps for attackers to potentially exploit.
Dormant accounts: an attacker’s goldmine.
On average, just under a quarter (24.15%) of a company’s accounts are dormant, and these often have fewer activity monitors and controls in place. Oort found, for example, that in August 2022 password-guessing attacks by threat group APT29 targeted dormant mailboxes. The cybercriminals guessed the password of an account that had not been set up correctly. Research from the last two months of 2022 also showed an average of just over 500 attack attempts against inactive accounts.
Hackers set their sights on executives and administrators.
Those with more administrative access within a company are likely to be the most targeted in IAM cyberattacks. Researchers found that domain administrators had triple the likelihood of being probed when compared to other employees. Attackers also set their sights on executives, many of whom seem to be more lax with their MFA, especially on weekends.
Oort’s recommendations.
Oort recommends deleting inactive user accounts to reduce risk. It also recommends developing an identity inventory, using strong MFA practices, engaging in continuous monitoring, and investigating every user incident to rule out any suspicious cases.