Gottagopestcontrol

85% of security breaches in 2024 were due to compromised service accounts

New research shows a rise in data breaches linked to compromised service accounts, which, once accessed, can give hackers a lucrative way to move around an organization’s network.

In a representative sample of breaches responded to by cybersecurity firm ReliaQuest between January 2024 and July 2024, 85% involved compromised service accounts.

The Florida-based company noted that this represents an increase of nearly 15% compared to the same period in 2023.

Service accounts, which are used to manage and update servers, are often configured and then forgotten. Because they are not tied to a human identity and are designed to perform automated tasks, often with elevated privileges, service accounts have become attractive targets for hackers looking to compromise entire networks, according to ReliaQuest.

Service accounts have played a crucial role in several high-profile attacks in recent years.

After attackers penetrate an environment through social engineering or phishing, they often attempt to gain access to service accounts to elevate their privileges and move laterally through the rest of the environment.

This happened in the SolarWinds attack in 2020, where threat actors used compromised service accounts to move laterally through targeted networks and access their resources.

In the UK, the Information Commissioner’s Office (ICO) recently published a detailed investigation into the 2020 attack on Hackney Council, concluding that the council had not taken any measures that could have prevented the attack.

This included “failure to change an insecure password for an inactive account that was still connected to Hackney Council’s servers, which was exploited by the attackers.”

In a blog post on the ReliaQuest website this week, threat researcher Hayden Evans pointed out that service accounts are often compromised through insecure credential storage, credential dumping and a practice known as “Kerberoasting,” which involves stealing service tickets to reveal the plaintext passwords of network service accounts.

To proactively prevent attacks, Evans recommends using secure password managers to store service account credentials and verifying that service accounts have only the necessary permissions.

He also adds that it is critical for organizations to identify and document all service accounts in their environment to maintain an accurate inventory, as well as remove inactive accounts and deregister service accounts from SPNs when they are no longer needed – this reduces the risk of Kerberoasting.

Organizations are also encouraged to use group-based Managed Service Accounts (MSAs) to secure passwords and restrict account permissions.
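
The inventory review recommended above can be scripted. The following is an added example, not code from ReliaQuest or from the original article: it audits an exported list of service accounts for inactive accounts, SPNs left registered on unused accounts, stale passwords and privileged accounts that are not managed. The CSV column names, the sample rows and the 90-day and 365-day thresholds are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (not real data). The column names are an
# assumed export layout; adapt them to whatever your directory export produces.
SAMPLE_CSV = """name,enabled,spns,last_logon,password_last_set,privileged,managed
svc-backup,true,MSSQLSvc/db01.example.test:1433,2024-07-20,2019-03-01,true,false
svc-legacy,true,HTTP/old.example.test,2022-11-02,2018-06-15,false,false
svc-web,true,HTTP/www.example.test,2024-07-28,2024-07-01,false,true
svc-retired,false,HTTP/retired.example.test,2021-01-10,2020-01-10,false,false
"""

def audit(csv_text, today, inactive_days=90, max_password_age_days=365):
    """Return {account name: [findings]} for accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        enabled = row["enabled"] == "true"
        managed = row["managed"] == "true"   # e.g. a Managed Service Account
        has_spn = bool(row["spns"].strip())
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        pwd_set = datetime.strptime(row["password_last_set"], "%Y-%m-%d")
        inactive = today - last_logon > timedelta(days=inactive_days)
        pwd_stale = today - pwd_set > timedelta(days=max_password_age_days)
        if enabled and inactive:
            issues.append("inactive but still enabled: disable or remove")
        # An SPN on an unused account keeps it exposed to Kerberoasting.
        if has_spn and (inactive or not enabled):
            issues.append("SPN still registered on unused account: remove SPN")
        if enabled and not managed and pwd_stale:
            issues.append("stale manually set password: rotate or move to MSA")
        if enabled and not managed and row["privileged"] == "true":
            issues.append("privileged and not managed: review permissions")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CSV, datetime(2024, 8, 1)).items():
        for issue in issues:
            print(f"{name}: {issue}")
```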
