Hacked service accounts involved in 85% of data breaches
New research reveals an uptick in data breaches involving compromised service accounts, which can offer hackers a lucrative way to move around inside an organisation’s network once they have gained access.
In a representative sample of breaches that cyber firm ReliaQuest responded to between January 2024 and July 2024, it claims 85% involved compromised service accounts.
The Florida-based firm noted this marked a jump of almost 15% compared to the same period in 2023.
Often configured and then forgotten, service accounts are used to manage and update servers. Because they are not attached to any human identity and are designed to perform automated tasks, often with elevated privileges, service accounts have become attractive targets for hackers looking to compromise entire networks, according to ReliaQuest.
Service accounts have played a crucial role in several high-profile attacks in recent years.
After breaching an environment via social engineering or phishing, adversaries often attempt to gain access to service accounts to elevate privileges and move laterally through the rest of the environment.
This happened in the 2020 SolarWinds attack, where the threat actors used compromised service accounts to move laterally through targeted networks to access their resources.
In the UK, meanwhile, the Information Commissioner’s Office (ICO) recently published a lengthy investigation into the 2020 attack on Hackney Council, concluding that the council failed to implement measures that could have prevented the attack.
These included “the failure to change an insecure password on a dormant account still connected to Hackney Council servers, which was exploited by the attackers.”
Writing in a blog post on ReliaQuest’s website this week, threat researcher Hayden Evans noted that service accounts are often compromised via insecure credential storage, credential dumping and a practice known as “Kerberoasting”, which involves stealing service tickets to uncover the plaintext passwords of network service accounts.
To proactively prevent attacks, Evans suggests using secure password managers to store service account credentials, and verifying whether service accounts have only the necessary privileges.
He also adds that it is vital that firms identify and document all service accounts in their environment to maintain an accurate inventory, and that they remove dormant accounts and deregister service accounts with SPNs if they are no longer needed, as this will reduce the chance of Kerberoasting.
Organisations are also advised to use group Managed Service Accounts (MSAs) to secure passwords and limit account privileges.
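As an added example (not from ReliaQuest or the original article), the following Python audits a directory export for the conditions named above: dormant accounts, accounts with SPNs, and privileged group membership. The CSV column names, the 90-day dormancy threshold, the group list and the sample accounts are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Assumptions (not from the article): 90-day dormancy threshold, group names,
# and the CSV column names of a hypothetical directory export.
DORMANT_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export; account names, hosts and dates are invented.
SAMPLE_EXPORT = """SamAccountName,ServicePrincipalNames,LastLogon,MemberOf
svc-backup,MSSQLSvc/db01.example.test:1433,2023-02-11,Domain Admins
svc-web,HTTP/app01.example.test,2024-07-28,Web Operators
svc-legacy,,,Administrators
svc-print,HOST/print01.example.test;HTTP/print01.example.test,,Print Operators
"""

def split_multi(value):
    """Split a semicolon-separated export field, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def audit_service_accounts(export_text, today):
    """Return one inventory record per account with the findings to act on."""
    inventory = []
    for row in csv.DictReader(io.StringIO(export_text)):
        spns = split_multi(row["ServicePrincipalNames"])
        groups = split_multi(row["MemberOf"])
        last_logon = row["LastLogon"].strip()
        # An account that has never logged on is treated as dormant.
        dormant = (not last_logon
                   or today - date.fromisoformat(last_logon) > DORMANT_AFTER)
        findings = []
        if dormant and spns:
            findings.append("dormant with SPN: deregister SPN or remove account")
        elif dormant:
            findings.append("dormant: remove account")
        elif spns:
            findings.append("SPN registered: confirm the service still needs it")
        if PRIVILEGED_GROUPS & set(groups):
            findings.append("privileged group: verify least privilege")
        inventory.append({"account": row["SamAccountName"], "spns": spns,
                          "dormant": dormant, "findings": findings})
    return inventory

if __name__ == "__main__":
    for record in audit_service_accounts(SAMPLE_EXPORT, date(2024, 8, 1)):
        print(record["account"], "->", "; ".join(record["findings"]) or "ok")
```

The returned records double as the documented inventory; accounts flagged both dormant and privileged are the ones to deal with first.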