Cybersecurity and Credential Stuffing
Many corporations use applications to track projects, either on premises or in the cloud. These services are very useful for the collaboration such projects require. One such service is Basecamp. Although it is focused on helping with communication and collaboration, Basecamp did experience an attack in early 2019.
In this case, the defense was successful: the company defended its systems against a massive credential stuffing attack. This occurred on January 30, 2019 at 12:45 p.m. Central. The SOC was monitoring the systems and noticed a significant increase in login attempts. The attack continued, focusing on approximately 30k accounts. In an hour, there were more than 30k login attempts from a vast array of IP addresses.
Successful Defense Methods
The first step was to block the IPs associated with the attack. With this form of attack, depending solely on IP blocking would have been folly; it served only to start the response, not as a panacea. A large number of people would need to do nothing but this for hours to have even a marginal effect, given that the attackers would just use new IPs. The second step was much more helpful: they enabled CAPTCHA, which blocked further attacks. While this did work and was very useful in the defense, there were 124 users who did have their accounts breached. These were reset and the users were emailed.
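The detection and response sequence described above, as an added example that is not Basecamp's code or part of the original article: it scores one window of login events and shows how little of a distributed attack per-IP blocking covers, while a site-wide failure signal is what turns on CAPTCHA. The event layout, thresholds, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds and the (ip, account, success) event layout are assumptions.
PER_IP_LIMIT = 20        # failures from one IP in the window before blocking it
GLOBAL_FAIL_LIMIT = 200  # site-wide failures in the window before CAPTCHA
ACCOUNT_LIMIT = 100      # distinct accounts with a failure before CAPTCHA


def evaluate_window(events):
    """Score one time window of login events given as (ip, account, success)."""
    fail_count = defaultdict(int)     # ip -> number of failed logins
    fail_accounts = defaultdict(set)  # ip -> accounts it failed against
    successes = []
    for ip, account, ok in events:
        if ok:
            successes.append((ip, account))
        else:
            fail_count[ip] += 1
            fail_accounts[ip].add(account)
    total = sum(fail_count.values())
    targeted = set().union(*fail_accounts.values())
    blocked = {ip for ip, n in fail_count.items() if n >= PER_IP_LIMIT}
    stopped = sum(fail_count[ip] for ip in blocked)
    return {
        "total_fails": total,
        "blocked_ips": blocked,
        # Share of failed attempts that per-IP blocking alone would have stopped.
        "ip_block_coverage": stopped / total if total else 0.0,
        # Site-wide signal: many failures spread over many accounts.
        "captcha": total >= GLOBAL_FAIL_LIMIT and len(targeted) >= ACCOUNT_LIMIT,
        # A success from an IP that failed against other accounts: reset candidate.
        "reset_candidates": {a for ip, a in successes
                             if fail_accounts.get(ip, set()) - {a}},
    }


def constructed_sample():
    """Constructed window: 300 IPs with 2 attempts each, one noisy IP, one real user."""
    events = []
    for i in range(300):
        ip = f"10.0.{i // 200}.{i % 200 + 1}"
        events.append((ip, f"user{2 * i}", False))
        events.append((ip, f"user{2 * i + 1}", i in (7, 70, 170)))
    events += [("192.0.2.9", "admin", False)] * 25
    events += [("192.0.2.50", "alice", False), ("192.0.2.50", "alice", True)]
    return events


if __name__ == "__main__":
    print(evaluate_window(constructed_sample()))
```

On the constructed data, the per-IP rule blocks only the single noisy address and covers about 4% of the failed attempts, while the site-wide rule fires and three accounts are flagged for reset.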
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.