Coalition finds ‘underappreciated’ IT threat: exposed login panels

A cyber insurer pro tells us how to lock down the login.

If you want to get into a party you’re not invited to, you’ve got two options: Rappel down from the second-story skylight, or hope someone opens the front door for you.

Locked-out threat actors have been hanging (high-tensile rope excluded) by the entrance, according to a recent report from cyber insurer Coalition, going after login panels—entry points leading to costly compromises.

Coalition pointed to an “underappreciated” driver of ransomware attacks: exposed logins, which the company defines as an interface accessible from the open internet.

By gaining unauthorized access to a target’s device, attackers can exfiltrate data or install and execute ransomware—a threat that, according to industry reports, increased in 2024.

“I think, particularly for small businesses, they just think, ‘Hey, I’m a 20-person retail firm in Milwaukee. Why would someone target our firm?’ And what they don’t quite get is that threat actors are scanning the internet, the entire internet, looking for these exposures,” Daniel Woods, principal security researcher at Coalition, told us.

Change it up. In case you need 22 million reasons to listen up about the threat of exposed logins, UnitedHealth Group reportedly paid that amount in ransom dollars last year, following a cyberattack against its subsidiary Change Healthcare (and its compromised login) in February 2024.

UnitedHealth Group CEO Andrew Witty told Congress in May 2024 that criminals used compromised credentials to access a Change Healthcare Citrix portal, an application enabling remote access to desktops. The portal lacked multi-factor authentication, Witty told the Senate Finance Committee.

By the numbers. Coalition’s report, which highlighted Change Healthcare’s incident as an example of the exposed-login threat, found:

  • “Stolen credentials” was the most common initial access vector, surpassing software exploits and social engineering and factoring into 47% of all ransomware claims.
  • Coalition’s AI system detected that more than 65% of businesses “had at least one internet-exposed web login panel at the time of applying for cyber insurance.”
  • Coalition’s January 2024 scan of IPv4 and some IPv6 addresses found that over 5 million systems expose Microsoft Terminal Services to the internet, the cyber insurer’s report stated. (With Terminal Services, also known as Remote Desktop Services, a user can log on at a terminal, and then run applications on the host computer.)

The choice is yours. Once at a landing page, threat actors can guess a user name and password through a variety of methods, from brute-forcing to social engineering to deploying infostealers, Woods said.

Administrative panels may allow IT admins or third parties to add firewall rules or manage security appliances via a browser. The Coalition team, in the report, recommended admin panels only be accessible through a corporate network (not the open internet), and that employee VPN logins should deploy multi-factor authentication.

Unlike a software vulnerability, which falls to the technology vendor to remove, login panels are a configuration choice that an IT pro makes, according to Woods.

“An IT admin enables the panel. They think, ‘Great. It allows our employees to easily access data that improves productivity,’” Woods said. “But what they don’t think is, attackers are actively scanning for this.”
