Tuesday, 22 August 2023

CrowdStrike: Massive growth in identity-based intrusions

The annual CrowdStrike 2023 Threat Hunting Report has uncovered a massive increase in identity-based intrusions, growing expertise by adversaries targeting the cloud, a 3x spike in adversary use of legitimate remote monitoring and management (RMM) tools, and a record low in adversary breakout time.

Covering adversary activity between July 2022 and June 2023, the 6th edition of the report is the first to be published by CrowdStrike’s newly-unveiled Counter Adversary Operations team. Key global findings from the team include:

● A 583% increase in Kerberoasting identity attacks, highlighting a massive escalation in identity-based intrusions. CrowdStrike found a nearly 6x year-over-year (YoY) spike in Kerberoasting attacks, a technique adversaries can abuse to obtain valid credentials for Microsoft Active Directory service accounts, often providing actors with higher privileges and allowing them to remain undetected in victim environments for longer periods of time.

Overall, 62% of all interactive intrusions involved the abuse of valid accounts, while there was a 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.
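A defender-side illustration of the Kerberoasting pattern described above, added here as an example and not part of the report or CrowdStrike's tooling: it scans constructed Windows event 4769 (service ticket request) records and flags an account that requests RC4-encrypted tickets for many distinct service accounts within a short window. The field names, thresholds and sample records are assumptions for the example.

```python
"""Kerberoasting detection heuristic over Windows Security event 4769 records.
Constructed example: one account requesting RC4 (etype 0x17) service tickets for many
distinct SPNs in a short window is the classic signature. Field names assume the 4769
event data layout; the sample records are made up."""
from collections import defaultdict
from datetime import datetime, timedelta
RC4_ETYPE = "0x17"            # RC4-HMAC; AES tickets are 0x11 / 0x12
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 5             # distinct roastable SPNs per account per window

def _ev(ts, user, svc, etype, ip):
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample: alice is benign (AES); bob sweeps SPNs with RC4; carol stays under threshold.
SAMPLE_EVENTS = [
    _ev("2023-05-02T09:00:01", "alice", "sqlsvc", "0x12", "10.0.1.20"),
    _ev("2023-05-02T09:10:00", "bob", "FS01$", RC4_ETYPE, "10.0.5.7"),  # computer account
    _ev("2023-05-02T09:10:03", "bob", "sqlsvc", RC4_ETYPE, "10.0.5.7"),
    _ev("2023-05-02T09:10:04", "bob", "httpsvc", RC4_ETYPE, "10.0.5.7"),
    _ev("2023-05-02T09:10:05", "bob", "mssql2", RC4_ETYPE, "10.0.5.7"),
    _ev("2023-05-02T09:10:06", "bob", "backupsvc", RC4_ETYPE, "10.0.5.7"),
    _ev("2023-05-02T09:11:30", "bob", "exchsvc", RC4_ETYPE, "10.0.5.7"),
    _ev("2023-05-02T08:00:00", "carol", "sqlsvc", RC4_ETYPE, "10.0.9.3"),
    _ev("2023-05-02T14:00:00", "carol", "httpsvc", RC4_ETYPE, "10.0.9.3"),
]

def is_roastable(service_name):
    """Computer accounts ($) and krbtgt are not what Kerberoasting targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def detect_kerberoasting(events, window=WINDOW, threshold=SPN_THRESHOLD):
    """Return one alert per (account, ip): (account, ip, distinct_spns, window_start)."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] == RC4_ETYPE and is_roastable(ev["ServiceName"]):
            per_source[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    alerts = []
    for (account, ip), reqs in per_source.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):          # sliding window over sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= threshold:
                alerts.append((account, ip, len(spns), reqs[start][0].isoformat()))
                break                         # one alert per source is enough
    return alerts
```

In a real deployment the same logic would read 4769 events from the Security log or a SIEM and would be tuned against legitimate RC4-only legacy services before alerting.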

● A 312% YoY increase in adversaries leveraging legitimate RMM tools: Giving further credence to reports from CISA, adversaries are increasingly using legitimate and well-known remote IT management applications to avoid detection and blend into the noise of the enterprise in order to access sensitive data, deploy ransomware or carry out more tailored follow-on tactics.

● Adversary breakout time has hit an all-time low of 79 minutes: The average time it takes an adversary to move laterally from initial compromise to other hosts in the victim environment fell from the previous all-time low of 84 minutes in 2022 to 79 minutes in 2023. Additionally, the fastest breakout time of the year was recorded at just seven minutes.

● The financial industry saw an 80% YoY increase in interactive intrusions, defined as intrusions that use hands-on-keyboard activity. Interactive intrusions were up 40% overall.

● Access broker advertisements increased by 147% on criminal or underground communities: Ready access to valid accounts for sale lowers the barrier to entry for eCrime actors looking to conduct criminal operations, and allows established adversaries to hone their post-exploitation tradecraft to achieve their objectives with more efficiency.

● 3x increase in adversary use of a Linux privilege-escalation tool to exploit cloud environments: CrowdStrike witnessed a threefold increase in use of the Linux tool linPEAS, which adversaries use to gain access to cloud environment metadata, network attributes, and various credentials that they can then exploit.

“In our tracking of over 215 adversaries in the past year, we have seen a threat landscape that has grown in complexity and depth as threat actors pivot to new tactics and platforms, such as abusing valid credentials to target vulnerabilities in the cloud and in software,” said Adam Meyers, head of Counter Adversary Operations at CrowdStrike.

“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods. Security leaders need to ask their teams if they have the solutions required to stop lateral movement from an adversary in just seven minutes.”

Source: CrowdStrike infographic. Graph showing the top 10 verticals in APJ by intrusion frequency.
Source: CrowdStrike infographic. Tech firms and telcos in APJ have been hit hard by intrusions.

In the Asia Pacific and Japan (APJ) region, CrowdStrike found that the technology vertical was the most frequently impacted in the region, mirroring the global trend. This was followed by the telecommunications vertical, accounting for at least 10% of all intrusion activity. A significant proportion of the intrusions against the telecommunications vertical were attributed to suspected China-nexus threat actors, CrowdStrike said.

China-nexus actors were observed across 14 industry verticals in APJ, compared with six in the Americas and two in EMEA. The most active adversaries targeting the Asia Pacific region were:

- Labyrinth Chollima (North Korea state-linked actor)

- Bitwise Spider (e-crime adversary)

- Ethereal Panda (Chinese state-linked actor)

- Sunrise Panda (Chinese state-linked actor)

- Frontline Jackal (e-crime adversary)

Download the 2023 CrowdStrike Threat Hunting Report on the CrowdStrike website at https://www.crowdstrike.com/resources/reports/threat-hunting-report/
