Identity-based attacks are on the rise

CrowdStrike, the cybersecurity specialist, announces its Threat Hunting Report 2023, the sixth edition of the company's annual report on adversary attack trends and techniques uncovered by elite threat hunting experts and intelligence analysts at CrowdStrike.

The report revealed a significant increase in identity-based intrusions, growing expertise among adversaries targeting the cloud, a threefold increase in adversaries' use of legitimate remote monitoring and management (RMM) tools, and new all-time lows for adversary breakout times.

The Threat Hunting Report 2023 tracked adversary activity between July 2022 and June 2023 and is the first to be published by CrowdStrike's Counter Ops expert team, announced at Black Hat USA 2023.

Among the main findings of the report, the following points emerge.

  • A 583% increase in Kerberoasting identity attacks, highlighting a significant escalation in identity-based intrusions: CrowdStrike has discovered an alarming, nearly 6x year-over-year increase in Kerberoasting attacks, an adversary technique that allows cybercriminals to obtain valid credentials for Active Directory service accounts, often granting actors greater privileges and allowing them to remain undetected in victim environments for longer periods of time. Overall, 62% of all interactive intrusions involved abuse of valid accounts, while there was a 160% increase in attempts to obtain passwords and other credentials through cloud instance metadata APIs.
  • A 312% year-over-year increase in the number of adversaries leveraging legitimate RMM tools: Further confirming CISA reports, adversaries are increasingly using legitimate, well-known IT remote management applications to evade detection and blend into the corporate environment, in order to gain access to sensitive data, deploy ransomware or install custom follow-up tactics.
  • Adversary breakout time reached the lowest ever recorded, 79 minutes: The average time it takes for an adversary to move laterally from a first point of compromise to another host in the victim's environment fell from 84 minutes in 2022 to a record 79 minutes in 2023. Also, the fastest breakout time on record this year was just 7 minutes.
  • The financial industry has experienced an 80% year-over-year increase in interactive intrusions, that is, intrusions that involve hands-on-keyboard activity. Interactive intrusions increased 40% overall.
  • Advertisements from access brokers increased 147% in underground or criminal communities: Ready access to accounts for sale lowers the barrier to entry for eCrime actors looking to conduct criminal operations, while allowing known adversaries to hone their post-exploitation techniques to achieve their goals more efficiently.
  • Adversaries' use of a Linux privilege escalation tool to exploit cloud environments has tripled: Falcon OverWatch, CrowdStrike's expert threat hunting service that operates 24/7/365, has seen a threefold increase in use of the Linux tool linPEAS, which adversaries use to gain access to cloud environment metadata, network attributes and various credentials that they can then exploit.

"Our monitoring of more than 215 adversaries over the past year has given us visibility into the cyber threat landscape, which has grown in complexity and depth as threat actors rely on new tactics and platforms, such as abuse of valid credentials to attack the cloud and software vulnerabilities," commented Adam Meyers, Head of Counter Adversary Operations at CrowdStrike.

"When it comes to stopping breaches, we can't ignore the fact that adversaries are getting faster and employing tactics intentionally designed to evade traditional detection methods. Cybersecurity leaders must ask themselves if they have the solutions they need to stop an opponent's lateral movement in just seven minutes."

You can download the full report Nowhere to Hide: 2023 CrowdStrike Threat Hunting Report on the CrowdStrike website.
