Orgs are having a major identity crisis while crims reap the rewards
Hacking your way in is so 2022 – logging in is much easier
Identity-related threats pose an increasing risk to those protecting networks because attackers – ranging from financially motivated crime gangs and nation-state backed crews – increasingly prefer to log in using stolen credentials instead of exploiting vulnerabilities or social engineering.
In two separate reports published on Wednesday, IBM X-Force and security biz CrowdStrike found a huge surge in cyber attacks using valid credentials and other techniques spoofing legitimate users.
IBM's threat hunters found a 71 percent year-over-year increase in the volume of attacks using valid credentials in 2023. "And that's huge," Michelle Alvarez, a manager for IBM X-Force's strategic threat analysis team, told The Register.
Specifically, compromised valid accounts represented 30 percent of all incidents that X-Force responded to in 2023 – pushing that attack vector to the top of the list of cyber criminals' most common initial access points for the first time ever. X-Force also found that cloud account credentials make up 90 percent of for-sale cloud assets on the dark web.
Meanwhile phishing, also at 30 percent, tied with valid account abuse as the top initial access vector in 2023. However, the overall volume of phishing attacks was down by 44 percent compared to 2022 – which IBM attributes, in part, to the use of valid credentials to gain initial access.
"It was clear to us that last year, attackers were logging in versus hacking in," Alvarez said.
The X-Force 2024 Threat Intelligence Index is based on monitoring or more than 150 billion security events per day in more than 130 countries, plus data from its threat intel, incident response, red team and Red Hat Insights.
When the front door's open …
"Identity is the number one thing that organizations need to be thinking about," warned Adam Meyers, head of counter adversary operations at CrowdStrike. "Adversaries have figured out that it's the easiest and fastest way in."
CrowdStrike's 2024 Global Threat Report – gleaned from analyzing the 230 criminal groups that it tracks – found a similar uptick in identity-related threats. In addition to using stolen credentials, the security biz spotted attackers targeting API keys and secrets, session cookies and tokens, one-time passwords, and Kerberos tickets throughout last year.
"Threat actors have really focused on identity – taking a legitimate identity, logging in as a legitimate user, and then laying low, staying under the radar by living off the land and using legitimate tools," Meyers explained.
This echoes the security shop's earlier threat hunting report published in August, which found a 312 percent year-over-year increase in the use of remote monitoring and managing tools.
"These are tools that would likely be used by administrators, so less likely to be something that will catch attention – especially if it was deployed by a legitimate user," Meyers said. "Threat actors are really trying to camouflage themselves with legitimate behavior or things that look legitimate and are harder to peel away."
- Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts
- Crooks hook hundreds of exec accounts after phishing in Azure C-suite pond
- Meet VexTrio, a network of 70K hijacked websites crooks use to sling malware, fraud
- Cloudflare sheds more light on Thanksgiving security breach in which tokens, source code accessed by suspected spies
Take Scattered Spider, for example, which Meyers described as a "great example" of an identity-based attacker.
That crew, thought to be based in the US and UK, is believed to be responsible for the network intrusions and subsequent ransoming of Caesars Entertainment and MGM Resorts over the summer.
The criminals have proven very adept at pulling off extortion attacks using SMS and voice phishing to harvest credentials, as well as making phone calls to help desks and convincing the tech support workers to provide password and MFA resets for their companies' admin accounts. The crew has also pulled off several SIM swapping scams – successfully convincing cellular network operators to transfer a target's phone number to a SIM card controlled by Scattered Spider.
Beware the bears
Nation-state linked attackers also conducted their share of identity-based attacks last year.
One of the Kremlin's goon squads, Cozy Bear, has been conducting credential phishing campaigns using Microsoft Teams messages to steal MFA tokens for Microsoft 365 accounts since at least late May 2023.
Using valid credentials for initial access helps attacks evade detection. According to CrowdStrike, they typically obtain these legitimate identities via accidental credential leakage, brute-force attacks, phishing/social engineering, credential stealers, access brokers, insecure self-service password-reset services and insider threats.
"Then once they have that identity, they're able to enroll or bypass multi-factor authentication, and then move laterally," Meyers observed, noting that in some cases last year – ahem, Microsoft – MFA wasn't even deployed.
"Identity-based and social-engineering attacks are the number one thing that organizations are getting popped by," Meyers added. "And this continues to be the biggest problem." ®