Threat actors abuse valid accounts using manual tactics, CrowdStrike says
Home/CyberSecurity / Threat actors abuse valid accounts using manual tactics, CrowdStrike says
Threat actors abuse valid accounts using manual tactics, CrowdStrike says

Dive Brief:

  • Threat actors are spurning the rise of automation and using manual tactics to intrude organizations’ networks and rapidly access sensitive data, according to CrowdStrike’s 2023 Threat Hunting Report released Tuesday.
  • Attacks that use hands-on-keyboard activity, which CrowdStrike refers to as interactive intrusions, jumped 40% between July 1, 2022 and June 30, 2023, the research found. Threat actors used valid account credentials to initiate more than 3 in 5 of these attacks.
  • The technology sector remained the vertical most-frequently targeted by hands-on-keyboard attacks for the sixth-consecutive year. Attacks targeting the financial services industry jumped 80%, making it the second-most targeted vertical, followed by the retail, healthcare and telecommunications sectors, according to CrowdStrike.

Dive Insight:

The research underscores the outsized role and prevalence of valid account credentials as an entry point for cyberattacks. 

Threat actors used compromised identities in 4 in 5 of all breaches studied by CrowdStrike during the one-year period ending June 30. More than one-third of interactive intrusions involved the use of domain accounts or default accounts, the research found.

Cybercriminals are using trusted accounts to break into systems, elevate privileges and evade detection, the security vendor and incident response firm said in the report. 

“The concerning ease with which adversaries can gain initial access — often simply through purchases — blurs the distinction between legitimate users and impostors,” CrowdStrike said.

Threat actors are primarily using valid account credentials to attack critical infrastructure networks and state and local agencies, too. Valid account compromises accounted for 54% of all attacks studied by the Cybersecurity and Infrastructure Security Agency’s annual risk and vulnerability assessment released last month.

These manual-based attacks are getting faster, reaching an all-time record speed of 79 minutes on average, besting the previous record of 84 minutes in 2022. CrowdStrike said it observed one breakout time of just seven minutes.

Threat actors aren’t just relying on compromised valid credentials in identity-based attacks, but rather abusing other forms of identity and authentication as they improve phishing tactics and social engineering techniques to target more potential victims.

CrowdStrike reported a 160% annual increase in threat actors’ attempts to access secret keys and other credentials via cloud instance metadata APIs.

“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement.



Source link