CrowdStrike has released its 2023 Threat Hunting Report. The company’s sixth annual report captures the attack trends and attacker tactics observed by CrowdStrike’s threat hunters and intelligence analysts. It documents a massive spike in identity-based attack attempts, growing attacker sophistication in the cloud, a three-fold increase in the use of legitimate remote monitoring and management (RMM) tools, and a new all-time low in attack breakout time.
The new Threat Hunting Report considers attacker activity between July 2022 and June 2023 and is the first report to be released by CrowdStrike’s new Counter Adversary Operations team, which was officially unveiled at Black Hat USA 2023 this week.
The key findings of the report include:
- The massive 583% growth in Kerberoasting attacks exemplifies the extreme growth in identity-based attacks: CrowdStrike saw an alarming increase in Kerberoasting attacks, up almost six-fold year-over-year. Kerberoasting is a technique attackers use to obtain valid Active Directory account credentials, which often give them greater privileges and allow them to remain undetected in their victims’ environments for extended periods of time. Overall, valid credentials were misused in 62 percent of all interactive attack attempts. At the same time, attempts to obtain secret keys and other credentials from cloud instances via metadata APIs increased by 160 percent.
- The number of attackers abusing legitimate RMM tools increased by 312 percent year-on-year: consistent with CISA reports, attackers are increasingly using legitimate, well-known remote IT management applications to avoid detection. This gives them a foothold from which to access sensitive data, deploy ransomware, or carry out other targeted follow-on activity.
- At 79 minutes, breakout time hits a new all-time low: the average time it takes an attacker to move laterally from the initial compromise to other hosts in the victim environment dropped from the previous low of 84 minutes in 2022 to a new record of 79 minutes this year. The shortest breakout time of the year was just 7 minutes.
- The volume of interactive attacks on the financial sector increased by more than 80 percent compared to the previous year. Overall, interactive attack attempts, meaning all attacks involving hands-on-keyboard activity, increased by 40 percent.
- The number of Dark Web listings from access brokers increased by 147 percent: easy access to valid accounts available for purchase lowers the barrier to entry for eCrime actors looking to conduct criminal operations, and allows established adversaries to refine their post-exploitation tradecraft and achieve their goals more efficiently.
- Attackers’ use of Linux privilege escalation tools to exploit cloud environments has tripled: Falcon OverWatch, CrowdStrike’s leading 24/7/365 threat hunting service, saw a three-fold increase in the use of the Linux tool linPEAS. Attackers use this tool to obtain cloud environment metadata, network attributes, and various credentials, which they can then exploit.
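The Kerberoasting finding above is visible in Windows domain controller telemetry: a roasting run shows up as one account requesting service tickets for many different SPNs in a short time, typically with RC4 encryption (TicketEncryptionType 0x17 in Security event 4769) because RC4 tickets are cheaper to crack offline. The following detector is an added example and not code from CrowdStrike or the report; the event records are constructed to mirror the field names of event 4769, the five-minute window and the threshold of five distinct SPNs are assumed starting points, and the `krbtgt` exclusion avoids counting TGT renewals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on the fields of Windows Security event
# 4769 ("A Kerberos service ticket was requested"). They are made up for this
# example and are not real telemetry.
SAMPLE_EVENTS = [
    # one user account requesting six different SPNs with RC4 in two minutes
    {"TimeCreated": "2023-06-01T10:00:01", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/db01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T10:00:02", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/db02.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T10:00:04", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "HTTP/intranet.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T10:00:30", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "CIFS/files01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T10:01:10", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "LDAP/dc01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T10:01:55", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "TERMSRV/rdp01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    # a service account using AES (0x12): ordinary traffic, not what a roaster wants
    {"TimeCreated": "2023-06-01T10:00:05", "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": "CIFS/files01.corp.local", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2023-06-01T10:00:06", "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": "CIFS/files02.corp.local", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    # a single RC4 request from a legacy application: stays below the threshold
    {"TimeCreated": "2023-06-01T10:02:00", "TargetUserName": "legacyapp@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/db01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    # TGT renewal: ServiceName krbtgt is excluded from the count
    {"TimeCreated": "2023-06-01T10:02:30", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]

RC4_HMAC = "0x17"              # TicketEncryptionType value for RC4-HMAC
IGNORED_SERVICES = {"krbtgt"}  # TGT traffic, not a roastable SPN


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per account that requested at least `threshold`
    distinct RC4-encrypted service tickets within any `window`-long period."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if ev["ServiceName"].split("/")[0].lower() in IGNORED_SERVICES:
            continue
        per_account[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"], ev["IpAddress"]))

    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        best_services = set()
        # sliding window ending at each request: distinct SPNs seen in the last `window`
        for end_time, _svc, _ip in reqs:
            in_window = {svc for t, svc, _ in reqs if end_time - window <= t <= end_time}
            if len(in_window) > len(best_services):
                best_services = in_window
        if len(best_services) >= threshold:
            alerts.append({
                "account": account,
                "distinct_services": len(best_services),
                "services": sorted(best_services),
                "source_ips": sorted({ip for _, _, ip in reqs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting by {alert['account']}: "
              f"{alert['distinct_services']} RC4 SPN requests from {alert['source_ips']}")
```

Run against the constructed events, only `jsmith` trips the rule: six distinct RC4 SPN requests inside two minutes, with the `krbtgt` renewal left out. The AES-only service account and the single legacy RC4 request are not flagged. In a real environment the threshold needs tuning against a baseline of which accounts legitimately still request RC4 tickets, and the longer-term fix the finding points to is reducing the roastable surface: long random passwords or group Managed Service Accounts for SPN-bearing accounts, and AES-only encryption on them.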
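Two of the findings above (the 160 percent rise in credential theft via cloud metadata APIs, and linPEAS being used to pull cloud metadata and credentials) share one mitigation on AWS: requiring the session-token-based IMDSv2 and keeping the PUT response hop limit at 1, so that a process that can only send a plain GET, or that sits behind a container or proxy hop, cannot read the instance role’s credentials. The audit below is an added example, not code from the report or from CrowdStrike; it evaluates dictionaries shaped like the `MetadataOptions` block of an EC2 `DescribeInstances` response, and the instance records are constructed, not real.

```python
# Constructed sample shaped like the Instances entries of an EC2
# DescribeInstances response (only the fields the audit reads are included).
# The instance IDs are placeholders, not real instances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0example0001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0002",  # IMDSv1 still allowed
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0003",  # IMDSv2 enforced but reachable through extra hops
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
    {"InstanceId": "i-0example0004",  # endpoint disabled entirely: nothing to read
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


def audit_metadata_options(instances, max_hop_limit=1):
    """Return a finding for every instance whose metadata service is enabled but
    either still answers IMDSv1 requests (HttpTokens != "required") or allows
    more than `max_hop_limit` network hops for the IMDSv2 token PUT."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue
        issues = []
        if opts.get("HttpTokens") != "required":
            issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
        hop_limit = opts.get("HttpPutResponseHopLimit", 1)
        if hop_limit > max_hop_limit:
            issues.append(f"HttpPutResponseHopLimit is {hop_limit}; containers or proxies on the host can reach IMDS")
        if issues:
            findings.append({"InstanceId": inst["InstanceId"], "issues": issues})
    return findings


if __name__ == "__main__":
    # To run this against a real account, build `instances` from boto3 instead:
    #   ec2 = boto3.client("ec2")
    #   instances = [i for r in ec2.describe_instances()["Reservations"] for i in r["Instances"]]
    for finding in audit_metadata_options(SAMPLE_INSTANCES):
        for issue in finding["issues"]:
            print(f"{finding['InstanceId']}: {issue}")
```

On the constructed data the audit flags `i-0example0002` (IMDSv1 reachable) and `i-0example0003` (hop limit too high) and passes the other two. An instance that fails can be corrected with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the same posture can be set as the account-level default for new instances so the check stops producing findings over time.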
“We observed more than 215 attackers over the past year and found that the threat landscape is becoming increasingly complex and pervasive as attackers take advantage of new tactics and platforms, such as the misuse of valid credentials to exploit vulnerabilities in the cloud and software,” explains Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “When we talk about preventing security breaches, we cannot ignore the undeniable fact that attackers are becoming faster and employing tactics intentionally designed to evade traditional detection methods. Security leaders must therefore assess whether their teams have the necessary solutions to stop an attacker’s lateral movements within seven minutes.”