CrowdStrike on Tuesday released its 2023 Threat Hunting Report, warning that threat actors have doubled down on identity-based attacks over the past year.
The new report is based on data collected over a 12-month period — between July 1, 2022, and June 30, 2023 — and it covers several major topics, including identity threats, cybercrime group techniques and tactics, as well as Linux and macOS insights and trends.
According to CrowdStrike, 62% of interactive intrusions involved the abuse of valid accounts, and 34% of breaches involved the use of domain or default accounts. In addition, there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Pass-the-hash attacks increased by 200% year-over-year.
The biggest rise related to identity threats was observed in Kerberoasting attacks, which increased 583%, with a Russian-speaking ransomware group known as Vice Spider and Vice Society being responsible for 27% of all Kerberoasting attacks.
Kerberoasting is a post-exploitation technique that involves the abuse of the Kerberos network authentication protocol. It can be leveraged for privilege escalation and lateral movement, and attacks are not easy to detect due to the fact that Kerberos is widely used and malicious activities blend with regular activity.
“Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting specifically involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials,” CrowdStrike explained.
The cybersecurity firm observed a 40% year-over-year increase in interactive intrusions, with the technology sector being the most targeted for the sixth year in a row. The financial services industry saw the biggest increase in interactive intrusions, at more than 80%.
The most aggressive state-sponsored threat actors to target the financial sector operate on behalf of North Korea, CrowdStrike said.
The latest threat report also shows a 147% increase in initial access broker ads on the dark web. There has also been an increase of more than 300% in the use of legitimate remote monitoring and management (RMM) tools.
Related: Ransomware Attacks on Industrial Organizations Doubled in Past Year: Report
Related: Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends
Related: 33 New Adversaries Identified by CrowdStrike in 2022
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
