CrowdStrike on Tuesday released its 2023 Threat Hunting Report, warning that threat actors have doubled down on identity-based attacks over the past year.
The new report is based on data collected over a 12-month period — between July 1, 2022, and June 30, 2023 — and it covers several major topics, including identity threats, cybercrime group techniques and tactics, as well as Linux and macOS insights and trends.
According to CrowdStrike, 62% of interactive intrusions involved the abuse of valid accounts, and 34% of breaches involved the use of domain or default accounts. In addition, there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Pass-the-hash attacks increased by 200% year-over-year.
The biggest rise related to identity threats was observed in Kerberoasting attacks, which increased 583%, with a Russian-speaking ransomware group known as Vice Spider and Vice Society being responsible for 27% of all Kerberoasting attacks.
Kerberoasting is a post-exploitation technique that involves the abuse of the Kerberos network authentication protocol. It can be leveraged for privilege escalation and lateral movement, and attacks are not easy to detect due to the fact that Kerberos is widely used and malicious activities blend with regular activity.
“Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting specifically involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials,” CrowdStrike explained.
The cybersecurity firm observed a 40% year-over-year increase in interactive intrusions, with the technology sector being the most targeted for the sixth year in a row. The financial services industry saw the biggest increase in interactive intrusions, at more than 80%.
The most aggressive state-sponsored threat actors to target the financial sector operate on behalf of North Korea, CrowdStrike said.
The latest threat report also shows a 147% increase in initial access broker ads on the dark web. There has also been an increase of more than 300% in the use of legitimate remote monitoring and management (RMM) tools.