Successful identity-based attacks continue to plague IT departments, according to CrowdStrike’s sixth annual Threat Hunting report.
Based on an analysis of what they call interactive intrusions — where a threat actor was operating with hands-on-keyboard in a victim’s IT environment for the 12-month period ending June 30 — researchers found:
— there was a 62 per cent increase in attacks involving the abuse of valid accounts compared to the same period a year ago — that is, the attackers had valid credentials.
Only 14 per cent of intrusions where valid accounts were used also involved a brute-force attack. Of the remaining 86 per cent of intrusions involving a valid account, over half originated from a system external to the organization. “This suggests these accounts were likely obtained through credential harvesting, password reuse, phishing, an insider threat, or session hijacking, or they were purchased from an initial access broker,” says the report;
— 34 per cent of intrusions specifically involved the use of domain or default accounts;
— a 160 per cent increase in attempts to gather secret keys and other credential materials through cloud instance metadata APIs;
— a 200 per cent increase in pass the hash attacks;
— and a 583 per cent increase in what are called Kerberoasting attacks, a technique for stealing or forging Kerberos tickets. Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials.
Defensive measures to fight Kerberoasting include monitoring Windows Event logs for unusual Kerberos service ticket requests, reviewing Active Directory settings for service accounts with unapproved SPNs, and making sure all service accounts have complex passwords that can’t be easily cracked.
CrowdStrike researchers also recently discovered the abuse of network provider dynamic link libraries (DLLs) as a means to harvest valid credentials. A network provider DLL enables the Windows operating system to communicate with other types of networks by providing support for different networking protocols. With this newly documented technique, the report says, adversaries operate without the need to touch the Local Security Authority Subsystem Service (LSASS) or dump the system Security Account Manager (SAM) hive, both of which are often highly monitored by security tools.
“This sub-technique provides an evasive way to access valid account details,” the report says.
Threat actors can also move swiftly to take advantage of misconfigurations, the report notes. For example, in November 2022, a CrowdStrike customer accidentally published its
cloud service provider root account’s access key credentials to GitHub. “Within seconds,” the report notes, “automated scanners and multiple threat actors attempted to use the compromised credentials. The speed with which this abuse was initiated suggests that multiple threat actors — in efforts to target cloud environments — maintain automated tooling to monitor services such as GitHub for leaked cloud credentials.”
Generally, the report says, defences against identity-based attacks include auditing user accounts for weak passwords, implementing the principle of least privilege and role-based access, implementing a zero trust model, and implementing proactive and continuous hunting across identity for anomalous user behaviour.
The full report is available here. Registration is required.