2023 saw more threat actors target end-of-life products, according to the CrowdStrike 2024 Global Threat Report. In some cases, threat actors developed new exploitations to use against these solutions. The report also noted that “otherwise antiquated malware families” could be used against operating systems and legacy gateway appliances that are no longer supported.
Threat actors are also increasingly taking advantage of the cloud. In some cases, attackers might move between cloud and on-premise environments. For example, Scattered Spider, the group — known for attacking MGM — sometimes looks to get access to a target’s Microsoft 365 environment, then searches SharePoint Online to find VPN setup instructions. With that, the group can then log into the victim’s VPN and travel laterally to its on-premise servers. Another group, Evil Corp (also called Indrik Spider), was seen deleting victims’ cloud-based backups.
Overall, CrowdStrike observed a 75 percent increase in intrusions in cloud environments from 2022 to 2023, although not all of these were deliberate. Some of these cases involved threat actors who appeared either unaware that they’d compromised a cloud environment or which otherwise “did not take advantage of cloud features.”
In 2023, attackers increasingly turned to so-called “interactive intrusions” in which they conducted hands-on activities instead of simply deploying malicious tooling and scripts. Interactive intrusion campaigns increased 60 percent year over year during 2023, per the report. Such attacks were most often leveraged against the tech industry (accounting for 23 percent of the interactive intrusions observed in 2023), while 9 percent hit governments and 4 percent hit education. North America was the most targeted area, with 61 percent of interactive intrusions launched against victims in the region.
Seventy-five percent of the attacks that CrowdStrike detected in 2023 used methods other than malware to get initial access into victims’ environments, a slight uptick over what the company saw in 2022. Those non-malware methods might involve social engineering; exploiting vulnerabilities or using stolen, legitimate credentials sold by access brokers. Access brokers most commonly advertised sale of initial access to entities in the academic sector and were especially likely to offer sale of access to entities in the U.S.
And attackers got faster at going from gaining initial entry into a victim's network to then moving laterally toward a new target on the network.
Looking ahead, CrowdStrike also added its voice to the many anticipating that generative AI could be used to fuel election disinformation campaigns, during a year when much of the world population goes to the polls. And 2024 may see older forms of election-related attacks, too, like distributed denial of service (DDoS) and website defacement attacks against voting information websites.
Ransomware continues to be a threat as well. The average ransom demand CrowdStrike saw in 2023 was lower than the 2022 average, but report authors asserted that this finding likely only reflected that victims and cyber extortionists are more often keeping ransom amounts and payments a secret — skewing the available data — rather than reflecting an actual decline in extortion demands.
In last year’s report, CrowdStrike noticed more cyber extortionists stealing data and threatening to leak it unless paid, without bothering to deploy ransomware malware. That method is expected to ramp up in 2024, even as malware-based ransom extortion remains significant.
As organizations look to defend themselves in 2024, they can take various steps. Some of those include adopting phishing-resistant multifactor authentication, training teams about social engineering methods and taking steps to get better visibility into their cloud environments — including to catch and correct any misconfigurations, the report recommended.
