The 2023 Threat Hunting Report also found that attackers during the past year increasingly turned to encryption-free extortion to boost profits, pressure victims and exploit visibility gaps between enterprise and cloud security teams. This report draws on threat hunting findings from July 2022 through June 2023, focusing on how threat actors behaved once they’d gotten inside victim environments and begun hands-on-keyboard — rather than automated — methods. According to its findings, governments were the ninth most frequently targeted sector.
And attack trends across sectors are evolving.
“A year or two years ago, we would have been talking a lot more about weaponized documents. Things like macros were kind of dominating the discussion,” said Adam Meyers, CrowdStrike senior vice president of intelligence. “A document with a malicious macro embedded in it would arrive via email, you'd open it up, you’d enable the macro, and it would deploy Cobalt Strike or some sort of post-exploitation tool or implant that would then beacon back to the adversary, and that was kind of like their in.”
But as endpoint detection and response solutions have helped detect suspicious new tools on the network, attackers have updated their approaches. They’ve turned more to living-off-the-land methods, in which they abuse legitimate software — often remote monitoring and management tools — to conduct malicious activities. This is a way to blend in among the victim organization’s normal activities.
Attackers also have increasingly been using valid credentials to evade discovery. In fact, 62 percent of the interactive intrusions CrowdStrike detected involved valid credentials.
Compounding the issue is a dramatic rise in Kerberoasting. This attack method sees actors who’ve already gotten access to a system steal Windows authentication tickets. The perpetrators then attempt to crack the tickets to extract usernames and passwords.
Kerberoasting has been around for a while, but the report found it increased nearly sixfold in the past year. Meyers said that trend may be fueled by the emergence of new, easily available tools supporting such attacks. But endpoint detection and response solutions can help organizations detect Kerberoasting and identity protection systems that can block the use of compromised credentials.
Meyers also pointed to the emerging trend of encryption-free extortion. Roughly 20 percent of threat actors that used to deploy ransomware have shifted away from encrypting systems. Now they’re simply stealing data and demanding payment in exchange for not publishing it. That’s the strategy that hacking group Cl0p has been using to extort victims of its MOVEit compromise, for example.
For cyber criminals, such encryption-free extortion can be faster, simpler and more profitable. For one, ransomware as a service sees operators develop encryption malware, while affiliates deploy it and share a cut of the profits. Skipping the malware means skipping the profit-sharing, Meyers said. It also means exerting a different kind of pressure on victims.
Ransomware victims often assess whether the ransom is more painful than the cost of systems remaining down. As such, attackers may have to wait for incidents to drag on long enough to compel victims to pay. Plus, by now, victims may have more stratagems against this.
“There’s a lot of good playbooks out there for dealing with ransomware that frustrate that for the threat actor, eroding the amount of money that they can get and wasting their time,” Meyers said.
But organizations threatened with seeing sensitive data published may have a more immediate sense of the expense they’d incur, should extortionists carry through on the threats. Seeing the information leaked could spell regulatory fines as well as class-action lawsuits from customers or other individuals whose data gets exposed. Medical records invoke HIPAA violations, and organizations in states with privacy laws may run afoul of them for failing to keep sensitive data safe.
“It’s instantly evident why it's cheaper to pay the ransom,” Meyers said. “Do you want to spend $10 million on a data extortion … demand? Or do you want to spend $100 million defending yourself in a class-action lawsuit that you’re ultimately going to lose?”
Finally, threat actors appear to be becoming more cloud-savvy. Some are using tools that help identify whether the victim environment they’ve hit is in the cloud, for example, enabling them to act accordingly. As such, Meyers said more than three times the number of threat actors as last year now know how to operate in the cloud. Some are also creating accounts in the cloud that get propagated back to the enterprise.
That latter case sees malicious actors take advantage of a disconnect in communications or visibility between victim enterprise security and cloud security. An enterprise security team might discover suspicious activity, leading them to find and evict a threat from a system. But if the attacker already created an account in the cloud, and that account isn’t also purged, the threat actors can then use it to get back into the enterprise.
