Identity-based attacks increasing, warns CrowdStrike


Successful identity-based attacks continue to plague IT departments, according to CrowdStrike’s sixth annual Threat Hunting report.

Based on an analysis of what they call interactive intrusions — where a threat actor was operating with hands-on-keyboard in a victim’s IT environment for the 12-month period ending June 30 — researchers found:

— there was a 62 per cent increase in attacks involving the abuse of valid accounts compared to the same period a year ago — that is, the attackers had valid credentials.

Only 14 per cent of intrusions where valid accounts were used also involved a brute-force attack. Of the remaining 86 per cent of intrusions involving a valid account, over half originated from a system external to the organization. “This suggests these accounts were likely obtained through credential harvesting, password reuse, phishing, an insider threat, or session hijacking, or they were purchased from an initial access broker,” says the report;

— 34 per cent of intrusions specifically involved the use of domain or default accounts;

— a 160 per cent increase in attempts to gather secret keys and other credential materials through cloud instance metadata APIs;

— a 200 per cent increase in pass the hash attacks;

— and a 583 per cent increase in what are called Kerberoasting attacks, a technique for stealing or forging Kerberos tickets. Windows devices use the Kerberos authentication protocol, which issues service tickets granting users access to resources identified by service principal names (SPNs). Kerberoasting involves requesting and stealing tickets associated with SPNs. Part of each ticket is encrypted with the service account's credential, so the ticket can be taken offline and brute-forced to recover the plaintext password.

Defensive measures to fight Kerberoasting include monitoring Windows Event logs for unusual Kerberos service ticket requests, reviewing Active Directory settings for service accounts with unapproved SPNs, and making sure all service accounts have complex passwords that can’t be easily cracked.
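The first defensive measure above, monitoring Kerberos service ticket requests, can be turned into a simple detection. This added example (not from the CrowdStrike report) scans constructed Windows Security Event ID 4769 records, exported as dictionaries with the event's standard field names, and flags two patterns: service tickets requested with the weak RC4 encryption type (0x17) for user-owned SPNs, and one account sweeping many distinct SPNs within a short window. Field names and sample values are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12

# Constructed sample 4769 events (fields named after the Windows event XML).
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-06-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FILE01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T09:00:07", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2023-06-01T09:15:00", "TargetUserName": "mallory@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2023-06-01T09:15:02", "TargetUserName": "mallory@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2023-06-01T09:15:03", "TargetUserName": "mallory@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
]


def is_user_owned_spn(service_name: str) -> bool:
    # Machine accounts end in '$'; Kerberoasting targets user accounts that own SPNs,
    # because their passwords are human-chosen and far easier to crack offline.
    return not service_name.endswith("$")


def detect_kerberoasting(events, sweep_threshold=3, window=timedelta(minutes=5)):
    """Return findings: RC4 tickets for user-owned SPNs, and rapid sweeps over many SPNs."""
    findings = []
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if not is_user_owned_spn(svc):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["TicketEncryptionType"] == RC4_HMAC:
            findings.append(("rc4_ticket", ev["TargetUserName"], svc, ev["IpAddress"]))
        per_user[ev["TargetUserName"]].append((ts, svc))
    # One requester pulling tickets for many different SPNs in a few minutes is the
    # signature of an enumerate-and-request sweep rather than normal resource access.
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            distinct = {s for t, s in reqs[i:] if t - start <= window}
            if len(distinct) >= sweep_threshold:
                findings.append(("spn_sweep", user, len(distinct)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

Tune `sweep_threshold` against a baseline of normal ticket volume for the environment; legitimate automation can also request several SPNs at once, so the RC4 signal is the stronger of the two.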

CrowdStrike researchers also recently discovered the abuse of network provider dynamic link libraries (DLLs) as a means to harvest valid credentials. A network provider DLL enables the Windows operating system to communicate with other types of networks by providing support for different networking protocols. With this newly documented technique, the report says, adversaries operate without the need to touch the Local Security Authority Subsystem Service (LSASS) or dump the system Security Account Manager (SAM) hive, both of which are often highly monitored by security tools.

“This sub-technique provides an evasive way to access valid account details,” the report says.

Threat actors can also move swiftly to take advantage of misconfigurations, the report notes. For example, in November 2022, a CrowdStrike customer accidentally published its cloud service provider root account’s access key credentials to GitHub. “Within seconds,” the report notes, “automated scanners and multiple threat actors attempted to use the compromised credentials. The speed with which this abuse was initiated suggests that multiple threat actors — in efforts to target cloud environments — maintain automated tooling to monitor services such as GitHub for leaked cloud credentials.”

Generally, the report says, defences against identity-based attacks include auditing user accounts for weak passwords, implementing the principle of least privilege and role-based access, implementing a zero trust model, and implementing proactive and continuous hunting across identity for anomalous user behaviour.

The full report is available here. Registration is required.

The post Identity-based attacks increasing, warns CrowdStrike first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
