Identity-based attacks increasing, warns CrowdStrike


Successful identity-based attacks continue to plague IT departments, according to CrowdStrike’s sixth annual Threat Hunting report.

Based on an analysis of what they call interactive intrusions — where a threat actor was operating with hands-on-keyboard in a victim’s IT environment for the 12-month period ending June 30 — researchers found:

— there was a 62 per cent increase in attacks involving the abuse of valid accounts compared to the same period a year ago — that is, the attackers had valid credentials.

Only 14 per cent of intrusions where valid accounts were used also involved a brute-force attack. Of the remaining 86 per cent of intrusions involving a valid account, over half originated from a system external to the organization. “This suggests these accounts were likely obtained through credential harvesting, password reuse, phishing, an insider threat, or session hijacking, or they were purchased from an initial access broker,” says the report;

— 34 per cent of intrusions specifically involved the use of domain or default accounts;

— a 160 per cent increase in attempts to gather secret keys and other credential materials through cloud instance metadata APIs;

— a 200 per cent increase in pass-the-hash attacks;

— and a 583 per cent increase in what are called Kerberoasting attacks, a technique for stealing or forging Kerberos tickets. Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials.

Defensive measures to fight Kerberoasting include monitoring Windows Event logs for unusual Kerberos service ticket requests, reviewing Active Directory settings for service accounts with unapproved SPNs, and making sure all service accounts have complex passwords that can’t be easily cracked.
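The first of the defensive measures above, watching for unusual service ticket requests, can be turned into a concrete hunt over Windows Security Event ID 4769 records. The script below is an added example, not code from the report or from CrowdStrike: it runs two common heuristics over a handful of constructed 4769 records (the field names TargetUserName, ServiceName and TicketEncryptionType match the 4769 schema; the sample values, the five-minute window and the threshold of three distinct SPNs are assumptions). It flags tickets requested with RC4-HMAC (encryption type 0x17) for non-machine service accounts, which stands out in a domain that otherwise uses AES, and it flags any single account that requests tickets for several distinct SPNs in a short window, the "sweep" shape that offline cracking campaigns tend to leave behind.

```python
"""Hunt for Kerberoasting-shaped patterns in Windows Event ID 4769 records.

Added defensive example; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Event ID 4769 fields:
#   TargetUserName       = the account that requested the ticket
#   ServiceName          = the account owning the requested SPN
#   TicketEncryptionType = 0x12 (AES256-CTS-HMAC-SHA1-96) or 0x17 (RC4-HMAC)
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2023-06-01T09:00:01", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2023-06-01T09:00:02", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2023-06-01T09:00:03", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2023-06-01T09:00:04", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2023-06-01T09:15:00", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.12"},
    {"time": "2023-06-01T10:30:00", "TargetUserName": "dave@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
]


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def is_service_account(name: str) -> bool:
    # Machine accounts end with '$' and krbtgt is the KDC itself; neither is a
    # crackable service-account password of the kind Kerberoasting goes after.
    return not name.endswith("$") and name.lower() != "krbtgt"


def flag_rc4_requests(events):
    """Service tickets requested with RC4-HMAC (0x17) for service accounts."""
    return [e for e in events
            if is_service_account(e["ServiceName"])
            and e["TicketEncryptionType"].lower() == "0x17"]


def flag_spn_sweeps(events, window=timedelta(minutes=5), threshold=3):
    """Accounts that request tickets for >= threshold distinct SPNs inside `window`.

    Returns {requesting account: set of SPN accounts requested in the sweep}.
    """
    by_user = defaultdict(list)
    for e in events:
        if is_service_account(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((parse_time(e["time"]), e["ServiceName"]))
    sweeps = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # Distinct services requested in the window starting at this event.
            names = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                sweeps.setdefault(user, set()).update(names)
    return sweeps


if __name__ == "__main__":
    for e in flag_rc4_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for user, spns in flag_spn_sweeps(SAMPLE_EVENTS).items():
        print(f"SPN sweep: {user} requested {sorted(spns)}")
```

On the sample data the RC4 heuristic fires on bob's four requests and dave's single one, while only bob trips the sweep heuristic; dave's lone RC4 request is the kind of hit that needs a second look at whether that service account still lacks AES keys rather than an incident on its own. Both checks pair naturally with the other two measures in the paragraph: an inventory of which accounts legitimately hold SPNs tells you which ServiceName values to expect, and strong or managed service-account passwords limit what an attacker gains even when a ticket is captured.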

CrowdStrike researchers also recently discovered the abuse of network provider dynamic link libraries (DLLs) as a means to harvest valid credentials. A network provider DLL enables the Windows operating system to communicate with other types of networks by providing support for different networking protocols. With this newly documented technique, the report says, adversaries operate without the need to touch the Local Security Authority Subsystem Service (LSASS) or dump the system Security Account Manager (SAM) hive, both of which are often highly monitored by security tools.

“This sub-technique provides an evasive way to access valid account details,” the report says.
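Because this technique never touches LSASS or the SAM hive, the place to look for it is where network providers are registered rather than in process memory. The script below is an added example, not CrowdStrike's tooling: it audits the provider load order (the ProviderOrder value under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order) and each provider's ProviderPath (under HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider), flagging any provider whose DLL lives outside System32 or is not on an allowlist. The allowlist of Windows' own provider DLLs, the constructed registry snapshot and the fictional "ExampleProv" entry are assumptions; on a real host the live reader needs to be extended with whatever third-party providers (VPN or remote-access clients, for instance) are legitimately installed.

```python
"""Audit Windows network provider registrations for unexpected DLLs.

Added defensive example. The registry locations are the documented ones for
network providers; the allowlist and the constructed snapshot are assumptions.
"""
import ntpath
import sys

ORDER_KEY = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# Provider DLLs Windows ships for its default providers (assumed allowlist;
# add entries for third-party providers that are known and approved).
KNOWN_PROVIDER_DLLS = {"ntlanman.dll", "drprov.dll", "davclnt.dll"}
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Constructed snapshot shaped like what read_live_snapshot() returns on a real
# host. "ExampleProv" is a fictional rogue provider registered outside System32.
SAMPLE_SNAPSHOT = {
    "ProviderOrder": "RDPNP,LanmanWorkstation,webclient,ExampleProv",
    "providers": {
        "RDPNP": r"%SystemRoot%\System32\drprov.dll",
        "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
        "webclient": r"%SystemRoot%\System32\davclnt.dll",
        "ExampleProv": r"C:\ProgramData\Example\exnp.dll",
    },
}


def read_live_snapshot():
    """Read ProviderOrder and each provider's ProviderPath via winreg (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ORDER_KEY) as key:
        order, _ = winreg.QueryValueEx(key, "ProviderOrder")
    providers = {}
    for name in order.split(","):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                rf"{SERVICES_KEY}\{name}\NetworkProvider") as key:
                providers[name], _ = winreg.QueryValueEx(key, "ProviderPath")
        except OSError:
            # Listed in the load order but no NetworkProvider subkey: worth a look.
            providers[name] = None
    return {"ProviderOrder": order, "providers": providers}


def audit_snapshot(snapshot, allowlist=KNOWN_PROVIDER_DLLS):
    """Return (provider, reason, path) for every registration that needs review."""
    findings = []
    for name in snapshot["ProviderOrder"].split(","):
        path = snapshot["providers"].get(name)
        if not path:
            findings.append((name, "listed in ProviderOrder but has no ProviderPath", path))
            continue
        lowered = path.lower()
        if not lowered.startswith(SYSTEM32_PREFIXES):
            findings.append((name, "ProviderPath outside System32", path))
        elif ntpath.basename(lowered) not in allowlist:
            findings.append((name, "DLL not in allowlist", path))
    return findings


if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for provider, reason, path in audit_snapshot(snapshot):
        print(f"{provider}: {reason} ({path})")
```

A snapshot of this kind is cheap to collect from every domain-joined host, so the practical use is diffing it over time: a new name appearing in ProviderOrder, or a ProviderPath changing to a location outside System32, is the event to alert on, and the same registry values are what a Sysmon or EDR rule on registry writes would watch.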

Threat actors can also move swiftly to take advantage of misconfigurations, the report notes. For example, in November 2022, a CrowdStrike customer accidentally published its cloud service provider root account’s access key credentials to GitHub. “Within seconds,” the report notes, “automated scanners and multiple threat actors attempted to use the compromised credentials. The speed with which this abuse was initiated suggests that multiple threat actors — in efforts to target cloud environments — maintain automated tooling to monitor services such as GitHub for leaked cloud credentials.”

Generally, the report says, defences against identity-based attacks include auditing user accounts for weak passwords, implementing the principle of least privilege and role-based access, implementing a zero trust model, and implementing proactive and continuous hunting across identity for anomalous user behaviour.

The full report is available here. Registration is required.

The post Identity-based attacks increasing, warns CrowdStrike first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
