Abuse of valid accounts by threat actors hits a high, says IBM


For years, cybersecurity experts have been warning organizations of the importance of identity and access management processes — including password management and protection against compromise of multifactor authentication — to secure IT assets.

A new report from IBM, released Wednesday, suggests failure to do that is increasingly costing firms badly.

Abusing valid accounts was in a three-way tie as the most common way threat actors entered organizations’ IT environments in incidents that IBM’s X-Force intelligence service investigated in 2023.

Graphic from IBM X-Force 2024 report
Source: IBM

It represented 30 per cent of initial entry vectors for incidents studied, tying with phishing. Exploiting public-facing applications was right up there, with 29 per cent of incidents.

The position of abusing valid accounts is even more notable because it was quite a jump over 2022’s report, when it was the initial access vector of 16 per cent of incidents looked at that year.

Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives, says the report.

“In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns,” it noted.

“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available—and easily accessible—on the dark web.”

Researchers found that cloud account credentials alone make up 90 per cent of cloud assets for sale on the dark web. That, the report says, makes it easy for threat actors to take over legitimate user identities to establish access into IT environments. Attacker use of valid accounts as an initial access vector appears to have a significant impact on the required response efforts as well, the report adds.

Another related significant finding: A 100 per cent increase in “Kerberoasting.” It’s a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations, the report notes.

Perhaps not coincidentally, researchers saw a 266 per cent increase in the use of information stealers — which steal credentials as well as other computer information — by threat actors last year.

In nearly 85 per cent of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege.

In the Canadian data pulled from the numbers gathered by IBM, half of attacks here were against the government sector. Compared to other countries, Canada had the most security incidents against government entities that X-Force responded to.

The IBM X-Force Threat Intelligence Index 2024 report is available here. Registration is required.

The post Abuse of valid accounts by threat actors hits a high, says IBM first appeared on IT World Canada.
Howard Solomon
https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
