Speed, Interaction, Sophistication of Threat Actors Rising in 2023

As attackers focus on political ends, big payouts, threat hunters need to focus on identity intrusions, access merchants and tactics enabling fast lateral movement.

A caution symbol on top of code. — Image: WhataWin

Adversary breakout time — the time it takes a threat actor to zipline from the initial point of entry into a network — hit an average all-time low of 79 minutes, down from 84 minutes last year, with the fastest breakout of the year coming in at a record of seven minutes.

“That is important, because all of your playbooks from the defense side should be determined by how quickly the threat actor is operating,” said Param Singh, vice president of CrowdStrike’s threat monitoring unit Falcon OverWatch. “All blue teamers, including us, need to do things like think about automation and figure out how to stop the fastest threat actor, one moving laterally within seven minutes.” The threat report also showed a 40% year-over-year increase in interactive intrusions, in which an adversary interacts with and executes against a target. The most frequently targeted vertical was technology for the sixth consecutive year, followed by financial, retail, health care and telecommunications sectors (Figure A).

Figure A

Tech, financial and retail are the top three attack targets. Image: CrowdStrike

“We look at some of the same stats year over year, and we are seeing that for some of these the needle is moving and favoring the threat actors,” said Singh.

CrowdStrike’s report, using data from July 1, 2022, to June 30, 2023, garnered by Falcon OverWatch and revealed this week at the annual Black Hat convention in Las Vegas, also found that:

Sixty-two percent of interactive intrusions involved the abuse of valid accounts, while there was a 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.
There was a 40% year-over-year increase in interactive intrusions, with the most frequently targeted vertical being technology for the sixth consecutive year, followed by financial, retail, health care and telecommunications.
The volume of interactive intrusion activity against the financial services industry increased by over 80% this year versus 2022, the largest jump CrowdStrike has observed for the financial services industry.

CrowdStrike also reported that North Korea was the nation-state front of the most aggressive state-sponsored attacks.

Also on the rise are access brokers. The firm reported a 147% increase in access broker advertisements on the dark web, up 35% from 6 months ago.

CrowdStrike also found that, for the sixth consecutive year, the technology sector was the most frequently targeted, with financial second, displacing telecommunications, which is the third most targeted vertical. North Korean threat groups, aiming to generate currency were, according to the report, the most aggressive state-sponsored adversaries versus the financial sector.

The report found that, while adversaries such as North Korean aligned attackers focus on stealing cryptocurrency or nonfungible tokens (NFTs), the bigger picture is that opportunistic big game hunting (BGH) ransomware and data theft campaigns remain the primary eCrime threat to financial institutions.

The report also points to two attackers, the Iranian Kitten and Chinese Panda as purveyors of two specific practices: Kitten users exploit a certain kind of asset while Panda adversaries are increasingly aiming for breadth of attacks levied against as many targets as possible (Figure B)

Figure B

Top intruders in 2023 and their targets. Image: CrowdStrike

The technology sector’s reliance on and use of sensitive data make it a BGH target for ransomware and data theft. Other prominent eCrime threats to the technology sector include enabling services, access brokers and information theft campaigns, according to CrowdStrike’s report.

The firm also pointed to some hallmarks of 2023 tactics by threat actors:

Exploitation of vulnerable software to gain access via access brokers, meaning organizations need visibility into their external attack surface.
Rampant use of legitimate remote monitoring and management tools to blend into enterprise noise and avoid detection.
Ability to navigate multiple operating systems, such as the 3CX supply chain attack by Labyrinth Chollima, discovered by CloudStrike.

‘Kerberoasting’ is heating up in 2023

Over the past year, Falcon OverWatch observed a 583% increase in a tactic called Kerberoasting, which gives attackers higher privileges and enables lateral movement within a victim’s environment.

Kerberos is an authentication protocol that grants tickets for access to Active Directory accounts, a protocol based on a unique identifier. Kerberoasting involves the theft of tickets containing credentials, associated with the identifiers. Although encrypted, these credentials can be cracked offline.

“It’s not a new technique, but we are seeing it becoming a bigger part of the threat actor playbook,” said Singh. “Once you attack an initial victim, the stolen credentials you used to get onto that machine may not be enough to move laterally and work on your mission. Kerboroasting allows privilege escalation; because it’s an effective way to move laterally, we are seeing this huge spike.”