Identity-related risks are an increasing concern for network defenders, as attackers, including financially motivated criminal groups and nation-state sponsored teams, now favor using stolen login credentials over exploiting vulnerabilities or relying on social engineering.
Recent reports from IBM X-Force and security firm CrowdStrike highlight a significant rise in attacks that leverage valid credentials and other methods that mimic genuine user activity.
IBM’s analysis revealed a substantial 71% year-on-year surge in attacks leveraging valid credentials in 2023. Michelle Alvarez, a manager within IBM X-Force’s strategic threat analysis team, emphasized the magnitude of this increase. Notably, compromised legitimate accounts accounted for 30% of all incidents addressed by X-Force in 2023, making it the most prevalent initial access point for cybercriminals. Additionally, cloud account credentials constituted 90% of cloud assets available for purchase on the dark web.
Simultaneously, phishing attacks, also at 30%, were on par with abuses of valid accounts as the primary initial access vector in 2023. However, the overall volume of phishing attempts decreased by 44% compared to 2022, partly attributed to the shift towards using valid credentials for initial access.
Adam Meyers, head of counter adversary operations at CrowdStrike, emphasized the paramount importance of identity protection for organizations, noting that adversaries have identified it as the most straightforward and rapid entry point.
CrowdStrike’s 2024 Global Threat Report, based on tracking 230 criminal groups, identified a similar uptick in identity-related threats. In addition to stolen credentials, attackers targeted various authentication elements such as API keys, session cookies, and Kerberos tickets throughout the previous year.
Threat actors have sharpened their focus on exploiting identities, assuming the persona of a legitimate user to blend in and avoid detection. This tactic relies on legitimate tools and ordinary user behavior to maintain a low profile, so the activity does not stand out as suspicious.
Nation-state actors, like the Kremlin’s Cozy Bear group, have also engaged in identity-based attacks, utilizing tactics such as credential phishing via Microsoft Teams messages to pilfer MFA tokens for Microsoft 365 accounts.
Overall, the trend of using valid credentials for initial access enables attackers to circumvent detection measures, emphasizing the critical importance of safeguarding identities in the face of evolving cyber threats.
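Because a login with valid credentials passes authentication, detecting it means comparing each successful login against what is normal for that account rather than looking for a failed check. The following is an added illustration, not code from IBM, CrowdStrike or the article: it builds a per-account baseline of source networks and device fingerprints from successful logins before a cutoff, then flags later successful logins with no precedent. The log format, field names and events are constructed for the example.

```python
"""Flag successful logins that used valid credentials but deviate from a
per-account baseline. Added example with a constructed log format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, account, result, source_network, device)
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "success", "203.0.113.0/24", "win11-edge"),
    ("2024-03-02T08:05:00", "alice", "success", "203.0.113.0/24", "win11-edge"),
    ("2024-03-03T08:02:00", "alice", "success", "203.0.113.0/24", "win11-edge"),
    # failed attempt before cutoff: must not teach the baseline
    ("2024-03-03T22:40:00", "alice", "failure", "198.51.100.0/24", "linux-curl"),
    ("2024-03-05T03:17:00", "alice", "success", "198.51.100.0/24", "linux-curl"),
    ("2024-03-01T09:00:00", "bob", "success", "192.0.2.0/24", "macos-safari"),
    ("2024-03-05T09:10:00", "bob", "success", "192.0.2.0/24", "macos-safari"),
    # account with no history at all before the cutoff
    ("2024-03-06T11:00:00", "carol", "success", "198.51.100.0/24", "linux-curl"),
]


def build_baseline(events, cutoff):
    """Per-account sets of networks and devices seen in successful logins
    strictly before the cutoff (ISO 8601 string)."""
    limit = datetime.fromisoformat(cutoff)
    nets, devices = defaultdict(set), defaultdict(set)
    for ts, user, result, net, device in events:
        if result == "success" and datetime.fromisoformat(ts) < limit:
            nets[user].add(net)
            devices[user].add(device)
    return nets, devices


def flag_anomalous_logins(events, cutoff):
    """Return (account, timestamp, reasons) for successful logins at or after
    the cutoff whose source network or device is new for that account."""
    limit = datetime.fromisoformat(cutoff)
    nets, devices = build_baseline(events, cutoff)
    flagged = []
    for ts, user, result, net, device in events:
        if result != "success" or datetime.fromisoformat(ts) < limit:
            continue
        reasons = []
        if net not in nets[user]:        # empty set for an unseen account
            reasons.append("new_source_network")
        if device not in devices[user]:
            reasons.append("new_device")
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalous_logins(EVENTS, "2024-03-04"):
        print(hit)
```

Bob's post-cutoff login matches his baseline and is not reported; Alice's off-hours login from a network and device seen only in an earlier failed attempt is, as is Carol's, whose account has no history.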