Enterprises monitored by CrowdStrike’s Falcon OverWatch threat hunters faced 77,000 hands-on, interactive intrusion attempts, or approximately one potential intrusion every seven minutes, between July 1, 2021, and June 30, 2022, a 50 per cent year-over-year increase, according to a new report from the cyber security vendor.
Breakout time, or the time an adversary takes to move laterally from an initially compromised host to another host within the victim’s environment, fell to one hour and 24 minutes compared to one hour and 38 minutes during the year-earlier period, demonstrating that adversaries continue to sharpen their tradecraft, according to CrowdStrike.
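The breakout metric above is a per-intrusion measurement: the gap between the first observed activity on the initially compromised host and the first activity on any other host. The following is an added example, not code from CrowdStrike or the report, that computes it over a constructed endpoint timeline (the intrusion IDs, hostnames, timestamps and event names are all made up) so a defender can see how the figure is derived and why an intrusion contained before any lateral hop contributes no breakout value.

```python
"""Compute breakout time per intrusion from constructed endpoint telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (intrusion_id, ISO-8601 timestamp, host, event).
# Hostnames, IDs and times are invented for this example and are not report data.
SAMPLE_EVENTS = [
    ("INC-1", "2022-03-01T09:00:00", "ws-017", "initial_access"),
    ("INC-1", "2022-03-01T09:12:00", "ws-017", "discovery"),
    ("INC-1", "2022-03-01T10:24:00", "fs-02", "lateral_movement"),   # first hop: +1h24m
    ("INC-1", "2022-03-01T11:00:00", "dc-01", "lateral_movement"),
    ("INC-2", "2022-04-10T14:30:00", "ws-233", "initial_access"),
    ("INC-2", "2022-04-10T14:45:00", "ws-233", "credential_access"),
    ("INC-2", "2022-04-10T16:08:00", "ws-240", "lateral_movement"),  # first hop: +1h38m
    ("INC-3", "2022-05-05T08:00:00", "ws-005", "initial_access"),
    ("INC-3", "2022-05-05T08:30:00", "ws-005", "discovery"),         # contained; never broke out
]


def breakout_times(events):
    """Return {intrusion_id: timedelta | None}.

    For each intrusion, events are sorted by time; the host of the earliest event is
    treated as the initial foothold, and breakout is the delay until the first event
    on a different host. None means no lateral movement was observed.
    """
    by_intrusion = defaultdict(list)
    for inc_id, ts, host, event in events:
        by_intrusion[inc_id].append((datetime.fromisoformat(ts), host, event))

    result = {}
    for inc_id, evs in by_intrusion.items():
        evs.sort(key=lambda e: e[0])
        t0, first_host, _ = evs[0]
        result[inc_id] = None
        for t, host, _ in evs[1:]:
            if host != first_host:
                result[inc_id] = t - t0
                break
    return result


def breakout_minutes(events):
    """Same as breakout_times, but as whole minutes (None where no breakout occurred)."""
    return {k: (None if v is None else int(v.total_seconds() // 60))
            for k, v in breakout_times(events).items()}


def mean_breakout_minutes(events):
    """Average breakout in minutes over intrusions that actually broke out, or None."""
    vals = [m for m in breakout_minutes(events).values() if m is not None]
    return None if not vals else sum(vals) / len(vals)


if __name__ == "__main__":
    for inc_id, mins in sorted(breakout_minutes(SAMPLE_EVENTS).items()):
        print(inc_id, "no breakout observed" if mins is None else f"{mins // 60}h {mins % 60}m")
    print("mean:", mean_breakout_minutes(SAMPLE_EVENTS), "minutes")
```

Only intrusions with an observed hop count towards the mean; treating a contained intrusion as zero would flatter the figure. In real telemetry the "initial host" would come from the incident record rather than from the earliest event, since sensor clock skew can reorder events from different hosts.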
The CrowdStrike research defines interactive intrusion activity as malicious activity involving hands-on-keyboard techniques, where an adversary is actively interacting with and executing actions on a host in pursuit of their objectives. E-crime is the designation CrowdStrike gives to criminally motivated intrusion activity.
“This type of activity is most commonly characterised as intrusions where adversaries are pursuing financially driven objectives, ransomware, of course, being the most prolific example,” said Nick Lowe, director for Falcon OverWatch at CrowdStrike.
The number of interactive intrusions has risen along with an increase in the number of zero-day vulnerabilities and Common Vulnerabilities and Exposures (CVEs). As of September 1, 2022, there were 13,000 new vulnerabilities disclosed for the year, compared to 20,000 publicly disclosed vulnerabilities in all of 2021, OverWatch noted.
OverWatch focuses its hunting operations on post-exploitation behaviours rather than on specific CVEs, Lowe said.
“This approach is critical when one considers those volumes of disclosed vulnerabilities along with some of the observed trends that we see, including exploit chaining, where adversaries are combining multiple discrete series to reach their objectives,” he said.
Adversaries are quick to develop working proofs of concept for newly disclosed vulnerabilities. Zero-day vulnerabilities continue to be a big problem for defenders, particularly those who focus on individual CVEs, which makes proactive threat hunting necessary as a means of identifying and disrupting as-yet-unknown malicious activity, Lowe said.
Hackers continuously refine tools, techniques
Malicious actors are continually looking for new tools, according to the CrowdStrike research. Cobalt Strike, for example, is an extremely powerful and robust penetration-testing tool that has been adopted by e-crime actors, who leverage both legitimate licenses and pirated copies of the software.
“Adversaries continue to leverage the tool due to its broad feature set and ability to generate command-and-control (C2) implants that are difficult to detect. Cobalt Strike is the gold standard for adversaries and continues to receive regular updates to combat new defences and detection methods,” CrowdStrike noted in the report.
Adversaries also continue to innovate their tactics to remain under the radar and find new attack vectors as defenders close off old ones.
For example, the CrowdStrike researchers observed an increase in phishing attacks using ISO files for delivery of malicious software, in the wake of Microsoft's move to disable internet-enabled macros by default in Office documents.
An ISO file is an exact copy of an entire optical disk such as a CD, DVD, or Blu-ray, archived into a single file.
“We are talking really about the abuse of ISO files; this sort of behaviour is another example of the many ways in which adversaries are continuing to really adapt,” Lowe said.
It is essential that organisations combine their technology-based defences with round-the-clock, human-led threat hunting, in order to make sure that they are best prepared to defend against evolving tradecraft, Lowe said.
In addition to ISO files, researchers observed adversaries using .lnk (Windows shortcut), .msi (installer) and .xll (Excel add-in) files.
“Adversaries are diversifying their phishing toolkits with understanding that no one technique can be solely relied upon — rather, multiple tools and techniques are necessary to ensure the best chance of gaining access to today’s hardened environment,” the report noted.
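The delivery formats named above (ISO images, .lnk shortcuts, .msi installers and .xll add-ins) all share one property from a mail-gateway point of view: they are attachment types that ordinary business correspondence rarely needs. The following is an added detection example, not code from the report or from CrowdStrike, that runs a simple attachment-type rule over constructed mail-gateway log lines (the log format, senders and filenames are invented for this example). It matches on the final extension case-insensitively, so a double-extension name such as quote.pdf.lnk and an upper-cased .ISO are both caught.

```python
"""Flag mail attachments of the delivery types named in the report (added example)."""
import re
from collections import Counter
from pathlib import PurePosixPath

# Attachment types the report associates with phishing delivery; the set itself is
# this example's choice and should be tuned to what a given organisation legitimately exchanges.
RISKY_EXTENSIONS = {".iso", ".lnk", ".msi", ".xll"}

# Constructed mail-gateway log lines (invented format and values, not real traffic).
SAMPLE_LOG = """\
2022-06-01T10:02:11Z from=billing@example.net to=alice@corp.example subject="Invoice 4471" attachment="invoice_4471.pdf"
2022-06-01T10:05:43Z from=hr@example.org to=bob@corp.example subject="Policy update" attachment="Policy Update.ISO"
2022-06-01T10:07:02Z from=vendor@example.com to=carol@corp.example subject="Quote" attachment="quote.pdf.lnk"
2022-06-01T10:09:55Z from=it@corp.example to=dave@corp.example subject="Installer" attachment="tool-setup.msi"
2022-06-01T10:12:30Z from=finance@example.net to=erin@corp.example subject="Q2" attachment="q2_model.xll"
2022-06-01T10:14:10Z from=team@example.io to=frank@corp.example subject="Notes" attachment="notes.docx"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment="(?P<name>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed gateway log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def risky_suffix(filename):
    """Return the final extension, lowercased, if it is in RISKY_EXTENSIONS, else None.

    Only the last suffix decides: 'quote.pdf.lnk' is a .lnk no matter what precedes it,
    and Windows Explorer hides the final extension of known types, which is exactly
    why such names are used to mislead recipients.
    """
    ext = PurePosixPath(filename).suffix.lower()
    return ext if ext in RISKY_EXTENSIONS else None


def flag_attachments(log_text):
    """Return a list of alert dicts for every log line whose attachment type is risky."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these separately
        ext = risky_suffix(rec["name"])
        if ext:
            alerts.append({"ts": rec["ts"], "sender": rec["sender"], "rcpt": rec["rcpt"],
                           "attachment": rec["name"], "type": ext})
    return alerts


def summarise(alerts):
    """Count flagged attachments per type, useful for spotting a campaign-wide shift."""
    return dict(Counter(a["type"] for a in alerts))


if __name__ == "__main__":
    hits = flag_attachments(SAMPLE_LOG)
    for a in hits:
        print(f"{a['ts']} {a['rcpt']} <- {a['sender']}: {a['attachment']} [{a['type']}]")
    print("by type:", summarise(hits))
```

A name-based rule like this is a first filter, not a verdict: the report's point is that adversaries rotate formats as defenders block them, so the same alert should also be raised when one of these types arrives inside an archive, and an ISO that does reach an endpoint should be inspected for what it mounts rather than trusted because its name looked benign.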
Technology industry remains the top target
The technology sector is a popular target for criminals and nation-state adversaries for the fourth year in a row.
“Some of the motivating factors for targeted adversaries that are pursuing objectives against technology targets can include intelligence collections specifically strategic military, economic, or scientific collection requirements, along with attempts to compromise supply chains and trusted relationships,” Lowe said.
The technology sector is the top industry targeted by interactive intrusions, accounting for 19 per cent of all such intrusions in the period studied, according to CrowdStrike.
Interactive intrusion activity against the healthcare sector doubled during the period. Interactive activity against academic entities, on the other hand, increased by around 30 per cent.
Cloud under increasing risk of intrusion
Meanwhile, there is a significant shift under way from on-premises to cloud-based services. Crucial elements of many business processes are on the cloud now, easing file sharing and workforce collaboration.
These same services are increasingly abused by malicious actors, a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments, according to new research by CrowdStrike.
“We continue to see increasing efforts on the part of adversaries to target cloud-based assets. So now more than ever, it’s critical for organisations to deploy that mix of technology-based controls and human-led hunting to be best positioned to combat these evolving cloud threats,” Lowe said.
To defend themselves, organisations must invest in learning how to harden their cloud resources, and must not assume that default security settings are the best settings for their organisation, according to CrowdStrike.