CrowdStrike: Attackers focusing on cloud exploits, data theft

Image: A cloud and security symbol over a globe of connected internet of things devices. (Ar_TH/Adobe Stock)

CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year, identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.

“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.

Skies are overcast for cloud security

Besides the raft of new threat actors in the wild that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitation, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities.

Also, cloud exploitation increased three-fold, with threat actors focused on infiltrating containers and other components of cloud operations, according to Adam Meyers, senior vice president of intelligence at CrowdStrike.

“This was a massive uptick,” Meyers said, pointing out that there were 288 cloud-attack incidents last year, and that the tectonic shift of enterprises to cloud-native platforms makes the environment attractive to hackers.

“Fifteen years ago, Mac computers were more secure than any other, and the reason was not because Macs were inherently secure; it was because they constituted such a small portion of the market that attackers didn’t prioritize them,” Meyers said, adding that cloud was in the same position. “It was out there but not in the actors’ interest to attack.

“Today you get cloud security right out of the box, but you need to continuously monitor it as well as make changes and customize it, which changes an organization’s cloud-facing security posture.”

CrowdStrike said cloud-conscious actors gain initial cloud access by using valid accounts, resetting passwords or placing web shells designed to persist in the system, then attempting to get access via credentials and cloud providers’ instance metadata services.

In most cases, threat actors took such malicious actions as removing account access, terminating services, destroying data and deleting resources. The report found that:

  • 80% of cyberattacks used identity-based techniques to compromise legitimate credentials and to try to evade detection.
  • There was a 112% year-over-year increase in advertisements for access-broker services, part of the e-crime threat landscape involved with selling access to threat actors.

With defenders scanning for malware, data extraction is easier

CrowdStrike’s research tracked a continued shift away from malware use last year, with malware-free activity accounting for 71% of all detections in 2022, up from 62% in 2021. This was partly related to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments.

Martin Mao, CEO of cloud observability company Chronosphere, said the ubiquity of real-time endpoint monitoring made the insertion of malware less attractive.

“Malware is not only a lot easier to monitor now; there are standardized solutions to solve these kinds of attacks, providing network infrastructure to mitigate them,” said Mao.

Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves who enter either by social engineering or through vulnerabilities not usually targeted by malware. The intrusion, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.

“How do you detect compromise of credentials?” said Mao. “There is no way to find that; no way for us to know about it, partly because the attack area is so much larger and almost impossible to oversee.”

Cybercriminals shifting from ransomware to data theft for extortion

There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.

One attacker, which CrowdStrike dubbed Slippery Spider, launched high-profile attacks in February and March 2022 that, according to the report, included data theft and extortion targeting Microsoft, Nvidia, Okta, Samsung and others. The group used public Telegram channels to leak data including victims’ source code, employee credentials and personal information.

Another group, Scattered Spider, focused social engineering efforts on customer relationship management and business process outsourcing, using phishing pages to capture authentication credentials for Okta, VPNs or edge devices, according to CrowdStrike. Scattered Spider would get targets to share multi-factor authentication codes or overwhelm them with notification fatigue.
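As an added illustration (not code from CrowdStrike or the article), the following Python detection logic flags the notification-fatigue pattern described above on constructed MFA push log lines: a burst of denied or ignored pushes for one user followed by an approval inside a short window. The log format, the 10-minute window and the threshold of three pushes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real telemetry), one push per line:
# "timestamp,user,result". User jdoe shows the notification-fatigue
# pattern: several denied or ignored pushes in minutes, then one approval.
SAMPLE_EVENTS = """\
2022-03-01T09:00:05,jdoe,DENIED
2022-03-01T09:00:40,jdoe,TIMEOUT
2022-03-01T09:01:10,jdoe,DENIED
2022-03-01T09:01:50,jdoe,DENIED
2022-03-01T09:02:30,jdoe,TIMEOUT
2022-03-01T09:03:15,jdoe,APPROVED
2022-03-01T09:05:00,asmith,APPROVED
2022-03-01T11:30:00,asmith,DENIED
2022-03-01T11:45:00,asmith,APPROVED
"""

def parse_events(text):
    """Parse the CSV-style lines into (timestamp, user, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: burst_size} for each user whose approval was preceded,
    within `window`, by at least `threshold` pushes that were not approved.
    Isolated denials (a stray push, a mistyped code) are not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    flagged = {}
    for user, pushes in by_user.items():
        for i, (ts, result) in enumerate(pushes):
            if result != "APPROVED":
                continue
            prior = [r for t, r in pushes[:i]
                     if r != "APPROVED" and ts - t <= window]
            if len(prior) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(prior))
    return flagged

def scan(text=SAMPLE_EVENTS):
    return find_push_fatigue(parse_events(text))

if __name__ == "__main__":
    print(scan())  # {'jdoe': 5}
```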

“Data extortion is way easier than deploying ransomware,” said Meyers. “You don’t have as much risk of detection as you would with malware, which is by definition malicious code, and companies have tools to detect it. You are removing that heavy lift.”

SEE: New National Cybersecurity Strategy: resilience, regs, collaboration and pain (for attackers) (TechRepublic)

Zero trust is key to countering malware-free intrusions

The movement by threat actors away from ransomware and toward data exfiltration reflects a shift in the balance among hacktivists, state actors and cybercriminals: It’s easier to grab data than launch malware attacks because many companies now have robust anti-malware defenses in place at their endpoints and at other infrastructure vantage points, according to Meyers, who added that data extortion is as powerful an incentive to pay a ransom as locked systems.

“Criminals doing data extortion are indeed changing the calculus behind ransomware,” said Meyers. “Data is the thing most critical to organizations, so this necessitates a different way of looking at a world where people are weaponizing information by, for example, threatening to leak data to disrupt an organization or country.”

Meyers said zero trust is the way to counter this trend because minimizing access, which flips the “trust then verify” model of infrastructure security, makes lateral movement by an attacker much more difficult, as more checkpoints exist at the weakest access points: verified employees who can be tricked.

Worldwide growth in hacktivists, nation-state actors and cybercriminals

CrowdStrike added Syria, Turkey and Colombia to its existing lineup of malefactor host countries, per Meyers, who said interactive intrusions in general were up 50% last year. This suggests that human adversaries are increasingly hoping to evade antivirus protection and machine defenses.

SEE: LastPass releases new security incident disclosure and recommendations (TechRepublic)

Among its findings was that legacy vulnerabilities like Log4Shell, along with ProxyNotShell and Follina (just two of Microsoft’s 28 zero days and 1,200 patches), were broadly exploited as nation-nexus and e-crime adversaries circumvented patches and side-stepped mitigations.

Of note:

  • China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions.
  • Threat actors are getting faster; the average e-crime breakout time is now 84 minutes, down from 98 minutes in 2021. CrowdStrike’s Falcon team measures breakout time as the time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment.
  • CrowdStrike noted a rise in vishing to direct victims to download malware and SIM swapping to circumvent multi-factor authentication.
  • CrowdStrike saw a jump in Russia-nexus actors employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin’s intent to widen targeting to sectors and regions where destructive operations are considered politically risky.
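The breakout-time metric defined in the list above, computed as an added example over constructed endpoint telemetry (not Falcon data or CrowdStrike’s code). The event format, the `intrusion_id` grouping and the rule that an intrusion’s first event marks the initially compromised host are assumptions; the sample is built so the first intrusion breaks out in exactly 84 minutes and the second never leaves its first host.

```python
from datetime import datetime

# Constructed endpoint telemetry (not Falcon data), one event per line:
# "timestamp,intrusion_id,host,action". The first event of an intrusion
# is taken as the initially compromised host; the first later event on a
# different host is the lateral move that stops the breakout clock.
SAMPLE_TELEMETRY = """\
2022-06-10T14:02:00,INC-1,web-01,initial_access
2022-06-10T14:20:00,INC-1,web-01,discovery
2022-06-10T15:26:00,INC-1,db-02,remote_exec
2022-06-10T16:00:00,INC-1,db-02,exfil
2022-06-11T08:00:00,INC-2,wks-17,initial_access
2022-06-11T08:30:00,INC-2,wks-17,discovery
"""

def parse_telemetry(text):
    """Parse lines into (timestamp, intrusion_id, host, action), oldest first."""
    rows = []
    for line in text.splitlines():
        ts, inc, host, action = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), inc, host, action))
    return sorted(rows)

def breakout_minutes(rows):
    """Return {intrusion_id: minutes} from the first event on the initially
    compromised host to the first event on any other host. Intrusions that
    never left the first host map to None rather than a misleading 0."""
    first_seen = {}  # intrusion_id -> (timestamp, host)
    result = {}
    for ts, inc, host, _ in rows:
        if inc not in first_seen:
            first_seen[inc] = (ts, host)
            result[inc] = None
        elif result[inc] is None and host != first_seen[inc][1]:
            result[inc] = (ts - first_seen[inc][0]).total_seconds() / 60
    return result

def average_breakout(result):
    """Average breakout time over only the intrusions that did break out."""
    vals = [v for v in result.values() if v is not None]
    return sum(vals) / len(vals) if vals else None

if __name__ == "__main__":
    per_intrusion = breakout_minutes(parse_telemetry(SAMPLE_TELEMETRY))
    print(per_intrusion, average_breakout(per_intrusion))  # {'INC-1': 84.0, 'INC-2': None} 84.0
```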

A rogues’ gallery of jackals, bears and other adversaries

With the newly tracked adversaries, CrowdStrike said it is now following more than 200 actors. Over 20 of the new additions were e-crime adversaries, including adversaries from China and Russia. They include actors CrowdStrike has named Buffalo (Vietnam), Crane (Republic of Korea), Kitten (Iran), Leopard (Pakistan) and the hacktivist group Jackal, as well as other groups from Turkey, India, Georgia, China and North Korea.

CrowdStrike also reported that one actor, Gossamer Bear, performed credential-phishing operations in the first year of the Russia-Ukraine conflict, targeting government research labs, military suppliers, logistics companies and non-governmental organizations.

Versatility key to cloud defenders and engineers

Attackers are using a variety of TTPs to shoehorn their way into cloud environments and move laterally. Indeed, CrowdStrike saw an increased use of both valid cloud accounts and public-facing applications for initial cloud access. The company also reported a greater number of actors aiming for cloud account discovery versus cloud infrastructure discovery, and use of valid higher-privileged accounts.

Engineers working on cloud infrastructure and applications need to be increasingly versatile, understanding not only security but how to manage, plan, architect and monitor cloud systems for a business or enterprise.

To learn about cloud engineering responsibilities and skill sets, download the Cloud Engineer Hiring Kit at TechRepublic Premium.

Read next: How traditional security tools fail to protect companies against ransomware (TechRepublic)
