Attackers are moving away from using malware and are accelerating their lateral movement in compromised networks, with organisations overwhelmed by vulnerabilities, a new report from CrowdStrike says.
The report makes grim reading, even allowing for infosec industry hyperbole. Malware use is unnecessary when prolific abuse of valid credentials (bought and sold in criminal forums) is so ubiquitous, it notes.
The report suggests that attackers are becoming more organised, more capable, and more ambitious. It also paints a picture of stretched and reactive IT departments struggling to keep up with the threat landscape.
By the numbers, OverWatch says its threat hunters detected and stopped 77,000 potential intrusions over the 12 months from 1 July 2021 to 30 June 2022 – or around one every seven minutes.
It saw a 50% increase in “interactive” intrusion campaigns (ie ones which were performed by a person, rather than an automated tool), with cybercrime (which CrowdStrike refers to as “eCrime”) the most prevalent threat.
Criminal attackers are some of the most accomplished, according to the report, which notes 30% of their intrusions see lateral movement from one host to another achieved within 30 minutes.
Follow The Stack on LinkedIn
“Of attributable intrusions, OverWatch tracked 12 named eCrime threat actors; of these, PROPHET SPIDER was the most prolific, responsible for more than twice as many attributed interactive intrusions than the next most active eCrime actor... PROPHET SPIDER is likely an access broker — an actor that gains access with the intention to sell that access for profit rather than carrying out actions on objectives directly,” said the report.
Also notable is the dramatic shift away from malware: CrowdStrike said 71% of detections it indexed did not use malware. They had easier options: “This is related, in part, to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments. Another contributing factor is the rate at which new vulnerabilities are being disclosed and the speed with which adversaries are able to operationalize exploits.”
Those new vulnerabilities continue to climb, with more than 20,000 reported in 2021, “surpassing any previous year” – and more than 10,000 more vulns reported as of 30 June 2022. The effect this is having on organisations is… not good.
“Many organizations get caught in a reactive cycle of putting out the fires of individual vulnerabilities in the short term, while failing to adequately address the risks of these vulnerabilities in the long term. As a result, legacy vulnerabilities often remain unpatched, leaving organizations susceptible to exploit chaining in which adversaries combine newly publicized vulnerabilities with older, overlooked exploits,” said the report.
The unpatched vulnerabilities problem is neatly illustrated by the continuing exploitation of the ProxyShell exploit chain, which uses three vulnerabilities in the Microsoft Exchange server to gain RCE.
“Notably, while the ProxyShell vulnerabilities were disclosed in the first half of 2021, OverWatch has continued to observe numerous instances of attempted exploitation deep into 2022,” the report said.
“It is telling of the defensive challenges facing organizations that even 12 months on, adversaries continue to have success with older, widely publicized and patchable exploits.”
The report also noted attackers’ ability to chain exploits – as with ProxyShell – can give them a powerful advantage: “The practice of exploit chaining enables adversaries to reach their objectives quickly, allowing them to outmaneuver defenders that continue to focus on reactively mitigating individual vulnerabilities. Such an approach does little to curtail a determined adversary that will simply pivot if one exploit attempt proves unsuccessful.”
Lateral movement from host to cloud on the rise
Among several interesting case studies in the report is an insight into how some attackers are taking advantage of privileged cloud access from vulnerable hosts. It details how in late 2021 an unknown Chinese actor – already well dug into a gaming organisation’s systems – was exploring the environment and attempting to entrench its access.
“The adversary then discovered that one of the compromised hosts had access to the victim organization’s Amazon Web Services (AWS) console environment. Knowing they could access the AWS console environment via the AWS command line interface, the adversary quickly changed their focus and began to perform extensive discovery commands using the AWS command line interface and EC2 Instance Connect,” the report explained.
“The adversary used the
aws command to query for metadata on all EC2 instances in the environment, which included information about security groups, network configuration and identifiers associated with each host. They also queried for the password security policy that had been configured in IAM for the victim’s AWS environment.”
As a result of this lateral movement to the victim's AWS systems, the attacker got a good look at configuration files for AWS, Docker, Jenkins, Ansible and other cloud-focused applications. A second case study showed how an attacker gained access to an organisation’s Microsoft 365 environment, and then via Azure to on-prem domain accounts.
Despite the downbeat nature of the report, CrowdStrike did offer one optimistic note: “While this situation may seem insurmountable, defenders have one very important fact on their side: Adversaries frequently adhere to common patterns of post-exploitation tradecraft. Threat hunters are therefore able to uncover malicious activity regardless of the initial access vector, effectively disarming the CVE or zero-day exploit.”
All you need, then, is a team of threat hunters...