‘Hands-on cyber attacks’ make 50% jump in 12 months

According to a new report from CrowdStrike, the breakout time, or the time an adversary takes to move laterally from an initially compromised host to another host within the victim’s environment, fell to one hour and 24 minutes compared to one hour and 38 minutes during the year-earlier period, demonstrating that adversaries continue to sharpen their tradecraft.

The CrowdStrike research team has defined interactive intrusion activity as those malicious activities that involve the use of hands-on keyboard techniques, where an adversary is actively interacting with and executing actions on a host in pursuit of their objectives.

The term e-crime is the designation that CrowdStrike gives to the malicious intrusion activity that is criminally motivated.

This type of activity is most commonly characterised as intrusions where adversaries are pursuing financially driven objectives, according to Nick Lowe, director for Falcon OverWatch at CrowdStrike, who noted that ransomware, of course, being the most prolific example.

The number of interactive intrusions has risen along with an increase in the number of zero-day vulnerabilities and common vulnerabilities and exposures (CVEs). According to the CrowdStrike Overwatch researchers, as of 1 September 2022, there were 13,000 new vulnerabilities disclosed for the year compared to 20,000 publicly disclosed vulnerabilities in all of 2021.

"Overwatch focuses its hunting operations on post-exploitation behaviours rather than on specific common vulnerabilities and exposures," Lowe said.

"This approach is critical when one considers those volumes of disclosed vulnerabilities along with some of the observed trends that we see, including exploit chaining, where adversaries are combining multiple discrete series to reach their objectives."

Lowe further explained that adversaries are quick to develop working proof of concepts for newly disclosed vulnerabilities.

VIEW ALL

"Zero-day vulnerabilities continue to be a big problem for defenders, particularly those who are focused on individual CVEs, which necessitates the requirement for proactive threat hunting as a means to be able to identify and disrupt as yet unknown malicious activity," Lowe added.

Hackers continuously refine tools, techniques

Malicious actors are continually looking for new tools, according to the CrowdStrike research.

Cobalt Strike, for example, is an extremely powerful and robust penetration-testing tool that has been adopted by e-crime actors, who leverage both legitimate licenses and pirated copies of the software.

Adversaries continue to leverage the tool due to its broad feature set and ability to generate command-and-control (C2) implants that are difficult to detect.

"Cobalt Strike is the gold standard for adversaries and continue to receive regular updates to combat new defences and detection methods," CrowdStrike noted in the report.

Adversaries also continue to innovate their tactics to remain under the radar and find new attack vectors as defenders close off old ones. For example, the CrowdStrike researchers observed an increase in phishing attacks using ISO files for delivery of malicious software, in the wake of Microsoft's move to disable internet-enabled macros by default in Office documents.

An ISO file is an exact copy of an entire optical disk such as a CD, DVD, or Blu-ray, archived into a single file.

"We are talking really about the abuse of ISO files; this sort of behaviour is another example of the many ways in which adversaries are continuing to really adapt," Lowe further explained.

It is essential that organisations combine their technology-based defences with round-the-clock, human-led threat hunting, in order to make sure that they are best prepared to defend against evolving tradecraft, Lowe said.

In addition to ISO files, researchers observed adversaries using .lnk (Windows shortcut files), .msi (installer files), and .xll (Excel add-in) files as well.

"Adversaries are diversifying their phishing toolkits with understanding that no one technique can be solely relied upon — rather, multiple tools and techniques are necessary to ensure the best chance of gaining access to today's hardened environment," the CrowdStrike report stated.

Technology industry remains the top target

The technology sector is a popular target for criminals and nation-state adversaries for the fourth year in a row. "Some of the motivating factors for targeted adversaries that are pursuing objectives against technology targets can include intelligence collections specifically strategic military, economic, or scientific collection requirements, along with attempts to compromise supply chains and trusted relationships," Lowe said.

The technology sector is the top industry targeted by interactive intrusions, accounting for 19 per cent of all such intrusions in the period studied, according to CrowdStrike.

Interactive intrusion activity against healthcare sector doubled during the period. Interactive activity against academic entities, on the other hand, increased by around 30 per cent for the period.

Cloud under increasing risk of intrusion

Meanwhile, there is a significant shift underway from on-premises to cloud-based services.

Crucial elements of many business processes are on the cloud now, easing file-sharing and workforce collaboration. These same services are increasingly abused by malicious actors, a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments, as CrowdStrike observed.

"We continue to see increasing efforts on the part of adversaries to target cloud-based assets. So now more than ever, it’s critical for organisations to deploy that mix of technology-based controls and human-led hunting to be best positioned to combat these evolving cloud threats," Lowe concluded.

[Related: Hackers hit Queensland government agencies with phishing emails]