CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year — identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.
“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.
Skies are overcast for cloud security
Besides the raft of new threat actors in the wilds that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities.
Also, cloud exploitation increased three-fold, with threat actors focused on infiltrating containers and other components of cloud operations, according to Adam Meyers, senior vice president of intelligence at CrowdStrike.
“This was a massive uptick,” Meyers said, pointing out that there was a 288% increase in “cloud-conscious adversaries” last year, and that the tectonic shift of enterprises to cloud-native platforms makes the environment attractive to hackers.
“Fifteen years ago, Mac computers were more secure than any other, and the reason was not because Macs were inherently secure, it was because they constituted such a small portion of the market that attackers didn’t prioritize them,” Meyers said, adding that cloud was in the same position. “It was out there but not in the actors’ interest to attack.
“Today you get cloud security right out of the box, but you need to continuously monitor it as well as make changes and customize it, which changes an organization’s cloud-facing security posture.”
CrowdStrike said cloud-conscious actors gain initial cloud access by using valid accounts, resetting passwords or placing web shells designed to persist in the system, then attempting to get access via credentials and cloud providers’ instance metadata services.
In most cases, threat actors took such malicious actions as removing account access, terminating services, destroying data and deleting resources. The report found that:
- 80% of cyberattacks used identity-based techniques to compromise legitimate credentials and to try to evade detection.
- There was a 112% year-over-year increase in advertisements for access-broker services — part of the e-crime threat landscape involved with selling access to threat actors.
With defenders’ scanning for malware, data extraction is easier
The CrowdStrike cybersecurity research tracked a continued shift away from malware use last year, with malware-free activity accounting for 71% of all detections in 2022 — up from 62% in 2021. This was partly related to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments.
Martin Mao, CEO of cloud native observability company Chronosphere, said the ubiquity of endpoint monitoring in real time made the insertion of malware less attractive.
“Malware is not only a lot easier to monitor now; there are standardized solutions to solve these kinds of attacks providing network infrastructure to mitigate them,” said Mao.
Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.
“How do you detect compromise of credentials?” said Mao. “There is no way to find that; no way for us to know about it, partly because the attack area is so much larger and almost impossible to oversee.”
Cybercriminals shifting from ransomware to data theft for extortion
There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.
One attacker, which CrowdStrike dubbed Slippery Spider, launched high-profile attacks in February and March 2022 that, according to the report, included data theft and extortion targeting Microsoft, Nvidia, Okta, Samsung and others. The group used public Telegram channels to leak data including victims’ source code, employee credentials and personal information.
Another group, Scattered Spider, focused social engineering efforts on customer relationship management and business process outsourcing, using phishing pages to capture authentication credentials for Okta, VPNs or edge devices, according to CrowdStrike. Scattered Spider would get targets to share multi-factor authentication codes or overwhelm them with notification fatigue.
“Data extortion is way easier than deploying ransomware,” said Meyers. “You don’t have as much risk of detection as you would with malware, which is by definition malicious code, and companies have tools to detect it. You are removing that heavy lift.”
SEE: New National Cybersecurity Strategy: resilience, regs, collaboration and pain (for attackers) (TechRepublic)
Zero trust is key to malware-free insurgency
The movement by threat actors away from ransomware and toward data exfiltration reflects a balance shift in the world of hacktivists, state actors and cybercriminals: It’s easier to grab data than launch malware attacks because many companies now have robust anti-malware defenses in place at their endpoints and at other infrastructure vantage points, according to Meyers, who added that data extortion is as powerful an incentive to ransom as locked systems.
“Criminals doing data extortion are indeed changing the calculus behind ransomware,” said Meyers. “Data is the thing most critical to organizations, so this necessitates a different way of looking at a world where people are weaponizing information by, for example, threatening to leak data to disrupt an organization or country.”
Meyers said zero trust is the way to counter this trend because minimizing access, which flips the “trust then verify” model of infrastructure security, makes lateral movement by an attacker much more difficult, as more checkpoints exist at the weakest access points: verified employees who can be tricked.
Worldwide growth in hacktivists, nation-state actors and cybercriminals
CrowdStrike added Syria, Turkey and Columbia to its existing lineup of malefactor host countries, per Meyers, who said interactive intrusions in general were up 50% last year. This suggests that human adversaries are increasingly hoping to evade antivirus protection and machine defenses.
SEE: LastPass releases new security incident disclosure and recommendations (TechRepublic)
Among its findings was that legacy vulnerabilities like Log4Shell, keeping pace with ProxyNotShell and Follina — just two of Microsoft’s 28 zero days and 1,200 patches — were broadly exploited as nation-nexus and e-crime adversaries circumvented patches and side-stepped mitigations.
- China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions.
- Threat actors are getting faster; the average e-crime breakout time is now 84 minutes — down from 98 minutes in 2021. CrowdStrike’s Falcon team measures breakout time as the time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment.
- CrowdStrike noted a rise in vishing to direct victims to download malware and SIM swapping to circumvent multi-factor authentication.
- CrowdStrike saw a jump in Russia-nexus actors employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin’s intent to widen targeting sectors and regions where destructive operations are considered politically risky.
A rogues’ gallery of jackals, bears and other adversaries
With the newly tracked adversaries, CrowdStrike said it is now following more than 200 actors. Over 20 of the new additions were e-crime adversaries, including adversaries from China and Russia. They include actors CrowdStrike has named Buffalo (Vietnam), Crane (Republic of Korea), Kitten (Iran), Leopard (Pakistan) and the Hacktivist group Jackal as well as other groups from Turkey, India, Georgia, China and North Korea.
CrowdStrike also reported that one actor, Gossamer Bear, performed credential-phishing operations in the first year of the Russia-Ukraine conflict, targeting government research labs, military suppliers, logistics companies and non-governmental organizations.
Versatility key to cloud defenders and engineers
Attackers are using a variety of TTPs to shoehorn their way into cloud environments and move laterally. Indeed, CrowdStrike saw an increased use of both valid cloud accounts and public-facing applications for initial cloud access. The company also reported a greater number of actors aiming for cloud account discovery versus cloud infrastructure discovery and use of valid higher-privileged accounts.
Engineers working on cloud infrastructure and applications need to be increasingly versatile, understanding not only security but how to manage, plan, architect and monitor cloud systems for a business or enterprise.
To learn about cloud engineering responsibilities and skill sets, download the Cloud Engineer Hiring Kit at TechRepublic Premium.
Read next: How traditional security tools fail to protect companies against ransomware (TechRepublic)