The number of Kerberoasting identity attacks has increased almost sixfold in the past year. Legitimate RMM tools, in turn, are being used three times more by hackers. Above all, these trends seem to show that hackers are looking for ways to fool around unseen in a corporate network for a longer period.
Identity-based intrusions are gaining traction with hackers. Last year, for example, the number of Kerberoasting identity attacks increased by 583 percent. This is according to the CrowdStrike 2023 Threat Hunting Report, which analyzes cyber attacks between July 2022 and June 2023 that were spotted by CrowdStrike’s elite threat hunters and information analysts.
Obtaining AD login data
A Kerberoasting attack aims to obtain the login credentials for Active Directory (AD) service accounts. Kerberos is a type of authentication that works through a unique identifier associated with the Network Controller service instance. This identifier is also called a Service Principal Name (SPN).
Hackers in a Kerberoasting attack request a Kerberos ticket for an SPN through an authorized domain user. The Kerberos ticket is encrypted, but hackers attempt to crack this mechanism to obtain the password to the service account.
Since the hacker can then legitimately log into an AD service account, the intrusion usually remains under the radar of IT teams. Many traditional security tools do not monitor the behavior of authorized users, which works in the hacker’s favor during a Kerberoating attack. Overall, valid accounts were misused in 62 percent of all interactive intrusions. In addition, it gives hackers more opportunities by often giving them more permissions associated with the account.
The report provides some tips on detecting this type of attack more quickly. For example, it is wise to regularly check Windows Event logs to see if many login attempts followed each other in a short period of time. Next, you better watch out for Kerberos network traffic with RC4 encryption, as this type of encryption is insecure. Finally, all accounts must have strong passwords.
Bypassing detection as a goal
Another notable trend pointed out by the report is the tripling in the use of legitimate RMM (Remote Monitoring & Management) tools. These tools are deployed by managed service providers (MSPs) to monitor and manage customers’ IT environments. Again, this is very interesting for hackers to bypass detection and blend into the noise of the enterprise. Possible follow-up steps after the initial intrusion include stealing sensitive data, implementing ransomware or installing customized follow-up tactics.
The study also confirms the findings of CISA. That U.S. body warned early this year that “cybercriminals can use any legitimate RMM software with malicious intent.” The warning followed the discovery of a widespread cyber campaign in which cybercriminals sent phishing emails to get users to download malicious RMM software.
Hackers are operating faster
It is definitely not the case that hackers really need more time in a corporate network. The average time it takes for an attacker to go from the original attack to other hosts in the victim’s environment lowered again, below the previous lowest point ever. The average now comes in at 79 minutes in 2023. In addition, the fastest breakout time of the year was recorded at just seven minutes.
“When we talk about stopping breaches, we cannot ignore the fact that adversaries are getting faster and faster and are using tactics deliberately designed to circumvent traditional detection methods. Security leaders must therefore ask their teams whether they have the right solutions in place to stop an attacker’s lateral movements in as little as seven minutes,” said Adam Meyers, head of Counter Adversary Operations at CrowdStrike.