Hackers move from initial compromise to a second host in 90 minutes: CrowdStrike

IT security teams have about 90 minutes to detect and prevent an e-crime attacker moving from an initially compromised host to another host, according to a new report.

According to Crowdstrike’s annual Global Threat Report, the breakout time for hands-on eCrime intrusion activity in 2021 — where such a metric could be derived from attacks it examined —  was an average of 1 hour and 38 minutes. That was just slightly above the average time in 2020.

“eCrime adversaries continue to show a high degree of sophistication, as evidenced by the speed at which they can move through a victim environment, leaving a very short window for defenders to respond,” says the report.

Threat actors continue to exploit vulnerabilities across endpoints and cloud environments, the report says, and to ramp up innovation on how they use identities and stolen credentials to bypass legacy defenses.

Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, the report also says. Instead they often use legitimate credentials and tools included in IT systems (known as “living off the land” (LOTL)) to evade detection by legacy antivirus products.

Of all detections indexed by CrowdStrike in the fourth quarter of 2021, 62 per cent were malware-free.

Another significant finding is that Chinese-based threat actors are creating exploits of newly-discovered software vulnerabilities faster than ever. Last year these groups exploited 12 vulnerabilities affecting nine different products. Ten named adversaries or activity clusters were linked to the exploitation of these vulnerabilities and a number of other incidents were identified in which activity was likely linked to unnamed Chinese actors, the report says.

“For years, Chinese actors relied on exploits that required user interaction,
whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code. In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services,” the report says.

For example, last year Chinese threat actors focused on exploiting a series of vulnerabilities in Microsoft Exchange — now collectively known as ProxyLogon and ProxyShell. They also continued to exploit internet-routing products such as VPNs and routers for both infrastructure acquisition and initial access purposes, says the report. Enterprise software products hosted on internet-facing servers, such as Zoho ManageEngine, Atlassian Confluence and GitLab, were also popular targets.

The report also covers Russian-based threat actors. For example, it says the group known to many researchers as Fancy Bear — associated with the 85th Main Center of the Special Services (aka Military Unit 26165) of Russia’s Main Intelligence Directorate (GRU) — decreased their use of malware last year to shift toward increased use of credential-harvesting tactics including both large-scale scanning techniques and victim-tailored phishing websites.

The group known as Cozy Bear used authentication cookie theft last year to bypass multifactor authentication (MFA) restrictions. This technique leverages existing local network access and has been used to access user accounts that have enterprise cloud service privileges, the report says.

Among the report’s recommendations to defenders:

  • protect all workloads;
  • invest in speed and agility to help make tactical decisions;
  • know your enemy;
  • eliminate misconfigurations.

The report can be downloaded here. Registration is required.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now