IT security teams have about 90 minutes to detect and prevent an e-crime attacker moving from an initially compromised host to another host, according to a new report.
According to CrowdStrike’s annual Global Threat Report, the breakout time for hands-on eCrime intrusion activity in 2021 — where such a metric could be derived from attacks it examined — was an average of 1 hour and 38 minutes. That was just slightly above the average time in 2020.
“eCrime adversaries continue to show a high degree of sophistication, as evidenced by the speed at which they can move through a victim environment, leaving a very short window for defenders to respond,” says the report.
Threat actors continue to exploit vulnerabilities across endpoints and cloud environments, the report says, and to ramp up innovation on how they use identities and stolen credentials to bypass legacy defenses.
Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, the report also says. Instead they often use legitimate credentials and tools already present in IT systems (a practice known as “living off the land”, or LOTL) to evade detection by legacy antivirus products.
Of all detections indexed by CrowdStrike in the fourth quarter of 2021, 62 per cent were malware-free.
Another significant finding is that China-based threat actors are creating exploits for newly discovered software vulnerabilities faster than ever. Last year these groups exploited 12 vulnerabilities affecting nine different products. Ten named adversaries or activity clusters were linked to the exploitation of these vulnerabilities, and a number of other incidents were identified in which activity was likely linked to unnamed Chinese actors, the report says.
“For years, Chinese actors relied on exploits that required user interaction, whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code. In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services,” the report says.
For example, last year Chinese threat actors focused on exploiting a series of vulnerabilities in Microsoft Exchange — now collectively known as ProxyLogon and ProxyShell. They also continued to exploit internet-routing products such as VPNs and routers for both infrastructure acquisition and initial access purposes, says the report. Enterprise software products hosted on internet-facing servers, such as Zoho ManageEngine, Atlassian Confluence and GitLab, were also popular targets.
The report also covers Russia-based threat actors. For example, it says the group known to many researchers as Fancy Bear — associated with the 85th Main Center of the Special Services (aka Military Unit 26165) of Russia’s Main Intelligence Directorate (GRU) — decreased its use of malware last year and shifted toward increased use of credential-harvesting tactics, including both large-scale scanning techniques and victim-tailored phishing websites.
The group known as Cozy Bear used authentication cookie theft last year to bypass multifactor authentication (MFA) restrictions. This technique leverages existing local network access and has been used to access user accounts that have enterprise cloud service privileges, the report says.
Among the report’s recommendations to defenders:
- protect all workloads;
- invest in speed and agility to help make tactical decisions;
- know your enemy;
- eliminate misconfigurations.
The report can be downloaded here. Registration is required.