{"id":88433,"date":"2023-03-07T17:00:44","date_gmt":"2023-03-07T17:00:44","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4045696"},"modified":"2023-03-07T17:00:44","modified_gmt":"2023-03-07T17:00:44","slug":"crowdstrike-attackers-focusing-on-cloud-exploits-data-theft","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88433","title":{"rendered":"CrowdStrike: Attackers focusing on cloud exploits, data theft"},"content":{"rendered":"<figure id=\"attachment_4021010\" aria-describedby=\"caption-attachment-4021010\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4021010\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/03\/crowdstrike-attackers-focusing-on-cloud-exploits-data-theft.jpg\" alt=\"A cloud and security symbol over a globe of connected internet of things devices.\" width=\"770\" height=\"433\"><figcaption id=\"caption-attachment-4021010\" class=\"wp-caption-text\">Image: Ar_TH\/Adobe Stock<\/figcaption><\/figure>\n<p>CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year \u2014&nbsp; identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. 
Cases involving \u201ccloud-conscious\u201d actors nearly tripled from 2021.<\/p>\n<p>\u201cThis growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,\u201d said CrowdStrike in its <a href=\"https:\/\/go.crowdstrike.com\/2023-global-threat-report?utm_campaign=brand&amp;utm_content=crwd-treq-en-x-tct-us-psp-x-trl-brnd-x_x_x_x-reports&amp;utm_medium=sem&amp;utm_source=bing&amp;utm_term=crowdstrike%202021%20global%20threat%20report&amp;msclkid=20c0d0ec9b7a1dcfa9bfb4eed5fa28c1\" target=\"_blank\" rel=\"noopener noreferrer\">2023 Global Threat Report<\/a>.<\/p>\n<h2 id=\"skies\">Skies are overcast for cloud security<\/h2>\n<p>Besides the raft of new threat actors in the wild that it pinpointed, CrowdStrike\u2019s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities.<\/p>\n<p>Also, cloud exploitation increased three-fold, with threat actors focused on infiltrating containers and other components of cloud operations, according to Adam Meyers, senior vice president of intelligence at CrowdStrike.<\/p>\n<p>\u201cThis was a massive uptick,\u201d Meyers said, pointing out that there were 288 cloud-attack incidents last year, and that the tectonic shift of enterprises to cloud-native platforms makes the environment attractive to hackers.<\/p>\n<p>\u201cFifteen years ago, Mac computers were more secure than any other, and the reason was not because Macs were inherently secure, it was because they constituted such a small portion of the market that attackers didn\u2019t prioritize them,\u201d Meyers said, adding that cloud was in the same position. 
\u201cIt was out there but not in the actors\u2019 interest to attack.<\/p>\n<p>\u201cToday you get <a href=\"https:\/\/www.techrepublic.com\/article\/on-premise-vs-cloud-security\/\">cloud security<\/a> right out of the box, but you need to continuously monitor it as well as make changes and customize it, which changes an organization\u2019s cloud-facing security posture.\u201d<\/p>\n<p>CrowdStrike said cloud-conscious actors gain initial cloud access by using valid accounts, resetting passwords or placing <a href=\"https:\/\/www.techrepublic.com\/videos\/web-shells-top-5-things-to-know\/\">web shells<\/a> designed to persist in the system, then attempting to get access via <a href=\"https:\/\/www.techrepublic.com\/article\/how-to-protect-your-organizations-single-sign-on-credentials-from-compromise\/\">credentials<\/a> and cloud providers\u2019 instance metadata services.<\/p>\n<p>In most cases, threat actors took such malicious actions as removing account access, terminating services, destroying data and deleting resources. The report found that:<\/p>\n<ul>\n<li>80% of cyberattacks used identity-based techniques to compromise legitimate credentials and to try to evade detection.<\/li>\n<li>There was a 112% year-over-year increase in advertisements for access-broker services \u2014 part of the e-crime threat landscape involved with selling access to threat actors.<\/li>\n<\/ul>\n<h2 id=\"defenders\">With defenders\u2019 scanning for malware, data extraction is easier<\/h2>\n<p>The CrowdStrike cybersecurity research tracked a continued shift away from malware use last year, with malware-free activity accounting for 71% of all detections in 2022 \u2014 up from 62% in 2021. 
This was partly related to adversaries\u2019 prolific abuse of valid credentials to facilitate access and persistence in victim environments.<\/p>\n<p>Martin Mao, CEO of cloud observability company Chronosphere, said the ubiquity of endpoint monitoring in real time made the insertion of malware less attractive.<\/p>\n<p>\u201cMalware is not only a lot easier to monitor now; there are standardized solutions to solve these kinds of attacks providing network infrastructure to mitigate them,\u201d said Mao.<\/p>\n<p>Last week\u2019s revelation of an attack on password manager <a href=\"https:\/\/www.techrepublic.com\/article\/lastpass-releases-new-security-incident-disclosure-recommendations\/\">LastPass<\/a>, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee\u2019s home computer, releasing to the attackers a trove of unencrypted customer data.<\/p>\n<p>\u201cHow do you detect compromise of credentials?\u201d said Mao. \u201cThere is no way to find that; no way for us to know about it, partly because the attack area is so much larger and almost impossible to oversee.\u201d<\/p>\n<h3>Cybercriminals shifting from ransomware to data theft for extortion<\/h3>\n<p>There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike\u2019s reckoning.<\/p>\n<p>One attacker, which CrowdStrike dubbed Slippery Spider, launched high-profile attacks in February and March 2022 that, according to the report, included data theft and extortion targeting Microsoft, Nvidia, Okta, Samsung and others. 
The group used public Telegram channels to leak data including victims\u2019 source code, employee credentials and personal information.<\/p>\n<p>Another group, Scattered Spider, focused social engineering efforts on customer relationship management and business process outsourcing, using phishing pages to capture authentication credentials for Okta, VPNs or edge devices, according to CrowdStrike. Scattered Spider would get targets to share multi-factor authentication codes or overwhelm them with notification fatigue.<\/p>\n<p>\u201cData extortion is way easier than deploying ransomware,\u201d said Meyers. \u201cYou don\u2019t have as much risk of detection as you would with malware, which is by definition malicious code, and companies have tools to detect it. You are removing that heavy lift.\u201d<\/p>\n<p><strong>SEE: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/new-national-cybersecurity-strategy\/\"><strong>New National Cybersecurity Strategy: resilience, regs, collaboration and pain (for attackers)<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n<h2 id=\"zero\">Zero trust is key to malware-free insurgency<\/h2>\n<p>The movement by threat actors away from ransomware and toward data exfiltration reflects a balance shift in the world of hacktivists, state actors and cybercriminals: It\u2019s easier to grab data than launch malware attacks because many companies now have robust anti-malware defenses in place at their endpoints and at other infrastructure vantage points, according to Meyers, who added that data extortion is as powerful an incentive to ransom as locked systems.<\/p>\n<p>\u201cCriminals doing data extortion are indeed changing the calculus behind ransomware,\u201d said Meyers. 
\u201cData is the thing most critical to organizations, so this necessitates a different way of looking at a world where people are weaponizing information by, for example, threatening to leak data to disrupt an organization or country.\u201d<\/p>\n<p>Meyers said zero trust is the way to counter this trend because minimizing access, which flips the \u201ctrust then verify\u201d model of infrastructure security, makes lateral movement by an attacker much more difficult, as more checkpoints exist at the weakest access points: verified employees who can be tricked.<\/p>\n<h2 id=\"worldwide\">Worldwide growth in hacktivists, nation-state actors and cybercriminals<\/h2>\n<p>CrowdStrike added Syria, Turkey and Colombia to its existing lineup of malefactor host countries, per Meyers, who said interactive intrusions in general were up 50% last year. This suggests that human adversaries are increasingly hoping to evade antivirus protection and machine defenses.<\/p>\n<p><strong>SEE: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/lastpass-releases-new-security-incident-disclosure-recommendations\/\"><strong>LastPass releases new security incident disclosure and recommendations<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n<p>Among its findings was that legacy vulnerabilities like <a href=\"https:\/\/www.techrepublic.com\/article\/open-source-code-software-risk\/#:~:text=on%20December%2014%2C%202022%2C%202%3A14%20PM%20PST%20As,open%20source%20community%E2%80%99s%20efforts%20to%20%E2%80%9Ccredit-rate%E2%80%9D%20the%20risk.\">Log4Shell<\/a>, keeping pace with ProxyNotShell and Follina \u2014 just two of Microsoft\u2019s 28 zero days and 1,200 patches \u2014 were broadly exploited as nation-nexus and e-crime adversaries circumvented patches and side-stepped mitigations.<\/p>\n<p>Of note:<\/p>\n<ul>\n<li>China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions.<\/li>\n<li>Threat actors are getting faster; the average 
e-crime breakout time is now 84 minutes \u2014 down from 98 minutes in 2021. CrowdStrike\u2019s Falcon team measures breakout time as the time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment.<\/li>\n<li>CrowdStrike noted a rise in vishing to direct victims to download malware and SIM swapping to circumvent multi-factor authentication.<\/li>\n<li>CrowdStrike saw a jump in Russia-nexus actors employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin\u2019s intent to widen targeting sectors and regions where destructive operations are considered politically risky.<\/li>\n<\/ul>\n<h2 id=\"rogue\">A rogues\u2019 gallery of jackals, bears and other adversaries<\/h2>\n<p>With the newly tracked adversaries, CrowdStrike said it is now following more than 200 actors. Over 20 of the new additions were e-crime adversaries, including adversaries from China and Russia. They include actors CrowdStrike has named Buffalo (Vietnam), Crane (Republic of Korea), Kitten (Iran), Leopard (Pakistan) and the hacktivist group Jackal as well as other groups from Turkey, India, Georgia, China and North Korea.<\/p>\n<p>CrowdStrike also reported that one actor, Gossamer Bear, performed credential-phishing operations in the first year of the Russia-Ukraine conflict, targeting government research labs, military suppliers, logistics companies and non-governmental organizations.<\/p>\n<h2 id=\"key\">Versatility key to cloud defenders and engineers<\/h2>\n<p>Attackers are using a variety of TTPs to shoehorn their way into cloud environments and move laterally. Indeed, CrowdStrike saw an increased use of both valid cloud accounts and public-facing applications for initial cloud access. 
The company also reported a greater number of actors aiming for cloud account discovery versus cloud infrastructure discovery and use of valid higher-privileged accounts.<\/p>\n<p>Engineers working on cloud infrastructure and applications need to be increasingly versatile, understanding not only security but how to manage, plan, architect and monitor cloud systems for a business or enterprise.<\/p>\n<p>To learn about cloud engineering responsibilities and skill sets, download the <a href=\"https:\/\/www.techrepublic.com\/resource-library\/whitepapers\/hiring-kit-cloud-engineer\/\">Cloud Engineer Hiring Kit<\/a> at TechRepublic Premium.<\/p>\n<p><strong>Read next: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/traditional-security-fails-to-protect-against-ransomware\/\"><strong>How traditional security tools fail to protect companies against ransomware<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image: Ar_TH\/Adobe Stock CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year \u2014&nbsp; identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving \u201ccloud-conscious\u201d actors nearly tripled from 2021. 
\u201cThis growth indicates a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88434,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,56,696,202,287],"tags":[],"class_list":["post-88433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-cybersecurity","category-malware","category-ransomware","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88433"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88433\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88434"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}