Key findings from the report:

- Breakout time, how long it takes for an adversary to start moving laterally across an IT network, reached an all-time low last year. The average fell to 48 minutes, while the fastest breakout time dropped to a mere 51 seconds.
- Voice phishing (vishing) attacks, where adversaries call victims to amplify their activities with persuasive social engineering techniques, saw explosive growth, up 442% between the first and second halves of 2024. This is part of a trend CrowdStrike sees from commodity malware operators: a shift from phishing to other tactics, including callback phishing and help desk social engineering attacks.
- Attacks related to initial access boomed, accounting for 52% of vulnerabilities observed by CrowdStrike in 2024. Providing access as a service became a thriving business for threat actors, as advertisements for access brokers increased 50% year-over-year.
- Among nation-states, China-nexus activity surged 150% overall, with some targeted industries suffering 200% to 300% more attacks than the previous year.
- GenAI played a pivotal role in sophisticated cyberattack campaigns last year. It enabled a North Korean-aligned threat actor dubbed Famous Chollima to create highly convincing fake IT job candidates that infiltrated victim organizations, and it helped China-, Russia-, and Iran-affiliated threat actors conduct AI-driven disinformation and influence operations to disrupt elections.

As an example of a malware-free attack, the report outlined tactics used by a threat actor it dubs Curly Spider, which it described as “one of the fastest and most adaptive eCrime adversaries, executing high-speed, hands-on intrusions.” After firing a large volume of spam emails impersonating charities, newsletters, or financial offers at an employee, a gang member calls the target posing as a help desk or IT support member. They claim the spam is caused by malware or outdated spam filters.
The employee is told to join a remote session using a tool like Microsoft Quick Assist or TeamViewer (the gang member even helps them download the tool). That lets the attacker into the IT system to download malicious payloads using curl or PowerShell, and to establish persistence through a backdoor. Another common threat actor tactic is calling a targeted organization’s IT help desk pretending to be a legitimate employee, and attempting to persuade support to reset passwords and/or multi-factor authentication (MFA) for an account.
Advice for CISOs: To stop these kinds of attacks, CrowdStrike urges CISOs to require video authentication with government identification for employees who call to request self-service password resets, and to train help desk employees to be cautious when taking password and MFA reset request phone calls made outside of business hours, particularly if an unusually high number of requests is made in a short time frame or if the caller purports to be calling on behalf of a colleague. It also helps to switch to additional, non-push-based authentication such as FIDO2 to prevent account compromise.

Meyers also said that, because threat actors are increasingly exploiting unpatched vulnerabilities, CISOs need to change their patch management strategy. Most organizations prioritize patching either by the prevalence of the vulnerability in their IT environment, or by severity using a CVSS criticality score. However, he noted, threat actors these days are chaining low-scoring vulnerabilities that they can use to create a higher criticality vulnerability. “Think about doing your patch management based on what your adversaries are actually exploiting,” Meyers advised CISOs. A vulnerability with a score of 7 may seem high, but not if it’s hard to exploit, he said. On the other hand, a lower severity vulnerability that’s being exploited against your firm’s vertical or geographic region is more important to remediate than others.

The full report is available for download. Registration is required.
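As an added illustration of the help desk advice above (example code written for this page, not from CrowdStrike or the article), the routine below scans constructed help desk reset-request log lines and flags the three signals the report singles out: calls outside business hours, a burst of requests in a short window, and a caller claiming to act for a colleague. The log format, field names, business-hours window and burst threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample help desk log (not real data): one phone-in reset request
# per line, fields: timestamp|ticket|account|request kind|requester.
SAMPLE_LOG = """\
2024-11-04T09:15:00|ticket-1001|jdoe|password_reset|self
2024-11-04T22:40:00|ticket-1002|asmith|mfa_reset|self
2024-11-05T03:05:00|ticket-1003|bwong|mfa_reset|on_behalf_of:rlee
2024-11-05T03:07:00|ticket-1004|rlee|password_reset|self
2024-11-05T03:09:00|ticket-1005|tnguyen|mfa_reset|self
2024-11-05T03:12:00|ticket-1006|kpatel|password_reset|self
2024-11-05T14:30:00|ticket-1007|mgarcia|password_reset|self
"""

BUSINESS_START, BUSINESS_END = 8, 18   # assumed local business hours (24h clock)
BURST_WINDOW = timedelta(minutes=15)   # assumed "short time frame"
BURST_THRESHOLD = 3                    # assumed count that is "unusually high"


@dataclass
class ResetRequest:
    ts: datetime
    ticket: str
    account: str
    kind: str
    requester: str  # "self" or "on_behalf_of:<colleague>"


def parse_log(text: str) -> list:
    """Parse the pipe-separated log into requests sorted by time."""
    reqs = []
    for line in text.splitlines():
        ts, ticket, account, kind, requester = line.split("|")
        reqs.append(ResetRequest(datetime.fromisoformat(ts), ticket, account, kind, requester))
    return sorted(reqs, key=lambda r: r.ts)


def flag_requests(reqs: list) -> dict:
    """Return {ticket: [reasons]} for requests that should get step-up verification."""
    flags = {}
    for i, r in enumerate(reqs):
        reasons = []
        if not BUSINESS_START <= r.ts.hour < BUSINESS_END:
            reasons.append("outside_business_hours")
        if r.requester.startswith("on_behalf_of:"):
            reasons.append("caller_claims_to_act_for_colleague")
        # Count this request plus earlier ones inside the trailing window.
        in_window = sum(1 for p in reqs[: i + 1] if r.ts - p.ts <= BURST_WINDOW)
        if in_window >= BURST_THRESHOLD:
            reasons.append("burst_of_requests")
        if reasons:
            flags[r.ticket] = reasons
    return flags
```

On the sample log, the four early-morning tickets are flagged for after-hours activity, two of them additionally as a burst, and ticket-1003 for a caller speaking for a colleague.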
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3836917/cisos-should-address-identity-management-as-fast-as-they-can-says-crowdstrike-exec.html