Hackers using stolen credentials to launch attacks as info-stealing peaks

Attackers now prefer abusing compromised valid accounts over phishing or any other initial access method to get into victim environments, according to an IBM report.

“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available — and easily accessible — on the dark web,” IBM said in the report.

The report, which draws on IBM X-Force's incident response and penetration testing data from 2023, also identified security misconfigurations and poor authentication enforcement as the top application security risks exposing organizations to identity-based attacks.

Additionally, the report identified a drop in enterprise ransomware incidents as organizations either had tools to prevent such attacks or were prepared to refuse payment in favor of rebuilding infrastructure if attacked.

Attackers preferred using available hacked credentials

Thirty percent of all the incidents X-Force responded to in 2023 involved abuse of valid accounts, making it the most common entry point into victim systems for the year. The volume of such attacks rose 71% year over year, according to the report.

Phishing, the top initial access vector in 2022, fell to a close second after a 44% drop in attack volume. The X-Force team attributed the significant drop to the continued adoption and re-evaluation of phishing mitigation techniques and strategies, on top of attackers shifting to valid accounts.

“In terms of phishing, while I believe that the threat remains in the critical category for organizations, because many phishing campaigns seek account credentials as the primary outcome, if cybercriminals have access to valid account credentials via other means (as noted in the report), the need to run a phishing campaign will decline,” said Michael Sampson, principal analyst at Osterman Research. “If this trend continues, we could expect to see future phishing campaigns becoming ever more targeted as cybercriminals seek to compromise accounts that they can’t get via other means.”

Lack of basic security opened organizations to attacks

The report identified security misconfigurations as the top web application risk, accounting for 30% of all application vulnerabilities found. The most common offense was allowing concurrent user sessions, which can weaken multi-factor authentication (MFA) through session hijacking: a hijacked session token grants access without ever triggering the second factor.

Identification and authentication failures, at 21%, were the second leading risk. The most common findings in that category were weak password policies, chiefly Active Directory password policies (19%), usernames that could be verified through error messages (17%), and, at 8% each, Server Message Block (SMB) signing not being required and URLs containing sensitive information.
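Two of the findings above, usernames verifiable through error messages and concurrent user sessions, are easy to see in code. The following is an added example written for this article, not code from the IBM report or from any product it covers. It assumes a hypothetical in-memory user and session store, PBKDF2-hashed passwords and opaque bearer tokens; the "leaky" login returns distinct errors for unknown users and bad passwords and never touches existing sessions, while the hardened login returns one generic error, hashes a dummy credential for unknown users so timing stays uniform, and revokes every earlier session for the account when a new one is issued.

```python
import hashlib
import hmac
import os
import secrets


class AuthStore:
    """Hypothetical in-memory user/session store used only for this demo."""

    ITERATIONS = 100_000  # PBKDF2 work factor; lowered only to keep the demo quick

    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.sessions = {}  # session token -> username
        # Dummy credential hashed for unknown usernames so the hardened login
        # spends the same time whether or not the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash("dummy-password", self._dummy_salt)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))


def login_leaky(store, username, password):
    """Vulnerable pattern: distinct error text tells an attacker which usernames
    exist, and each successful login adds a session without revoking old ones."""
    if username not in store.users:
        return None, "unknown user"
    salt, expected = store.users[username]
    if not hmac.compare_digest(store._hash(password, salt), expected):
        return None, "wrong password"
    token = secrets.token_urlsafe(32)
    store.sessions[token] = username
    return token, "ok"


def login_hardened(store, username, password):
    """Hardened pattern: one generic failure message, constant work for unknown
    users, and a single-session policy enforced at login."""
    salt, expected = store.users.get(username, (store._dummy_salt, store._dummy_hash))
    # Hash before checking existence so unknown users do not short-circuit.
    password_ok = hmac.compare_digest(store._hash(password, salt), expected)
    if not password_ok or username not in store.users:
        return None, "invalid username or password"
    # Revoke every other token bound to this account (no concurrent sessions).
    for stale in [t for t, u in store.sessions.items() if u == username]:
        del store.sessions[stale]
    token = secrets.token_urlsafe(32)
    store.sessions[token] = username
    return token, "ok"


def active_sessions(store, username):
    """Number of live session tokens currently bound to the account."""
    return sum(1 for u in store.sessions.values() if u == username)


def demo():
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")  # constructed test user
    # Enumeration: the leaky messages differ, the hardened ones do not.
    print("leaky   :", login_leaky(store, "bob", "x")[1], "|", login_leaky(store, "alice", "x")[1])
    print("hardened:", login_hardened(store, "bob", "x")[1], "|", login_hardened(store, "alice", "x")[1])
    # Concurrent sessions: two leaky logins leave two live tokens.
    login_leaky(store, "alice", "correct horse battery staple")
    login_leaky(store, "alice", "correct horse battery staple")
    print("sessions after two leaky logins   :", active_sessions(store, "alice"))
    # A hardened login replaces all of them with a single token.
    login_hardened(store, "alice", "correct horse battery staple")
    print("sessions after one hardened login :", active_sessions(store, "alice"))


if __name__ == "__main__":
    demo()
```

Revoking prior sessions at login is the simplest single-session policy; a real application would also bind the token to a server-side record with an idle timeout and re-prompt for the second factor on sensitive actions, so that a stolen token alone is not enough.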

This lack of basic security due diligence was not just a theoretical concern: the report indicated that in 84% of the critical infrastructure incidents in 2023, the initial access vector could have been mitigated with basic security routines.

“For a majority of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege,” the report added.

Decline in ransomware attacks

Ransomware incidents dropped 11.5% in 2023, which the report attributes to larger organizations being able to stop attacks before ransomware is deployed and, in some cases, opting to rebuild rather than pay for decryption if ransomware does take hold.

“Yes, there is global pushback on paying a ransom, although this may just push the payment and disclosure of payment away from public disclosure,” Sampson added. “In terms of rebuilding infrastructure, it can be done, but it requires a disciplined process of frequent backup and strong recovery protocols to be established before a successful ransomware infection. If those aren’t in place before an infection, the organization is out of luck. Backup has become a critical business resilience priority, not just an IT maintenance issue.”

Threat actors who have previously specialized in ransomware are showing increasing interest in info stealers, according to the report.

“These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector,” added the report. “As threat actors invest in infostealers to grow their credential repository, enterprises are pushed into a new defense landscape where identity can no longer be guaranteed.” There was a 266% increase in infostealer-related activities in 2023 compared to 2022, with several new infostealers debuting in the latter half of 2022, such as Rhadamanthys, LummaC2 and StrelaStealer. The uptrend of these info-stealing activities has likely contributed to the rise in abuse of valid accounts, the report added.
