Source: www.csoonline.com
Identity-based attacks fueled over half of security breaches last year, according to research from Cisco Talos, providing attackers initial access and valid means for lateral movement.
Abuse of legitimate privileged access is on the rise, accounting for the majority of security breaches last year, with stolen user identities being leveraged by malicious actors across various parts of the attack chain.
Harder to detect and more effective than malware-driven intrusions, these breaches, ransomware extortion among them, were carried out by stealing identifiers of several kinds: traditional login credentials, session tokens, API keys, and digital certificates, according to Cisco Talos' newly released 2024 Year in Review report.
The incident response team from Cisco Talos observed identity compromises in over 60% of the cases it investigated last year; for ransomware incidents, the rate was even higher, at 70%. This is the result of credential dumping from infected devices and of techniques aimed at defeating multi-factor authentication (MFA) implementations.
“Difficult to prevent and even harder to detect, identity-based attacks proved to be highly effective in 2024, allowing adversaries to go unnoticed for longer periods of time by using compromised valid accounts, foregoing the use of detectable malware, and sometimes leading to unfettered access to entire networks,” the Talos team wrote in its report.
Obtaining initial access with valid accounts
Ransomware gangs stand out for their extensive use of stolen credentials as a means of initial access into corporate networks. These groups often buy this access from threat actors known as initial access brokers (IABs) in the cybercriminal ecosystem.
Bulk lists of credentials commonly sell for $10 to $15 on the dark web, though experienced actors can charge between $1,000 and $3,000 for access to high-profile companies that can potentially be extorted for a lot of money, according to the Talos researchers.
Many of these credentials are extracted from computers using so-called infostealer malware, malicious programs that scour the operating system and installed applications for saved usernames and passwords, browser session tokens, SSH and VPN certificates, API keys, and more.
The advantage of using stolen credentials for initial access is that they require less skill than exploiting vulnerabilities in publicly facing applications or tricking users into installing malware from email links or attachments, although these initial access methods remain popular as well.
According to the report, 20% of ransomware attacks involved exploiting known vulnerabilities and 12% relied on drive-by compromise. Phishing also remains high on the list of initial access methods, being observed in almost a quarter of all incidents investigated by the Talos Incident Response team last year.
Attackers continue to impersonate popular brands in their phishing messages, with Microsoft Outlook, Apple, LinkedIn, Amazon, PayPal, Shein, Prime, and Netflix among the top abused brands. But more enterprise-specific services and terms are also frequently used, including DHL Express, Confluence, SharePoint Online, WordPress, HR Department, Docusign, Accounts Payable, Support, and Admin.
Malicious links are by far the most popular phishing method, used by 58% of rogue emails, followed by malicious attachments (25%) and voice phishing (17%).
Lateral movement: Leveraging privileged access to act in plain sight
Once attackers are on the corporate network, compromised credentials also allow them to expand access to other internal systems with a reduced likelihood of being discovered or triggering malware detection.
According to Talos, nearly half of investigated identity attacks targeted Active Directory, with another 20% targeting cloud applications. Dumping credentials stored in the operating system's credential stores is a very popular technique, as evidenced by the open-source credential dumping tool Mimikatz being the top LOLBin (living-off-the-land binary) observed by Talos IR during its investigations, even though Mimikatz is a third-party offensive tool rather than a native OS binary.
PsExec, the second-most popular LOLBin, can be used to execute processes and open command shells on other Windows systems remotely using valid credentials such as those extracted by Mimikatz. Free remote access tools abused in attacks also include AnyDesk and Splashtop, along with RDP itself and its helper process rdpclip. These are all well suited to lateral movement: they are not malware by nature, but common tools used by system administrators.
“While the majority of actors targeted credentials in LSASS memory and Active Directory, we also saw a variety of other techniques in this threat category, including attempts to extract credentials from the Security Account Manager (SAM) database, attempts to access cached domain credentials, the use of a technique called DCSync to abuse a Windows Domain Controller’s API, and attempts to access Local Security Authority (LSA) secrets — which can contain a variety of different credential materials — which adversaries can obtain with system access to a host,” the Talos team observed.
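The two techniques named most often above, reading LSASS memory (what Mimikatz does) and DCSync (asking a domain controller to replicate secrets), both leave a distinctive trace in Windows event logs. The following is an added example, not code from the article or from Talos: it runs two detection rules over event records already parsed into dicts. The LSASS rule looks for Sysmon Event ID 10 where any process other than an allowlisted one opens lsass.exe with the PROCESS_VM_READ right; the DCSync rule looks for Security Event ID 4662 where an account that is neither a domain controller nor a directory sync account exercises the replication extended rights on the domain object. The replication GUIDs are the standard Windows values; the sample events, host names, allowlisted accounts and paths are constructed for the example and must be tuned to a real environment.

```python
"""Detection logic for two of the credential-theft techniques named above:
reading LSASS memory (as Mimikatz does) and DCSync (replicating secrets
from a domain controller). Both run over event records already parsed
into dicts; the records, host names and allowlists here are constructed."""

PROCESS_VM_READ = 0x0010  # access right a process needs to read another process's memory

# Extended-rights GUIDs a DCSync caller exercises on the domain object (standard Windows values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlists for the constructed environment: tune to your own.
DC_ACCOUNTS = {"DC01$", "DC02$"}                   # domain controllers replicate legitimately
SYNC_ACCOUNTS = {"MSOL_5f2a9c1d0b7e"}              # hypothetical Entra Connect sync account
TRUSTED_LSASS_READERS = {r"c:\program files\windows defender\msmpeng.exe"}


def lsass_read_alerts(events):
    """Sysmon Event ID 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    alerts = []
    for e in events:
        if e.get("EventID") != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(e["GrantedAccess"], 16)        # Sysmon logs the mask as a hex string
        source = e["SourceImage"]
        if granted & PROCESS_VM_READ and source.lower() not in TRUSTED_LSASS_READERS:
            alerts.append({"rule": "lsass-read", "host": e["Computer"],
                           "source": source, "access": hex(granted)})
    return alerts


def dcsync_alerts(events):
    """Security Event ID 4662: replication rights used by an account that is neither a DC nor a sync account."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()       # GUIDs of the rights exercised, in braces
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        user = e["SubjectUserName"]
        if not rights or user in DC_ACCOUNTS or user in SYNC_ACCOUNTS:
            continue
        alerts.append({"rule": "dcsync", "host": e["Computer"], "user": user, "rights": rights})
    return alerts


def run_detections(events):
    return lsass_read_alerts(events) + dcsync_alerts(events)


# Constructed sample records; field names follow the Sysmon and Security event schemas.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS042", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},   # allowlisted AV
    {"EventID": 10, "Computer": "WS042", "SourceImage": r"C:\Windows\Temp\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},   # VM_READ from Temp
    {"EventID": 10, "Computer": "WS042", "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},   # query only, no read
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},                       # user pulling secrets
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},                       # unrelated right
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the LSASS rule fires once (the svchost.exe copy in C:\Windows\Temp) and the DCSync rule fires once (jdoe exercising DS-Replication-Get-Changes-All); the Defender process, the query-only Task Manager handle and the DC02$ replication are all suppressed. In production the allowlist for LSASS readers should be as short as possible and keyed on signed, full paths, since an attacker can name a binary anything.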
Education, public administration, manufacturing, and healthcare entities saw the highest number of ransomware attacks last year. Organizations from these sectors tend to have weaker network segmentation and large attack surfaces in terms of the number of devices and servers, providing attackers with more opportunities to perform lateral movement once they gain access to valid identities.
“In August 2024, a Cisco customer in the manufacturing sector reported that multiple endpoint detection and response (EDR) solutions had unexpectedly been uninstalled from servers hosted in the organization’s managed data center, including two domain controllers, potentially indicating threat actors had full Active Directory domain access,” the Talos team wrote. “In this investigation, Talos IR observed evidence suggesting the actor had compromised the Active Directory in preparation for deploying ransomware. The adversary leveraged ADExplorer, a utility that is part of the suite of the Sysinternals admin tools, to browse the different domains in the environment and dump the Active Directory database.”
As the most widely used authentication and authorization solution in enterprise IT, Active Directory (AD) is a gold mine for attackers. It’s critical for organizations to follow industry best practices when configuring and designing security policies for Active Directory.
Accessing cloud assets in hybrid environments
Most organizations’ infrastructure extends to the cloud, with services linking Microsoft Entra ID (formerly Azure Active Directory) to on-premises AD installations. Because of this, attackers have become adept at jumping from cloud environments into local networks, or the reverse, which extends the types of credentials system admins need to protect by adding API keys and session tokens to the mix.
“Skilled actors have created tooling that is freely available on the open web, easy to deploy, and designed to specifically target cloud environments,” the Talos researchers found. “Some examples include ROADtools and AADInternals, publicly available frameworks designed to enumerate Microsoft Entra ID environments. These tools can collect data on users, groups, applications, service principals, and devices, and execute commands.”
These are often coupled with techniques that exploit missing or misconfigured MFA. For example, push spray attacks, also known as MFA bombing or MFA fatigue, flood the user’s phone with MFA push notifications until the user, annoyed or assuming the system is malfunctioning, approves the login.
Other techniques involve tricking victims into enrolling a new attacker-controlled device as an approved MFA device on their account, or using a phishing kit that proxies the victim’s requests in real time to the legitimate website and relays the MFA code the victim types in. Because the victim completes the second factor on the attacker’s behalf, one-time codes and push approvals offer no protection against the proxy variant.
In one example Talos IR investigated, attackers compromised a university with more than 100,000 users by tricking a system admin into clicking an authentication link that added the attacker’s device to the university’s MFA-approved list. The attackers already had the administrator’s username and password, likely from a separate breach or an IAB.
With access to the admin’s account, the attackers sent highly credible phishing emails to other users throughout the organization. One of the biggest pitfalls in this case was that the university had more than 50 accounts with admin privileges, all of which were external contractors, significantly increasing the chances one could be compromised.
With the rise of gen AI chatbots and increasingly sophisticated large language models in recent years, phishing attacks are becoming more varied, sophisticated, and harder to spot, which means that identity-based attacks are even more likely to occur. According to Talos, social engineering was the top observed use of AI for both cybercriminal and state-sponsored cyberespionage groups last year.
Mitigations
“We frequently observe accounts (i.e., user, admin, and service) with excessive or incorrect privileges, accounts with weak or default passwords, flat network architectures, and missing or misconfigured MFA,” the Talos team said. “Our recommendations for mitigating Active Directory compromises are in line with CISA’s strategies to mitigate the 17 most common techniques used by adversaries and malicious actors to compromise Active Directory.”
Since an increasing number of attacks against organizations rely on identity-based techniques, the Talos team strongly advises turning on MFA for accounts and services that don’t have it configured. For example, enterprise VPN accounts often lack this added protection, based on Talos’ observations. But simply adding MFA isn’t enough if it’s not properly configured and account activity is not monitored for suspicious behavior.
Educating users on MFA exhaustion attacks and enforcing stricter MFA prompt thresholds per IP or device is also recommended, as well as enabling higher-security factors such as challenge-response authentication, where users are also presented with security questions they must answer. Organizations should also continuously monitor new MFA device enrollments and enforce stricter policies for such enrollment where possible.
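The push spray and device enrollment abuse described earlier, and the prompt thresholds and enrollment monitoring recommended here, can be reduced to two small controls. The following is an added example and is not code from the article or from Talos: a sliding-window throttle that refuses to send another push once a (user, source IP) pair has hit a limit within a window, and a detector that reads authentication log lines for a spray followed by an approval, and for an MFA device enrollment from an IP that has never completed an ordinary (non-sprayed) approved sign-in for that user. The JSON log format, the event and field names, the thresholds and the sample lines are all constructed for the example; map them onto your own IdP's log schema.

```python
"""Controls for the MFA abuse described above: a sliding-window push throttle
per (user, source IP), and a detector that reads authentication log lines for
push spray followed by an approval and for MFA device enrollment from an IP
that has never completed an ordinary approved sign-in for that user. The JSON
log format, field names, thresholds and sample lines are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_LIMIT = 3                      # pushes allowed per (user, ip) inside the window (assumed value)
PUSH_WINDOW = timedelta(minutes=10)


class PushThrottle:
    """Refuse to send another push once (user, ip) has hit PUSH_LIMIT within PUSH_WINDOW."""

    def __init__(self, limit=PUSH_LIMIT, window=PUSH_WINDOW):
        self.limit, self.window = limit, window
        self._sent = defaultdict(deque)       # (user, ip) -> timestamps of pushes sent

    def allow_push(self, user, ip, now):
        q = self._sent[(user, ip)]
        while q and now - q[0] > self.window:  # drop sends that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse_log(lines):
    """One JSON object per line; returns events sorted by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, limit=PUSH_LIMIT, window=PUSH_WINDOW):
    alerts = []
    pushes = defaultdict(deque)        # user -> timestamps of pushes sent
    spray_seen = {}                    # user -> time the spray threshold was crossed
    trusted_ips = defaultdict(set)     # user -> IPs with an approval not preceded by a spray
    for e in parse_log(lines):
        user, ip, ts, kind = e["user"], e["ip"], e["ts"], e["event"]
        if kind == "mfa_push_sent":
            q = pushes[user]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= limit and user not in spray_seen:
                spray_seen[user] = ts
                alerts.append({"rule": "push-spray", "user": user, "ip": ip, "pushes": len(q)})
        elif kind == "mfa_push_approved":
            if user in spray_seen and ts - spray_seen[user] <= window:
                alerts.append({"rule": "push-spray-approved", "user": user, "ip": ip})
            else:
                trusted_ips[user].add(ip)  # a normal approval establishes the IP as known-good
        elif kind == "mfa_device_enrolled":
            if ip not in trusted_ips[user]:
                alerts.append({"rule": "enrollment-untrusted-ip", "user": user,
                               "ip": ip, "device": e.get("device")})
    return alerts


# Constructed sample log: jdoe behaves normally; asmith is sprayed from 203.0.113.7,
# approves, and a new device is then enrolled from the same IP.
SAMPLE_LOG = """
{"ts": "2024-08-12T09:00:00+00:00", "user": "jdoe", "event": "mfa_push_sent", "ip": "10.0.0.5"}
{"ts": "2024-08-12T09:00:20+00:00", "user": "jdoe", "event": "mfa_push_approved", "ip": "10.0.0.5"}
{"ts": "2024-08-12T09:05:00+00:00", "user": "jdoe", "event": "mfa_device_enrolled", "ip": "10.0.0.5", "device": "iPhone"}
{"ts": "2024-08-13T02:00:00+00:00", "user": "asmith", "event": "mfa_push_sent", "ip": "203.0.113.7"}
{"ts": "2024-08-13T02:00:40+00:00", "user": "asmith", "event": "mfa_push_denied", "ip": "203.0.113.7"}
{"ts": "2024-08-13T02:01:10+00:00", "user": "asmith", "event": "mfa_push_sent", "ip": "203.0.113.7"}
{"ts": "2024-08-13T02:02:05+00:00", "user": "asmith", "event": "mfa_push_sent", "ip": "203.0.113.7"}
{"ts": "2024-08-13T02:02:50+00:00", "user": "asmith", "event": "mfa_push_approved", "ip": "203.0.113.7"}
{"ts": "2024-08-13T02:06:00+00:00", "user": "asmith", "event": "mfa_device_enrolled", "ip": "203.0.113.7", "device": "Android"}
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises three alerts for asmith (the spray, the approval inside the spray window, and the enrollment from an IP with no clean approval history) and none for jdoe. The throttle would have stopped the third push to asmith from ever being sent had it been in front of the push service; pairing enforcement with detection matters because an attacker who rotates source IPs can slip under a per-IP limit, which is why the detector keys the spray count on the user alone.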
Original Post url: https://www.csoonline.com/article/3952041/malicious-actors-increasingly-put-privileged-identity-access-to-work-across-attack-chains.html
Category & Tags: Cyberattacks, Cybercrime, Data and Information Security, Identity and Access Management, Multifactor Authentication