CrowdStrike Report Sees Massive Increase in Kerberos Attacks

CrowdStrike has observed huge increases in cyber intrusions involving the abuse of valid accounts including attacks using the Windows Kerberos authentication protocol in the past year, according to its new CrowdStrike 2023 Threat Hunting Report.

The new report saw 62% of hands-on intrusions involving the abuse of valid accounts and a “staggering” 583% increase in attacks using stolen or forged Windows Kerberos tickets, a technique known as “Kerberoasting.”

The Kerberos network authentication protocol allows nodes communicating over a non-secure network, such as the internet, to share their identities with each other. Kerberoasting attacks, meanwhile, steal credentials associated with the protocol to escalate privileges and enable lateral movement within a victim’s IT environment.

A cybercriminal group called Vice Spider was responsible for 27 percent of the Kerberoasting attacks in the past year, said CrowdStrike, an ExtraHop technology partner.

Kerberos grants tickets to provide users with access based on service principal names (SPNs) often tied to existing accounts for network services. Consequently, these attacks “ usually have higher privileges and allow the adversary to extend their reach and gain access to sensitive files or systems,” the report said. “Additionally, these attacks can be challenging to detect because Kerberos activity is so prevalent in everyday telemetry, which allows adversaries to blend into the noise.”

The compromised tickets obtained during a Kerberoasting attack can lead to additional threat activity, including Kerberos golden ticket attacks, which allow an attacker to create Kerberos authentication tickets from a compromised service account.

ExtraHop has been helping customers protect against some Kerberos exploits since November 2020, and many of those capabilities can be seen in the interactive demo. Out of the box, the Reveal(x) platform analyzes nearly 30 different signatures to automatically detect different Kerberos abuse techniques, including indicators of golden ticket attacks. In addition, the platform can decrypt traffic from Windows domain controllers, offering unparalleled visibility into the network.

Attackers Connect to RMM Tools

In addition to Kerberoasting, the CrowdStrike report found a 312 percent increase in adversary use of standard remote access monitoring and management tools during the past year.

“The rampant use of legitimate remote monitoring and management (RMM) tools illustrates adversaries’ attempts to blend into enterprise noise and avoid detection,” the report said. One cybercrime group “utilizes numerous RMM tools, enabling them to avoid detection for protracted periods of time to access sensitive data and–more recently–deploy ransomware.”

In the past year, the CrowdStrike Falcon OverWatch™ managed threat hunting service saw RMM tools such as AnyDesk and ConnectWise ScreenConnect used in about 14% of all intrusions.

Reveal(x) is able to detect the signatures left by the RMM tools often deployed by adversaries when they attempt to execute malicious code on hosts. Attackers will often use this technique when attempting to persist inside the network, exfiltrate data, and establish command-and-control channels.

In addition, the report saw the technology, finance, retail, and healthcare industries as the top targets for threat actors in the past year. The technology sector is often targeted by adversaries engaging in so-called big game hunting (BGH), a type of cyberattack that often uses ransomware to target large, high-profile organizations, the report said.

Zero Trust to the Rescue

Finally, with 62 percent of all interactive intrusions using valid accounts, CrowdStrike advised organizations to regularly audit their user accounts and adopt zero trust approaches to cybersecurity, such as implementing the principle of least privilege for user accounts and role-based access control.

Several organizations have recognized that NDR, when combined with EDR and other technologies, is a key component for network access controls in a zero trust security strategy.

For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in its April 2023 ZeroTrust Maturity Model report, advised federal agencies that network and device visibility, two key capabilities of NDR solutions like Reveal(x) 360, are foundational pieces of a zero trust security model.

In addition, the U.S. Department of Defense, in its zero trust strategy, lists more than two dozen essential capabilities that NDR solutions can provide. These include monitoring network users, inspecting connected devices, and analyzing events, activities, and behaviors on the network.

To see how Reveal(x) 360 can defend against these and other top threats from the 2023 Threat Hunting Report, reach out to ExtraHop for a personalized demo.