CrowdStrike today released its 2023 Global Threat Report, revealing the current state of digital security. Among the key findings in the report is that cloud exploitation grew by 95%. Perhaps even more troubling is that there are now more “cloud-conscious” threat actors—that is, attackers with an emphasis on and skills in the cloud—than ever before by a wide margin.
“As organizations are increasingly migrating to the cloud, adversaries are adding the cloud to their targeting repertoire to expand the impact of their intrusions,” Adam Meyers, SVP of Intelligence, CrowdStrike, told SDxCentral. “The goals of adversaries often remain identical or similar in the cloud to their ambitions outside of the cloud—i.e., gain initial access, gain persistence, and move laterally.”
Less Malware, But More Credential Theft
There was a time when malware was the defining characteristic of online security and attacks, but that’s no longer the case. CrowdStrike reported that the vast majority (71%) of attacks it detected in 2022 did not involve the use of malware, compared to 62% in 2021. Instead of relying on malware, attackers are relying on other techniques, including credential theft, to gain unauthorized access.
“Ultimately, it all comes down to issues surrounding credential compromise,” Meyers said. “CrowdStrike observed adversaries time and time again moving past malware to infiltrate systems through legitimate credentials.” Infiltration is not the end game for many attackers and often leads to additional exploitation of victims. The 2023 Global Threat Report highlights that CrowdStrike observed a 20% increase in the number of adversaries conducting data theft and extortion campaigns.
Microsoft Vulnerabilities Are a Top Concern
One of the top-level findings in the CrowdStrike report is that adversaries are weaponizing and re-exploiting vulnerabilities.
Meyers noted that attackers are increasingly finding new ways to exploit previously identified bugs. “If the bug has been patched, they will ultimately find ways around the patch.”
Meyers added that, in some cases, such as Log4j, attackers have found alternative paths to trigger the bug. In other instances, a bug is found in a common application or library, and because that library is used in multiple products, multiple product vulnerabilities are identified. The other issue is the sheer volume of vulnerabilities, and in particular vulnerabilities patched by Microsoft. Meyers noted that Microsoft issued more than 900 patches in 2022, including 30 zero-day patches.
“We believe the biggest issue remains with Microsoft vulnerabilities,” Meyers said. “These issues continue to amplify the systemic risk that organizations are facing with the legacy architecture of Microsoft.”
SIM swapping is a type of social engineering attack where an attacker fraudulently transfers a victim’s phone number to a SIM card under their control. Meyers explained that SIM swapping is increasingly used to bypass various multi-factor authentication (MFA) solutions, and continues to be used for scams.
CrowdStrike reported that in 2022, Scattered Spider emerged and heavily targeted Business Process Outsourcing (BPO) companies, which are frequently used for outsourced account support by mobile telecoms. Meyers said that part of the goal was to conduct SIM swapping for profit, potentially targeting crypto traders. “The reason SIM swapping persists is that it is inherently present in cellular networks currently,” Meyers said. “The cellular network uses the SIM to identify users, so swapping the SIM on the account allows potential MFA bypasses.”