Cyberattacks using valid user credentials spiked by 71% in 2023, according to a study by IBM. According to the report by its security team X-Force, abuse of legitimate credentials constituted a third of all cyberattacks on enterprises. Additionally, cybercriminal groups that previously relied on ransomware for their ill-gotten gains were observed pivoting to infostealers.
“While ‘security fundamentals’ doesn’t get as many head turns as ‘AI-engineered attacks,’ it remains [the case] that enterprises’ biggest security problem boils down to the basic and known – not the novel and unknown,” said the head of IBM X-Force, Charles Henderson. “Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimise the tactic.”
Abusing valid user credentials more expedient for hackers
X-Force also observed a 266% year-on-year uptick in the deployment of infostealing malware. Such programs are used to steal data like bank details, email and home addresses, and phone numbers. Used intelligently, and infostealing malware can be used to reconstruct a legitimate identity and spoof corporate cybersecurity measures primarily designed to look out for misaligned credentials. According to the study, these attacks often necessitated much more complex responses by defenders and, according to IBM’s previous ‘Cost of a Data Breach’ report, required an average of 11 months to detect and recover from.
Critical national infrastructure (CNI) appears to be especially vulnerable to these types of cyberattacks. Last year, 85% of the attacks X-Force detected against CNI originated from phishing emails, the exploitation of public-facing applications, and the use of legitimate credentials to simply log into systems. Instances of so-called “kerberoasting” attacks, which involve attackers impersonating users and convincing IT security teams to escalate their privileges – also rose by 100%.
Generative AI set to widen cybersecurity threat
Generative AI will only exacerbate the infostealing threat, said IBM, arguing that once the market for the technology has consolidated to three or fewer products, “it could trigger the maturity of AI as an attack surface, mobilizing further investment in new tools from cybercriminals.”
For the moment, however, the study advised that companies should look to shoring up their cyber-defences against more basic threats. Up to 85% of attacks on critical sectors, said IBM, could have been mitigated with the effective implementation of protocols like multi-factor authentication, the imposition of least-privilege principals, or simply by patching more regularly.
News that cybercriminals increasingly favour abusing valid user credentials to attack corporations over and above hacking into their systems does not surprise ESET’s Jake Moore. “Cybercriminals often log into networks as part of their reconnaissance and research into a potential target company,” Moore told Tech Monitor. “By not immediately stealing or causing visible damage, they aim to remain undetected for as long as possible, increasing their chances of success in subsequent malicious activities. Moreover, doubled up with the latest AI-aided attacks, such threats are becoming more powerful yet timely. It is clear that optimisation and timing are key to remaining under the radar for as long as possible in carrying out such targeted attacks.”