The number of Kerberoasting identity attacks has increased nearly six times in the past year. Hackers, on the other hand, used legitimate RMM (Remote Monitoring and Management) tools three times as much last year. These trends mainly seem to show that hackers are looking for ways to stay in a company network unseen for longer. Identity-based intrusions are increasingly favoured by hackers. Last year, the number of Kerberoasting identity attacks increased by 583 percent.
Obtain AD credentials – Kerberoasting Attack
The purpose of a Kerberoasting attack is to obtain the credentials for Active Directory (AD) service accounts. Kerberos is a type of authentication that works through a unique identifier associated with the Network Controller service instance. This identifier is also called a Service Principal Name (SPN).
In a Kerberoasting attack, hackers request a Kerberos ticket for an SPN through an authorised domain user. The Kerberos ticket is encrypted, but hackers try to crack this mechanism to get the password from the service account.
Since the hacker can then legitimately log into an AD service account, the intrusion often remains undetected by IT teams. Many traditional security tools do not monitor the behaviour of authorised users, which works to the hacker’s advantage in a Kerberoasting attack. Overall, 62 percent of all interactive break-ins involved misusing valid accounts. It also gives hackers more options, because they often gain the additional rights that are linked to the account.
The report provides some tips to detect this type of attack more quickly. For example, it is wise to regularly check Windows Event logs to determine whether a high number of login attempts occurred in quick succession. You also need to look for Kerberos network traffic with RC4 encryption; this type of encryption is insecure. As always, it is very important that all accounts have a strong password.
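The two checks above can be combined into one piece of detection logic over exported Security events. This is an added example, not code from the report or from the original article: it assumes event ID 4769 (Kerberos service ticket requested) records exported as CSV lines, and the function names, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # Ticket Encryption Type for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=5)   # assumed burst window, tune per environment
MAX_SERVICES = 3                # assumed: more distinct services than this is a burst

# Constructed sample export: time, event ID, requesting account, service name, encryption type
SAMPLE = """\
2023-08-01T09:00:05,4769,alice,svc_web,0x12
2023-08-01T10:15:01,4769,bob,svc_sql,0x17
2023-08-01T10:15:02,4769,bob,svc_web,0x17
2023-08-01T10:15:02,4769,bob,svc_backup,0x17
2023-08-01T10:15:04,4769,bob,svc_share,0x17
2023-08-01T10:15:04,4769,bob,FILESRV01$,0x17
2023-08-01T08:00:00,4769,dave,svc_sql,0x17
2023-08-01T11:00:00,4769,dave,svc_web,0x17
2023-08-01T14:00:00,4769,dave,svc_backup,0x17
2023-08-01T17:00:00,4769,dave,svc_share,0x17
2023-08-01T10:15:03,4624,bob,-,-
"""

def parse_events(text):
    """Keep only service ticket requests (4769) and parse their timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, service, etype = line.split(",")
        if event_id == "4769":
            events.append((datetime.fromisoformat(ts), account, service, etype.lower()))
    return events

def flag_rc4_bursts(events, window=WINDOW, max_services=MAX_SERVICES):
    """Map each account to the services behind a burst of RC4 ticket requests."""
    requests = defaultdict(list)
    for when, account, service, etype in events:
        # Computer accounts (name ends in $) use machine-generated passwords: skip as noise
        if etype == RC4_HMAC and not service.endswith("$"):
            requests[account].append((when, service))
    flagged = {}
    for account, reqs in requests.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            services = {name for _, name in reqs[start:end + 1]}
            if len(services) > max_services:
                flagged.setdefault(account, set()).update(services)
    return {account: sorted(names) for account, names in flagged.items()}
```

In the sample, only the account that requests RC4 tickets for four different service accounts within seconds is flagged; the same four requests spread over a working day are not.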
Evading detection as a goal
Another notable trend is the tripling in the use of legitimate RMM (Remote Monitoring & Management) tools. These tools are used by managed service providers (MSPs) to monitor and manage customers’ IT environments. For hackers, they are again an attractive way to evade detection and blend into the noise of the company. Possible follow-up steps after the initial intrusion include stealing sensitive data, deploying ransomware, or installing custom follow-up tactics.
Hackers operate faster
However, hackers are certainly not trying to go unnoticed for longer because they really need that time. The average time it takes an attacker to move from the original attack to other hosts in the victim’s environment fell below its previous all-time low. The average is now 79 minutes in 2023. The fastest breakout time of the year was recorded at just seven minutes.
Tech-Wales Cyber Security
To adequately secure your organisation, it is important that you understand the different types of risks it can be exposed to. Understanding the threat areas, creating a sound telecommuting policy and remediation plan, as well as investing in a strong cybersecurity solution are useful ways to protect your organisation against cybercriminals.
At Tech-Wales we offer excellent cyber security services and cyber security consulting for your business. Also have a look at disaster recovery services. Do not leave your cyber security to chance and contact us today!