Report: Hackers Shift from Malware to Credential Hijacking


Cybersecurity firm CrowdStrike tracked record levels of cyber intrusion activity over the past year.

Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report released by cybersecurity firm CrowdStrike.

“According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.”

The report comes on the heels of guidance and policy documents the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget issued Tuesday to help agencies implement security systems based on the concept of zero trust and to comply with a May 12 executive order. 

The executive order was largely in reaction to a series of hacks, most notably that of the IT management firm SolarWinds, which brought in CrowdStrike to help respond to an attack U.S. officials have attributed to the Russian Foreign Intelligence Service.  

The CrowdStrike report, which covers the period of July 1, 2020 through June 30, 2021, doesn’t mention SolarWinds by name, but in a section on supply chain compromise, it describes the same attack scenario while highlighting the credential-stealing tactic.

“Following the deployment of Falcon in a technology company’s environment, OverWatch hunters uncovered evidence of a deeply embedded hands-on intrusion,” according to the report, referencing CrowdStrike products. “Hunters tracked the activity and found that the adversary was using compromised credentials to access an internal code sharing repository. The source code within the repository was used for a legitimate software product that the victim delivered to its customers. The adversary used this compromised account to perform discovery and file interaction related to this repository, providing them the potential opportunity to maliciously manipulate the software before delivery to end users.”

The zero-trust principle emphasizes constantly checking and verifying the identity of users, both inside and outside a network, and employing measures such as multifactor authentication that make it harder to impersonate legitimate accounts.

According to the CrowdStrike report, adversaries have also gotten much faster this year at moving “from an initially compromised host to another host within the victim environment.” The average “breakout time,” as it’s called, for the period covered was 1 hour and 32 minutes. That’s three times quicker than observed in the previous year, according to CrowdStrike’s press release. And according to the 2021 report, in 36% of successful cases, the process only took 30 minutes.
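The "breakout time" metric above, measured from an initially compromised host to the first move onto another host, is something a defender can compute from their own authentication logs. The following is an added example and is not code from CrowdStrike or the report; it assumes a simplified logon-event format of (timestamp, account, source host, destination host) and uses constructed sample events, flagging any account that breaks out within the 30-minute window the report cites.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample logon events (hypothetical, not taken from the report):
# (ISO-8601 timestamp, account, source host, destination host).
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", "jdoe", "vpn-gw", "ws-014"),     # jdoe lands on ws-014
    ("2021-03-01T09:20:00", "jdoe", "ws-014", "ws-014"),     # local activity, not a move
    ("2021-03-01T10:05:00", "jdoe", "ws-014", "fs-02"),      # first lateral move (65 min later)
    ("2021-03-01T11:30:00", "jdoe", "fs-02", "dc-01"),
    ("2021-03-01T08:55:00", "svc_backup", "bk-01", "bk-01"), # never leaves its host
    ("2021-03-01T12:00:00", "mallory", "vpn-gw", "ws-031"),  # mallory lands on ws-031
    ("2021-03-01T12:18:00", "mallory", "ws-031", "fs-02"),   # breaks out after 18 min
    ("2021-03-02T08:00:00", "asmith", "vpn-gw", "ws-022"),
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def breakout_time(events, account: str) -> Optional[timedelta]:
    """Time from an account's first logon onto a host until its first logon
    from that host to a different host.  Returns None if the account never
    moves laterally (or has no events at all)."""
    acct = sorted((_parse(t), src, dst) for t, a, src, dst in events if a == account)
    if not acct:
        return None
    first_ts, _, first_host = acct[0]
    for ts, src, dst in acct:
        if src == first_host and dst != first_host:
            return ts - first_ts
    return None


def lateral_path(events, account: str) -> list:
    """Ordered list of distinct hosts the account logged on to, which gives an
    analyst the chain of hosts to examine after a fast breakout is flagged."""
    acct = sorted((_parse(t), src, dst) for t, a, src, dst in events if a == account)
    path = []
    for _, _, dst in acct:
        if dst not in path:
            path.append(dst)
    return path


def fast_breakouts(events, threshold: timedelta = timedelta(minutes=30)) -> dict:
    """Map of account -> breakout time for every account that moved to a
    second host within the threshold (30 minutes, per the figure quoted above)."""
    flagged = {}
    for account in sorted({a for _, a, _, _ in events}):
        bt = breakout_time(events, account)
        if bt is not None and bt <= threshold:
            flagged[account] = bt
    return flagged


if __name__ == "__main__":
    for account, bt in fast_breakouts(SAMPLE_EVENTS).items():
        print(f"{account}: broke out in {bt}, path {lateral_path(SAMPLE_EVENTS, account)}")
```

Real environments would feed this from Windows Security event 4624 or equivalent directory-service logs rather than a hand-built list, and the threshold should be tuned to the organisation's own response time, since the point of the metric is whether responders can contain an intrusion before it spreads.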