According to cybersecurity firm CrowdStrike's annual report, cybercriminals are relying less on malware and more on credential hijacking, leading to cyberattacks that are more difficult to detect.
The report states that 68 percent of detections during the previous three months were not malware-based. Rather than writing malware to the endpoint, cybercriminals are using legitimate credentials and built-in tools (living off the land) to achieve their objectives.
The shift is a deliberate effort "to evade detection by traditional antivirus products," the report said.
The report describes an attack scenario identical to the attack on IT management firm SolarWinds. It notes that cybercriminals used "compromised credentials to access an internal code sharing repository." The hackers used the compromised account, which had access to source code for legitimate software that the organization delivered to its customers, to perform discovery and file interaction that gave them "the potential opportunity to maliciously manipulate the software before delivery to end users."
The report also states that, over the past year, hackers have become quicker at moving "from an initially compromised host to another host within the victim environment." This breakout takes an average of one hour and 32 minutes, three times faster than during the previous year, and thirty-six percent of successful cases took only 30 minutes.
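The "breakout time" the report measures is the interval between an account's first logon on the initially compromised host and its first logon on any other host. The following is an added example (not code from the report or from the nextgov article) that computes that interval per account from constructed logon records and flags the ones that fall inside the 30-minute bucket the report calls out; the field layout (timestamp, account, host) and the sample values are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of successful logon events (illustrative, not real data).
# Fields: ISO-8601 timestamp, account name, host that was logged on to.
SAMPLE_EVENTS = [
    ("2021-05-03T09:00:00", "svc_backup", "WS-0142"),
    ("2021-05-03T09:05:00", "svc_backup", "WS-0142"),
    ("2021-05-03T09:21:00", "svc_backup", "FS-01"),    # first logon on a second host
    ("2021-05-03T10:40:00", "svc_backup", "DC-01"),
    ("2021-05-03T08:30:00", "j.doe",      "WS-0077"),
    ("2021-05-03T08:45:00", "j.doe",      "WS-0077"),
    ("2021-05-03T12:10:00", "j.doe",      "WS-0077"),  # never leaves its first host
    ("2021-05-03T07:00:00", "admin_t1",   "WS-0200"),
    ("2021-05-03T09:02:00", "admin_t1",   "APP-03"),
]


def breakout_times(events):
    """Return {account: timedelta or None}.

    Breakout time runs from the account's first logon (on its initial host)
    to its first logon on any different host. None means the account was
    never seen on a second host within the sample.
    """
    by_account = {}
    # ISO-8601 strings sort chronologically, so a plain tuple sort orders by time.
    for ts, account, host in sorted(events):
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), host))

    result = {}
    for account, seq in by_account.items():
        first_ts, first_host = seq[0]
        result[account] = None
        for ts, host in seq[1:]:
            if host != first_host:
                result[account] = ts - first_ts
                break
    return result


def flag_fast_breakouts(events, threshold=timedelta(minutes=30)):
    """Accounts whose breakout time is at or under `threshold`.

    The default of 30 minutes matches the bucket the report highlights;
    tune it to the environment's own baseline.
    """
    return sorted(
        account
        for account, bt in breakout_times(events).items()
        if bt is not None and bt <= threshold
    )


if __name__ == "__main__":
    for account, bt in breakout_times(SAMPLE_EVENTS).items():
        print(f"{account}: {bt if bt is not None else 'no lateral movement in sample'}")
    print("fast breakouts:", flag_fast_breakouts(SAMPLE_EVENTS))
```

Because the movement is done with valid credentials and built-in tools, there is no malicious file to match on; the signal is the account's behaviour over time, which is why a per-account view of logon events across hosts is a more useful starting point than per-host alerts.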
The report is based on data from CrowdStrike's customer base, which is indexed by Threat Graph, covering the period of July 1, 2020, through June 30, 2021.

Source: Mariam Baksh, "Report: Hackers Shift from Malware to Credential Hijacking," nextgov.com (Sep. 08, 2021).