Stealthy Kerberoasting attacks surge and lend support to latest ransomware trend
Kerberoasting techniques could be emerging as a viable alternative to traditional ransomware attacks, experts have warned
Security experts have warned of a resurgence in Kerberoasting attacks amid a period of evolving tactics for cyber crime groups.
Researchers at CrowdStrike recorded a 583% increase in Kerberoasting attacks over the last 12 months, highlighting a major surge in the volume of attacks waged by cyber criminal organizations.
Kerberoasting is far from an emerging attack method for cyber criminals; it has been used widely in the years since its inception, which is believed to be in 2014.
The attack method focuses specifically on compromising Kerberos authentication protocols, which are used on Windows devices to provide users with access to IT environments based on service principal names (SPNs), CrowdStrike said.
Attackers specifically aim to target and steal encrypted Kerberos tickets that contain authentication credentials, which can be brute-forced to uncover plaintext credentials.
This method is particularly effective, and if done correctly can offer cyber criminals the “keys to the kingdom”, according to Zeki Turedi, field CTO for EMEA at CrowdStrike.
Turedi told ITPro that the recent surge in Kerberoasting attacks can be partly attributed to the fact that enterprises globally operate “completely different infrastructures” compared to several years ago.
The influx of businesses to the cloud during the pandemic, combined with the continued use of IT estates laden with legacy kit, has prompted threat actors to capitalize on these techniques to gain access to IT environments.
“By using these attacks, you basically can get full access to the whole environment. So it's a really, really good means for criminal organizations to target a business and get the keys to the kingdom and be able to move across the infrastructure via cloud, or via physical or legacy types of architecture,” Turedi said.
“So, if they’re smart enough to utilize these techniques, they have a very high chance to have full reign over an IT infrastructure,” he added.
Turedi said that a key factor in the ongoing surge and successful use of Kerberoasting techniques is the difficulty organizations have in identifying whether they have been compromised off the back of an attack.
This method allows threat actors to essentially “fly under the radar” within IT environments and grants a degree of flexibility for intruders.
“It’s very hard for organizations to identify because of the legacy infrastructure being used and the sheer noise it creates,” he told ITPro. “So unless you really know what you're doing from a cyber security perspective, it's very, very hard to detect.”
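To make the detection problem concrete, the sketch below is an added example (not from CrowdStrike or the article) that picks a burst of service-ticket requests out of routine traffic. It assumes domain controllers log Windows Security event ID 4769 with the `TargetUserName`, `ServiceName` and `TicketEncryptionType` fields; the sample records, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType logged for RC4-HMAC service tickets

def _ev(ts, user, service, etype):
    return {"time": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample of event 4769 records (not real logs).
SAMPLE_EVENTS = [
    _ev("2023-08-01T09:00:05", "alice@CORP.EXAMPLE", "FILESRV01$", 0x12),
    _ev("2023-08-01T09:00:40", "bob@CORP.EXAMPLE", "svc_legacyapp", 0x17),
    _ev("2023-08-01T09:01:10", "WKS042$@CORP.EXAMPLE", "DC01$", 0x12),
    _ev("2023-08-01T09:02:00", "mallory@CORP.EXAMPLE", "svc_sql", 0x17),
    _ev("2023-08-01T09:02:01", "mallory@CORP.EXAMPLE", "svc_backup", 0x17),
    _ev("2023-08-01T09:02:02", "mallory@CORP.EXAMPLE", "svc_web", 0x17),
    _ev("2023-08-01T09:02:03", "mallory@CORP.EXAMPLE", "svc_legacyapp", 0x17),
    _ev("2023-08-01T09:03:30", "alice@CORP.EXAMPLE", "svc_sql", 0x12),
    _ev("2023-08-01T11:30:00", "bob@CORP.EXAMPLE", "svc_sql", 0x17),
    _ev("2023-08-01T14:10:00", "bob@CORP.EXAMPLE", "svc_web", 0x17),
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: [services]} for accounts that requested RC4 tickets
    for at least `min_services` distinct service accounts within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"] != RC4_HMAC:
            continue  # AES tickets make up most routine traffic
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and TGT service are not roastable targets
        per_account[ev["TargetUserName"]].append((ev["time"], svc))

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window so it spans at most `window` of time.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= min_services:
                flagged.setdefault(account, set()).update(services)
    return {acct: sorted(svcs) for acct, svcs in flagged.items()}

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

The RC4 filter only covers requests that downgrade the ticket encryption; where legacy applications legitimately use RC4, the window and threshold need tuning against the environment's own baseline.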
Running parallel with ransomware
Turedi said that the use of Kerberoasting attacks should be of particular concern for organizations because they can be used in parallel with ransomware activities, or as an alternative to traditional methods.
The typical tactic of encrypting and locking down systems, then demanding a ransom, can to an extent be disregarded in favor of this attack method.
Many security researchers, including CrowdStrike, have observed an uptick in encryptionless ransomware attacks this year - attacks that involve an element of ransoming victims, but without the use of encryptors or lockers.
Kerberoasting is a technique attackers have adopted to carry out these types of attacks too, with the data stolen then used to blackmail organizations into complying with ransom demands.
In all, Kerberoasting gives threat actors a broader variety of weapons in their arsenal, Turedi said.
“We are still seeing adversaries using the traditional disruption techniques to take ransoms - so encrypting systems, taking them offline, and then demanding a ransom,” he said.
“The interesting situation we’re in today is that the adversary now has multiple methods to threaten the victim. So, it could be data disruption, or it could be we’ve stolen your data and we’re going to leak it. The choices available to the e-crime group mean that, depending on the situation they’re in, they can go different ways, or both in some cases.”
This two-pronged approach of Kerberoasting and traditional ransomware attacks represents a major threat to organizations, especially given the speed at which threat actors are now able to compromise systems.
CrowdStrike’s Threat Hunting Report shows that adversary breakout times have now hit an average “all-time low” of just 79 minutes, marking a shift from 84 minutes in 2022.
The fastest breakout recorded over the last 12 months was just seven minutes, the report noted. With this in mind, Turedi said that many organizations simply cannot contend with the speed and sophistication of techniques now being employed by cyber criminal groups.
“We’re not dealing with one-trick-pony type of criminals anymore,” he said. “If we look at the breakout stats in the report, that’s a really good indication of that growing sophistication.
“That data shows that the adversary is getting quicker, they’re able to attack organizations quicker, and when you put that with the fact they’re using more complex techniques like Kerberoasting, that shows they’re getting far more sophisticated.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.