Stealthy Kerberoasting attacks surge and lend support to latest ransomware trend
Kerberoasting techniques could be emerging as a viable alternative to traditional ransomware attacks, experts have warned


Security experts have warned of a resurgence in kerberoasting attacks amid a period of evolving tactics for cyber crime groups.
Researchers at CrowdStrike recorded a 583% increase in Kerberoasting attacks over the last 12 months, highlighting a major surge in the volume of attacks waged by cyber criminal organizations.
Kerberoasting is far from an emerging attack method for cyber criminals; it has been used plenty in the years since its inception, which is believed to be in 2014.
The attack method focuses specifically on compromising Kerberos authentication protocols, which are used on Windows devices to provide users with access to IT environments based on service principal names (SPNs), CrowdStrike said.
Attackers specifically aim to target and steal encrypted Kerberos tickets that contain authentication credentials, which can be brute-forced to uncover plaintext credentials.
This method is particularly effective, and if done correctly can offer cyber criminals the “keys to the kingdom”, according to Zeki Turedi, field CTO for EMEA at CrowdStrike.
Turedi told ITPro that the recent surge in Kerberoasting attacks can be part-attributed to the fact that enterprises globally operate “completely different infrastructures” compared to several years ago.
The influx of businesses to the cloud during the pandemic, combined with the continued use of IT estates laden with legacy kit, has prompted threat actors to capitalize on these techniques to gain access to IT environments.
“By using these attacks, you basically can get full access to the whole environment. So it's a really, really good means for criminal organizations to target a business and get the keys to the kingdom and be able to move across the infrastructure via cloud, or via physical or legacy types of architecture,” Turedi said.
“So, if they’re smart enough to utilize these techniques, they have a very high chance to have full reign over an IT infrastructure,” he added.
Turedi said that a key factor in the ongoing surge and successful use of Kerberoasting techniques is the difficulty organizations have in identifying whether they have been compromised by such an attack.
This method allows threat actors to essentially “fly under the radar” within IT environments and grants a degree of flexibility for intruders.
“It’s very hard for organizations to identify because of the legacy infrastructure being used and the sheer noise it creates,” he told ITPro. “So unless you really know what you're doing from a cyber security perspective, it's very, very hard to detect.”
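The detection problem described above, as an added example that is not from the article or from CrowdStrike: a sketch that separates one account requesting RC4-encrypted service tickets for many services in a short burst from routine legacy traffic, using Windows Security Event ID 4769 (Kerberos service ticket requested) fields. The window, threshold, account names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # legacy etype; AES tickets show 0x11 / 0x12
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 3                   # assumed: distinct services per account per window

# Constructed Event ID 4769 records:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType)
EVENTS = [
    ("2023-08-01T09:00:05", "alice@CORP.EXAMPLE", "FILESRV01$", "0x12"),
    ("2023-08-01T09:00:40", "alice@CORP.EXAMPLE", "svc_legacyapp", "0x17"),
    ("2023-08-01T09:02:11", "carol@CORP.EXAMPLE", "svc_legacyapp", "0x17"),
    ("2023-08-01T09:14:02", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2023-08-01T09:14:09", "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2023-08-01T09:14:15", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    ("2023-08-01T09:14:20", "jdoe@CORP.EXAMPLE", "krbtgt", "0x12"),
    ("2023-08-01T09:14:31", "jdoe@CORP.EXAMPLE", "svc_sharepoint", "0x17"),
    ("2023-08-01T10:30:00", "carol@CORP.EXAMPLE", "svc_sql", "0x17"),
]

def parse(rec):
    ts, user, service, etype = rec
    return datetime.fromisoformat(ts), user.lower(), service, int(etype, 16)

def is_candidate(service, etype):
    # Skip krbtgt and computer accounts ("$" suffix): only requests for
    # user-backed service accounts with the legacy etype are of interest.
    return etype == RC4_HMAC and service.lower() != "krbtgt" and not service.endswith("$")

def find_roasting(records, window=WINDOW, threshold=THRESHOLD):
    """Return {account: [services]} for accounts that requested RC4 tickets
    for at least `threshold` distinct services inside one sliding window."""
    per_user = defaultdict(list)
    for ts, user, service, etype in sorted(map(parse, records)):
        if is_candidate(service, etype):
            per_user[user].append((ts, service))
    alerts = {}
    for user, hits in per_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window forward
            services = {s for _, s in hits[start:end + 1]}
            if len(services) >= threshold and len(services) > len(alerts.get(user, ())):
                alerts[user] = sorted(services)
    return alerts
```

On the sample data only `jdoe` is flagged; the single RC4 requests from `alice` and `carol` to a legacy application are the kind of background noise the threshold is meant to absorb.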
Running parallel with ransomware
Turedi said that the use of Kerberoasting attacks should be of particular concern for organizations due to the fact that they can be used in parallel with ransomware activities, or as an alternative to traditional methods.
The typical tactic of encrypting and locking down systems, then demanding a ransom can, to an extent, be disregarded in favor of this attack method.
Many security researchers, including CrowdStrike, have observed an uptick in encryptionless ransomware attacks this year - attacks that involve an element of ransoming victims, but without the use of encryptors or lockers.
Kerberoasting is a technique attackers have adopted to carry out these types of attacks too, with the data stolen then used to blackmail organizations into complying with ransom demands.
In all, Kerberoasting gives threat actors a broader variety of weapons in their arsenal, Turedi said.
“We are still seeing adversaries using the traditional disruption techniques to take ransoms - so encrypting systems, taking them offline, and then demanding a ransom,” he said.
“The interesting situation we’re in today is that the adversary now has multiple methods to threaten the victim. So, it could be data disruption, or it could be we’ve stolen your data and we’re going to leak it. The choices available to the e-crime group mean that, depending on the situation they’re in, they can go different ways, or both in some cases.”
This two-pronged approach of Kerberoasting and traditional ransomware attacks represents a major threat to organizations, especially given the speed at which threat actors are now able to compromise systems.
CrowdStrike’s Threat Hunting Report shows that adversary breakout times have now hit an average “all-time low” of just 79 minutes, marking a shift from 84 minutes in 2022.
The fastest breakout recorded over the last 12 months was just seven minutes, the report noted. With this in mind, Turedi said that many organizations simply cannot contend with the speed and sophistication of techniques now being employed by cyber criminal groups.
“We’re not dealing with one-trick-pony type of criminals anymore,” he said. “If we look at the breakout stats in the report, that’s a really good indication of that growing sophistication.
“That data shows that the adversary is getting quicker, they’re able to attack organizations quicker, and when you put that with the fact they’re using more complex techniques like Kerberoasting, that shows they’re getting far more sophisticated.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.