Stealthy Kerberoasting attacks surge and lend support to latest ransomware trend
Kerberoasting techniques could be emerging as a viable alternative to traditional ransomware attacks, experts have warned
Security experts have warned of a resurgence in Kerberoasting attacks amid a period of evolving tactics for cyber crime groups.
Researchers at CrowdStrike recorded a 583% increase in Kerberoasting attacks over the last 12 months, highlighting a major surge in the volume of attacks waged by cyber criminal organizations.
Kerberoasting is far from an emerging attack method for cyber criminals; it has been used plenty in the years since its inception, which is believed to be in 2014.
The attack method targets the Kerberos authentication protocol, which is used on Windows devices to grant users access to IT environments based on service principal names (SPNs), CrowdStrike said.
Attackers aim to steal encrypted Kerberos tickets that contain authentication credentials, which can be brute-forced to uncover plaintext credentials.
This method is particularly effective, and if done correctly can offer cyber criminals the “keys to the kingdom”, according to Zeki Turedi, field CTO for EMEA at CrowdStrike.
Turedi told ITPro that the recent surge in Kerberoasting attacks can be partly attributed to the fact that enterprises globally operate “completely different infrastructures” compared to several years ago.
The influx of businesses to the cloud during the pandemic, combined with the continued use of IT estates laden with legacy kit, has prompted threat actors to capitalize on these techniques to gain access to IT environments.
“By using these attacks, you basically can get full access to the whole environment. So it's a really, really good means for criminal organizations to target a business and get the keys to the kingdom and be able to move across the infrastructure via cloud, or via physical or legacy types of architecture,” Turedi said.
“So, if they’re smart enough to utilize these techniques, they have a very high chance to have full reign over an IT infrastructure,” he added.
Turedi said that a key factor in the ongoing surge and successful use of Kerberoasting techniques is the difficulty organizations have in identifying whether they have been compromised off the back of an attack.
This method allows threat actors to essentially “fly under the radar” within IT environments and grants a degree of flexibility for intruders.
“It’s very hard for organizations to identify because of the legacy infrastructure being used and the sheer noise it creates,” he told ITPro. “So unless you really know what you're doing from a cyber security perspective, it's very, very hard to detect.”
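To make the detection problem concrete, here is an added example (not from CrowdStrike or the original article) of one common way defenders cut through that noise: filtering Windows Event ID 4769 (Kerberos service ticket requested) for a single account requesting RC4-encrypted tickets to several distinct service accounts in a short window. The CSV layout, account names, threshold and window are assumptions chosen for illustration, and the sample events are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 4769 records exported as CSV (not real telemetry).
SAMPLE_4769 = """\
TimeCreated,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
2023-08-01T09:00:05,alice@CORP.EXAMPLE,FILESRV01$,0x12,10.0.0.21
2023-08-01T09:01:10,bob@CORP.EXAMPLE,svc-sql,0x12,10.0.0.22
2023-08-01T09:02:00,mallory@CORP.EXAMPLE,svc-sql,0x17,10.0.0.66
2023-08-01T09:02:03,mallory@CORP.EXAMPLE,svc-web,0x17,10.0.0.66
2023-08-01T09:02:07,mallory@CORP.EXAMPLE,svc-backup,0x17,10.0.0.66
2023-08-01T09:02:09,mallory@CORP.EXAMPLE,svc-sharepoint,0x17,10.0.0.66
2023-08-01T09:30:00,carol@CORP.EXAMPLE,svc-legacy,0x17,10.0.0.23
2023-08-01T11:45:00,carol@CORP.EXAMPLE,svc-web,0x17,10.0.0.23
"""

RC4_HMAC = 0x17  # legacy etype 23; modern domains normally issue AES (0x11/0x12)


def parse_events(text):
    """Yield (time, requester, service, etype) tuples from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (datetime.fromisoformat(row["TimeCreated"]),
               row["TargetUserName"].lower(),
               row["ServiceName"].lower(),
               int(row["TicketEncryptionType"], 16))


def find_roasting_candidates(events, min_services=3, window=timedelta(minutes=10)):
    """Return {requester: sorted services} where one account asked for RC4
    tickets to >= min_services distinct user-run services inside `window`."""
    per_user = defaultdict(list)
    for when, requester, service, etype in events:
        # Drop the noise: AES tickets, machine accounts ($) and krbtgt.
        if etype != RC4_HMAC or service.endswith("$") or service == "krbtgt":
            continue
        per_user[requester].append((when, service))
    hits = {}
    for requester, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {s for t, s in reqs[i:] if t - start <= window}
            if len(seen) >= min_services:
                hits[requester] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for user, services in find_roasting_candidates(parse_events(SAMPLE_4769)).items():
        print(f"{user}: {len(services)} RC4 service tickets -> {services}")
```

In environments where legacy applications still legitimately request RC4 tickets, the threshold and window need tuning against a baseline before this is useful as an alert.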
Running parallel with ransomware
Turedi said that the use of Kerberoasting attacks should be of particular concern for organizations because they can be used in parallel with ransomware activities, or as an alternative to traditional methods.
The typical tactic of encrypting and locking down systems, then demanding a ransom, can to an extent be disregarded in favor of this attack method.
Many security researchers, including CrowdStrike, have observed an uptick in encryptionless ransomware attacks this year - attacks that involve an element of ransoming victims, but without the use of encryptors or lockers.
Kerberoasting is a technique attackers have adopted to carry out these types of attacks too, with the data stolen then used to blackmail organizations into complying with ransom demands.
In all, Kerberoasting gives threat actors a broader variety of weapons in their arsenal, Turedi said.
“We are still seeing adversaries using the traditional disruption techniques to take ransoms - so encrypting systems, taking them offline, and then demanding a ransom,” he said.
“The interesting situation we’re in today is that the adversary now has multiple methods to threaten the victim. So, it could be data disruption, or it could be we’ve stolen your data and we’re going to leak it. The choices available to the e-crime group mean that, depending on the situation they’re in, they can go different ways, or both in some cases.”
This two-pronged approach of Kerberoasting and traditional ransomware attacks represents a major threat to organizations, especially given the speed at which threat actors are now able to compromise systems.
CrowdStrike’s Threat Hunting Report shows that adversary breakout times have now hit an average “all-time low” of just 79 minutes, marking a shift from 84 minutes in 2022.
The fastest breakout recorded over the last 12 months was just seven minutes, the report noted. With this in mind, Turedi said that many organizations simply cannot contend with the speed and sophistication of techniques now being employed by cyber criminal groups.
“We’re not dealing with one-trick-pony type of criminals anymore,” he said. “If we look at the breakout stats in the report, that’s a really good indication of that growing sophistication.
“That data shows that the adversary is getting quicker, they’re able to attack organizations quicker, and when you put that with the fact they’re using more complex techniques like Kerberoasting, that shows they’re getting far more sophisticated.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.