Identity lapses ensnared organizations at scale in 2024 – CyberScoop

Cybercriminals predominantly relied on weaknesses in identity controls to afflict organizations in 2024, with valid accounts being the main way they gained access for the second year in a row, Cisco Talos said in an annual report released Monday.
Across the incident response cases Cisco Talos responded to last year, 60% involved an identity attack component, researchers said. Attackers used legitimate credentials, session cookies and API keys to gain access, move laterally and escalate privileges within compromised environments.
Identity is a recurring problem for enterprises, reflecting a widespread deficiency attackers have identified in business infrastructure and targeted at scale with great success. This method of intrusion triggers malicious follow-on activities with attackers confronting minimal resistance or detection because the traffic originates from presumably legitimate accounts.
Identity attacks were ubiquitous in the incidents Cisco Talos responded to last year, but the harm dealt to organizations was especially pronounced in ransomware attacks. Half of all identity-based attacks Cisco Talos responded to last year were ultimately executed for ransomware or pre-ransomware operations.
“In many cases, it’s much easier and safer for adversaries to simply log in to legitimate user accounts using stolen credentials than to use more complex means like exploiting vulnerabilities or deploying malware,” Cisco Talos researchers said in the report.
Cybercriminals also used identity-based attacks to steal credentials for illicit sales to initial access brokers in nearly a third of the incidents Cisco Talos investigated last year. Data theft for future espionage or malicious activity was observed in 10% of these cases, and financial fraud was the ultimate goal in 8% of these attacks, the report said.
Cisco Talos researchers found that organizations often fail to properly secure Active Directory, a widely used authentication service containing critical enterprise access information. Threat groups targeted Active Directory in 44% of identity-based attacks.
Many of the successful attacks involving compromised Active Directory environments occurred in enterprise systems with misconfigured security products or insufficient security policies.
Cisco Talos frequently encountered organizations with excessive or incorrect privileges, accounts with weak or default passwords and missing or misconfigured multifactor authentication.
MFA weaknesses were the leading deficiency observed by Cisco Talos last year. Across all of the compromised organizations the incident response firm assisted in 2024, 24% were not enrolled in MFA, 22% didn’t have the security measure fully enabled and 19% lacked MFA on virtual private network services.
These structural security lapses opened a clear path for cybercriminals to carry out widespread ransomware activity. Financially motivated threat groups used valid accounts for initial access in 69% of the ransomware attacks Cisco Talos responded to last year.
Cisco Talos said its annual report is based on data it received from more than 46 million devices globally.