IT Brief Australia - Technology news for CIOs & IT decision-makers

CrowdStrike report reveals rise in cyber threats & intrusions

Wed, 21st Aug 2024

CrowdStrike has released its annual Threat Hunting Report for 2024, revealing significant trends in cyber threats, particularly the continued sophistication of nation-state and eCrime adversaries. The report sheds light on the exploitation of legitimate credentials to breach security systems and evade detection.

According to the findings, adversaries linked to North Korea, notably the group identified as FAMOUS CHOLLIMA, have infiltrated over 100 primarily U.S.-based technology companies. These infiltrations were carried out through a scheme involving malicious insiders who used falsified or stolen identity documents to secure employment as remote IT staff. Through this method, they gained access to sensitive data and engaged in various forms of malicious activities.

Further underlining the report's findings, a Tennessee man was apprehended by the Justice Department last week. He is accused of being involved in a FAMOUS CHOLLIMA scheme that aimed to help North Korean IT workers secure remote positions at Fortune 500 companies, thereby facilitating their access to critical corporate networks.

The report also highlighted a substantial 55% increase in hands-on-keyboard intrusions, in which adversaries interact directly with compromised systems, mimicking legitimate users and bypassing traditional security measures. Significantly, 86% of these intrusions were attributed to eCrime adversaries, with notable increases in the healthcare sector (75%) and the technology sector (60%). The technology sector has been the most targeted for seven consecutive years.

Additionally, the abuse of Remote Monitoring and Management (RMM) tools has surged by 70%, with adversaries such as CHEF SPIDER (eCrime) and STATIC KITTEN (linked to Iran) misusing these tools. Legitimate RMM applications like ConnectWise ScreenConnect have been exploited for endpoint breaches, contributing to 27% of all hands-on-keyboard intrusions.
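RMM abuse is hard to spot with signature-based controls because the binary is a legitimate, signed product. A defender's starting point is therefore context: which hosts are supposed to run which RMM product, and where the agent is supposed to live on disk. The script below is an added illustration of that check over process-creation telemetry; it is not CrowdStrike's or IT Brief's code. The event schema, hostnames, paths, the executable list and the sanctioned-host allowlist are all constructed for the example.

```python
"""Flag unsanctioned Remote Monitoring and Management (RMM) tool activity in
endpoint process-creation telemetry.

Added illustration, not the report's or the publisher's code. The event
format, hostnames, paths and the allowlists below are constructed.
"""
import json

# Executable names of some RMM products (constructed list; extend with what
# your environment actually deploys).
RMM_EXECUTABLES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "atera.agent.exe": "Atera",
}

# Hosts on which a given product is expected (constructed). Any other host
# running it is treated as unsanctioned.
SANCTIONED = {
    "ConnectWise ScreenConnect": {"helpdesk-01", "helpdesk-02"},
}

# Directories a properly installed agent normally runs from (constructed).
EXPECTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)")

SAMPLE_EVENTS = [  # constructed process-creation events
    {"host": "helpdesk-01", "user": "svc_helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "finance-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"host": "finance-07", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "eng-22", "user": "asmith",
     "image": r"C:\Users\asmith\Downloads\AnyDesk.exe"},
]


def classify(event):
    """Return a finding for an RMM process, or None for anything else."""
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    product = RMM_EXECUTABLES.get(exe)
    if product is None:
        return None
    reasons = []
    if event["host"] not in SANCTIONED.get(product, set()):
        reasons.append("host not sanctioned for this RMM product")
    if not image.startswith(EXPECTED_PREFIXES):
        reasons.append("launched outside the expected install directory")
    return {"host": event["host"], "user": event["user"], "product": product,
            "severity": "high" if reasons else "info", "reasons": reasons}


def hunt(events):
    """Keep only findings a threat hunter should look at: RMM activity on an
    unsanctioned host or from an unusual path. Sanctioned, well-placed agents
    are classified but not surfaced."""
    return [f for f in map(classify, events) if f and f["reasons"]]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The allowlist is the important part: an RMM agent on a helpdesk workstation under Program Files is business as usual, while the same binary in a finance user's Temp directory is exactly the pattern the report's 27% figure describes. In a real deployment the sanctioned-host map would come from the asset inventory rather than a literal in the script.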

Cross-domain attacks have been another significant area of concern. In these attacks threat actors use valid credentials to breach cloud environments and then pivot to endpoints. Because each domain observes only a fragment of the activity, such techniques leave minimal traces in any individual domain, making detection challenging.

Cloud-focused adversaries, exemplified by SCATTERED SPIDER (eCrime), are reportedly using social engineering tactics, policy alterations, and access to password managers to infiltrate cloud systems. These actors exploit the connections between the cloud control plane and endpoints to move laterally, ensure persistence, and extract data.
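The detection difficulty described in the two paragraphs above is that each event, viewed inside its own domain, looks like a valid user doing ordinary things: a successful sign-in, a policy change by an administrator, an interactive logon on a server. The chain only becomes visible when cloud and endpoint telemetry are merged per identity. The code below is an added example of that correlation, not CrowdStrike's or IT Brief's code. The event schemas, user names, hosts, IP addresses, timestamps and the "known IPs" and "usual hosts" baselines are all constructed; in practice the baselines would be learned from historical telemetry.

```python
"""Correlate cloud control-plane events with endpoint events per identity to
surface a cross-domain intrusion chain: sign-in from an unfamiliar address,
followed by a control-plane change, followed by a logon on an unfamiliar host.

Added example, not the report's or the publisher's code. All records and
baselines below are constructed.
"""
from datetime import datetime, timedelta

# Baselines (constructed): where each identity normally signs in from and
# which endpoints it normally uses.
KNOWN_IPS = {"j.lee": {"203.0.113.10"}, "m.ortiz": {"203.0.113.22"}}
USUAL_HOSTS = {"j.lee": {"ws-lee"}, "m.ortiz": {"ws-ortiz"}}

# Cloud actions that alter or extend access rather than merely use it.
CONTROL_PLANE = {"mfa_policy_update", "remote_session_start", "role_assignment"}


def t(s):
    """Parse the constructed timestamps ("2024-08-20T09:15") into datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


CLOUD_EVENTS = [  # constructed identity-provider / cloud audit records
    {"ts": t("2024-08-20T09:02"), "domain": "cloud", "user": "j.lee", "action": "signin", "src_ip": "203.0.113.10"},
    {"ts": t("2024-08-20T13:41"), "domain": "cloud", "user": "m.ortiz", "action": "signin", "src_ip": "198.51.100.77"},
    {"ts": t("2024-08-20T13:48"), "domain": "cloud", "user": "m.ortiz", "action": "mfa_policy_update", "src_ip": "198.51.100.77"},
    {"ts": t("2024-08-20T13:55"), "domain": "cloud", "user": "m.ortiz", "action": "remote_session_start", "src_ip": "198.51.100.77"},
]
ENDPOINT_EVENTS = [  # constructed endpoint sensor records
    {"ts": t("2024-08-20T09:05"), "domain": "endpoint", "user": "j.lee", "action": "interactive_logon", "host": "ws-lee"},
    {"ts": t("2024-08-20T14:10"), "domain": "endpoint", "user": "m.ortiz", "action": "interactive_logon", "host": "srv-files-03"},
]


def find_chain(user, timeline, known_ips, usual_hosts, window):
    """Scan one identity's time-ordered, cross-domain timeline and return the
    first sign-in -> control-plane change -> unfamiliar-endpoint logon chain
    that fits inside `window`, or None."""
    for i, start in enumerate(timeline):
        if start["domain"] != "cloud" or start["action"] != "signin":
            continue
        if start["src_ip"] in known_ips.get(user, set()):
            continue  # familiar address: not treated as a chain's start
        control_change = None
        for ev in timeline[i + 1:]:
            if ev["ts"] - start["ts"] > window:
                break
            if ev["domain"] == "cloud" and ev["action"] in CONTROL_PLANE and control_change is None:
                control_change = ev
            elif (control_change is not None and ev["domain"] == "endpoint"
                  and ev["action"] == "interactive_logon"
                  and ev["host"] not in usual_hosts.get(user, set())):
                return {"user": user, "src_ip": start["src_ip"], "endpoint": ev["host"],
                        "chain": [start["action"], control_change["action"], ev["action"]],
                        "span_minutes": int((ev["ts"] - start["ts"]).total_seconds() // 60)}
    return None


def correlate(cloud_events, endpoint_events, known_ips=KNOWN_IPS,
              usual_hosts=USUAL_HOSTS, window_minutes=90):
    """Merge both domains' events by identity, then look for a chain per user."""
    by_user = {}
    for ev in sorted(cloud_events + endpoint_events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, timeline in by_user.items():
        chain = find_chain(user, timeline, known_ips, usual_hosts, window)
        if chain:
            findings.append(chain)
    return findings


if __name__ == "__main__":
    for finding in correlate(CLOUD_EVENTS, ENDPOINT_EVENTS):
        print(finding)
```

The rule deliberately requires all three stages in order and inside one window: the sign-in alone is a valid credential, the policy change alone is an admin action, and the server logon alone is a user on a new host. Tuning the window and the baselines is what separates this from noise; the `window_minutes` argument exists so that trade-off can be tested rather than hard-coded.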

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commented on the evolving threat landscape: "For over a decade, we’ve vigilantly tracked the most prolific hacktivist, eCrime, and nation-state adversaries. In tracking nearly 250 adversaries this past year, a central theme emerged—threat actors are increasingly engaging in interactive intrusions and employing cross-domain techniques to evade detection and achieve their objectives. Our comprehensive, human-led threat hunting directly informs the algorithms that power the AI-native Falcon platform, ensuring that we stay ahead of these evolving threats and continue to deliver the industry's most effective cybersecurity solutions."
