Abuse of valid accounts by threat actors hits a high, says IBM

For years, cybersecurity experts have been warning organizations of the importance of identity and access management processes — including password management and protection against compromise of multifactor authentication — to secure IT assets.

A new report from IBM, released Wednesday, suggests failure to do that is increasingly costing firms badly.

Abusing valid accounts was in a three-way tie as the most common way threat actors entered organizations’ IT environments in incidents that IBM’s X-Force intelligence service investigated in 2023.

Graphic from IBM X-Force 2024 report
Source: IBM

It represented 30 per cent of initial entry vectors for incidents studied, tying with phishing. Exploiting public-facing applications was right up there, with 29 per cent of incidents.

The position of abusing valid accounts is even more notable because it was quite a jump over 2022’s report, when it was the initial access vector of 16 per cent of incidents looked at that year.

Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives, says the report.

“In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns,” it noted.

“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available—and easily accessible—on the dark web.”

Researchers found that cloud account credentials alone make up 90 per cent of cloud assets for sale on the dark web. That, the report says, makes it easy for threat actors to take over legitimate user identities to establish access into IT environments. Attacker use of valid accounts as an initial access vector appears to have a significant impact on the required response efforts as well, the report adds.

Another related significant finding: A 100 per cent increase in “Kerberoasting.” It’s a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations, the report notes.

Perhaps no coincidence, researchers saw a 266 per cent increase in the use of information stealers — which steal credentials as well as other computer information — by threat actors last year.

In nearly 85 per cent of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege.

Among Canadian data pulled from the numbers gathered by IBM, half of attacks here were against the government sector. Compared to other countries, Canada had the most security incidents on government entities responded to by X-Force.

The IBM X-Force Threat Intelligence Index 2024 report is available here. Registration is required.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.