IBM sees global identity crisis emerging: every third attack abused valid accounts

Cyberattackers have shifted their focus from phishing to abusing valid accounts, which became the cause of one in three attacks globally in 2023, a new X-Force Threat Intelligence Index report reveals. Infostealing malware saw triple-digit growth.

Last year, X-Force, which is IBM’s security research team, observed a big shift in cyberattacker behavior – they increasingly targeted people’s identities. For the first time ever, attacks using valid credentials represented almost a third of all incidents that X-Force had to respond to. That’s a 71% increase in the volume of such attacks.

“In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns,” the IBM report reads.

“Attackers have a historical inclination to choose the path of least resistance.”

This trend is reinforced by a 266% increase in infostealing malware and a 100% increase in so-called “Kerberoasting” attacks for extracting password hashes. All that also indicates that attackers are investing in resourceful ways to impersonate users and escalate privileges.

“This multifaceted shift underscores the symbiotic relationship among various elements in the cybercrime ecosystem.”

Each attack where attackers leverage a valid account for initial access is more complex to defend against. To be exact, major incidents with valid identities required 190% greater response measures by defenders in 2023 compared to average incidents. Attackers have recognized the difficulty in distinguishing legitimate logins from unauthorized misuse.

The “newly-found focus on identities highlights organizations’ risks that exist on devices outside of their visibility. Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores, or accessing enterprise accounts directly from personal devices,” the IBM Security X-Force Threat Intelligence team warns.

Lack of identity protections doesn’t help, as identification and authentication failures were the second most common among organizations.

The speed of intrusions has also increased due to effective, repeatable attack paths.

Phishing attacks, whether through an attachment, link, or as a service, also comprised 30% of all incidents. However, that reflects a 44% decrease in volume compared to 2022, as cybercriminals shift focus and defenders improve their mitigation techniques.


Phishing attacks might bounce back due to AI implementations.

“It’s worth noting that X-Force assesses that phishing is expected to be one of the first malicious use cases of AI that cybercriminals will invest in, theorizing that it’s far from done scaling. In fact, X-Force data shows that AI can generate a deceptive phish in 5 minutes, a potential time savings of nearly two days for attackers,” researchers write.

Overall, last year, Europe ranked first, experiencing the highest number of cybersecurity incidents globally, accounting for 32% of total incidents. North America was the second most impacted region globally, with a 26% share.

Ransomware in decline

Ransomware remained the most common action that threat actors took on victims' networks, as evident in 20% of cases.

However, in total, ransomware attacks on enterprises saw a nearly 12% drop last year, as larger organizations opted against paying and decrypting in favor of rebuilding their infrastructure, according to IBM.

“This drop is likely to impact adversaries’ revenue expectations from encryption-based extortion,” the researchers said.

That contributes to a 266% upsurge in the use of infostealers.

“X-Force has observed threat groups who have previously specialized in ransomware showing increasing interest in infostealers. And a number of prominent new infostealers recently debuted and demonstrated increased activity in 2023, such as Rhadamanthys, LummaC2, and StrelaStealer.”

While zero-day vulnerabilities garner notoriety, the reality is that they make up a very small percentage of the vulnerability attack surface – just 3% of total vulnerabilities tracked by X-Force.

Last year, only 172 new zero-day vulnerabilities were discovered, which is a 72% drop.

“Although X-Force observed a notable drop in ransomware attacks on enterprises in 2023, extortion-based attacks continue to be a driving force of cybercrime this past year. These extortion-based attacks were only surpassed by data theft and leak as the most common impact observed in X-Force incident response engagements globally,” the report reads.

Attacks on generative AI are not profitable enough – yet

X-Force hasn’t been able to confirm the use of gen AI in current malicious campaigns.

“Despite looming gen AI-enabled threats, X-Force hasn’t observed any concrete evidence of generative AI-engineered cyberattacks to date or a rapid shift in attackers’ goals and objectives from previous years.”

While attackers are showing some interest in how AI can optimize their attacks, analysis suggests a lack of incentives to attack the AI models themselves.

Researchers expect that when a single generative AI technology approaches 50% market share or when the market consolidates to three or fewer technologies, it will trigger at-scale attacks against these platforms.

“Based on the analysis, X-Force predicts threat actors will begin to target AI broadly once the market coalesces around common deployment models and a small number of vendors,” researchers said.
