Cloud: beware of credentials!

Dec 5, 2022 | Cloud

In its “Global Threat Report” for 2022, Elastic highlights the weaknesses around credential access.

Human error is the biggest risk to cloud security. For Elastic, the danger in the cloud lies in credentials: 33% of attacks in the cloud are said to rely on credential access. This indicates that users often overestimate the security of their cloud environments and therefore fail to configure and protect them properly.

In its study, Elastic also reports that nearly 57 percent of cloud security telemetry comes from AWS, compared to 22 percent from Google Cloud and 21 percent from Azure. On AWS, more than 74 percent of alerts are related to credential access, initial access and persistence tactics. Of these, nearly 57% of the techniques used involve attempts to steal application access tokens, which is one of the most common forms of credential theft in the cloud. On Google Cloud, nearly 54% of alerts are related to service account breaches, and 52% of the techniques rely on account manipulation. This shows that service accounts are still being compromised at a rapid rate when their default credentials are not changed. On Azure, over 96% of alerts are related to authentication events, and 57% of the techniques target valid accounts in an attempt to retrieve OAuth2 tokens. A total of 58% of initial access attempts use a mix of traditional brute-force attempts and password spraying with previously compromised passwords.

Commercial software as a gateway to the information system

Malicious users also exploit commercial software designed to assist security teams, outside the oversight of those same teams. While commercial attack simulation software such as CobaltStrike helps many teams strengthen the defenses of their environments, it is also being used by malicious users to implant malware at scale. According to Elastic Security Labs’ findings, CobaltStrike was the most widespread malicious payload or binary on Windows endpoints, accounting for 35 percent of all detections, compared to 25 percent for AgentTesla and 10 percent for RedLineStealer.

More than 54 percent of all global malware infections were detected on Windows endpoints, while more than 39 percent were detected on Linux endpoints. Nearly 81 percent of the malware observed around the globe is Trojan-based, followed by cryptominers at 11 percent. MacKeeper ranked as the top threat to macOS with nearly 48 percent of all detections, with XCSSet taking second place with nearly 17 percent.

Endpoint attacks are diversifying

The Elastic report also indicates that malicious users are using more than 50 endpoint infiltration techniques. This suggests that endpoint security is effective, since its sophistication pushes malicious users to keep finding new attack methods to achieve their goals. Three MITRE ATT&CK tactics account for 66% of all endpoint infiltration techniques. A total of 74% of all defense evasion techniques consisted of masquerading (44%) and system binary proxy execution (30%). Thus, in addition to bypassing security tools, defense evasion techniques also evade the systems that provide visibility, resulting in longer threat detection times.

Of the execution techniques observed, 59% are related to command and native scripting interpreters, while 40% involve abuse of Windows Management Instrumentation. In other words, malicious users exploit PowerShell, Windows Script Host and Windows shortcut files to execute commands, scripts or binary files.

Nearly 77% of all credential access techniques involve dumping operating system credentials using well-known utilities. This trend is in line with malicious users’ attempts to rely on valid accounts to avoid attracting the attention of administrators in hybrid deployment environments that combine on-premises hosting and cloud service providers.

Toward defense evasion tactics

While malicious users have traditionally focused on techniques that target credential access, they are now investing in defense evasion tactics, an evolution that demonstrates their adaptation to improvements in the security technologies that prevent them from achieving their goals. When they combine these with execution techniques, malicious users are able to bypass advanced endpoint controls without being detected within enterprise environments. “Enterprises need more than just good security software,” concludes Ken Exner, director of products, Elastic. “They need to have a program that encompasses shared actionable intelligence, but also best practices and a community focused on security data intelligence so that their customers can also leverage the value of their tool in place…”