Cybercriminals increasingly are using stolen identities to compromise enterprise systems rather than trying to hack into them, a trend that promises to increase in the coming years, according to IBM’s X-Force threat intelligence team.

This push by threat groups to get the necessary information to sign into systems is seen in a number of areas, from the massive amounts of credentials and other personal information available on the dark web to a 266% year-over-year increase in 2023 in malware designed to steal such personal identifiable information as emails, social media and messaging app credentials, banking details, and cryptocurrency wallet data, according to IBM.

Such attacks also are more difficult for defenders to detect, making it longer and more costly for organizations to combat them.

“Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives,” the authors of the 2024 X-Force Threat Intelligence Index wrote. “In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns.”

Overall, X-Force in 2023 saw a 71% increase in the volume of attacks that used valid credentials to gain access into enterprises, with such attacks for the first time tying phishing as the preferred method for initial access. Both accounted for 30% of the top initial access vectors, followed closely by exploiting public-facing applications at 29%.

“It’s clear that attackers have recognized the difficulty defenders have in distinguishing between legitimate identity use and unauthorized misuse,” the report’s authors wrote. “This escalation in targeting of identities in cyberattacks underscores the critical importance for organizations to proactively identify, eliminate and audit potential attack vectors within their dynamic networks.”

Ransomware Down, AI Attacks on the Way

The continuing shift toward identities rather than hacking was one of several highlights of the report. Others included an 11.5% reduction in the number of enterprise ransomware incidents, though cases of data theft and leak rose 32% of all attacks, making it “the most common impact for organizations, indicating more groups are favoring this method to obtain financial gains,” they wrote.

In addition, almost 70% of attacks involved critical infrastructure and the AI technology market needs to mature before it is seen as a significant attack surface and garners more attention from bad actors.

The surge in using valid credentials gives a glimpse into how the cyberthreat world in some ways works in unison.

“This access technique is accompanied by an upsurge in malware designed to steal information, known as infostealer malware, activities that bolster the dark web’s stolen credentials marketplace,” the report’s authors wrote. “This multifaceted shift underscores the symbiotic relationship among various elements in the cybercrime ecosystem.”

They pointed to the FBI takedown last year of Genesis Market, a darknet online marketplace that offered access to 1.5 million compromised computers through more than 80 million stolen account access credentials.

Credential Attacks Burden Security Teams

The burden of credential-driven attacks on enterprises is growing, according to IBM. Major incidents caused by attackers using valid accounts required nearly 200% more complex response measures by security teams than the average incident because defenders need to separate between the activity of legitimate users and attackers on the network. In addition, IBM noted in its 2023 Cost of a Data Breach Report that breaches caused by stolen or compromised credentials needed about 11 months to detect and recover from, a response lifecycle that is longer than any other attack vector.

In the latest report, IBM said that 32% of incidents that X-Force responded to involved the use of legitimate tools by threat actors, including credential theft, reconnaissance, remote access, or data exfiltration.

“While ‘security fundamentals’ doesn’t get as many head turns as ‘AI-engineered attacks,’ it remains that enterprises’ biggest security problem boils down to the basic and known – not the novel and unknown” Charles Henderson, global managing partner of IBM Consulting and head of X-Force, said in a statement. “Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.”

That trend has been seen by other security pros. Last month, researchers with Laminar Security wrote that double-extortion ransomware groups are increasingly using stolen credentials to get into targeted networks, noting that more than 24 billion username and password combinations are available on cybercriminal marketplaces.

“Gone are the days when adversaries had to sift through hundreds of lines of code to penetrate a network,” they wrote. “Today’s bad actors don’t break in; they log in.”

Ransomware and Extortion

The shift from ransomware to extortion appears to be reflected in IBM’s numbers, which showed a drop in ransomware incidents but an increase in data theft and leaks. Laminar wrote that the number of double-extortion attacks – where the attacker not only encrypts data but also steals it to put more pressure on victims to pay the ransom – in 2023 increased by 120%.

In addition, Delinea in its own report in January found that 64% of security pros surveyed said the motivation behind ransomware attacks shifted from a money grab typical with data encryption campaigns to data extortion.

IBM also noted that some ransomware groups are adding infostealing to their arsenals.

Regarding generative AI, bad actors have yet to see a significant ROI. That ROI – along with a rise in attacks on AI platforms – will come when there is some market dominance, either in the form of a single AI technology approaching 50% market share or when the market consolidates to three or fewer technology. Only then will cybercriminals “be incentivized to invest in developing tools and attack paths targeting AI technologies,” the report said.