Malicious logins from suspicious infrastructure fuel identity-based incidents

69% of identity-based incidents involved malicious logins from suspicious infrastructure, that is, hosting providers or proxies that are not expected for a given user or organization, according to Expel.
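One way to operationalize that definition as a detection, added here as an example rather than Expel's own tooling: enrich each successful login with an ASN category and flag hosting or proxy sources that are not part of the user's known baseline. The log lines, the network-to-ASN table and the per-user baselines are constructed for illustration.

```python
"""Flag successful logins from hosting/proxy infrastructure that a user
does not normally log in from. Constructed data; not Expel's code."""
import ipaddress

# Constructed ASN enrichment table: network -> (ASN name, category).
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("ExampleISP Residential", "isp"),
    ipaddress.ip_network("198.51.100.0/24"): ("ExampleHost Cloud", "hosting"),
    ipaddress.ip_network("192.0.2.0/24"): ("ExampleProxy VPN", "proxy"),
}
SUSPICIOUS_CATEGORIES = {"hosting", "proxy"}

# Constructed login events in a simple key=value format.
LOG_LINES = [
    "2023-05-01T08:02:11Z user=alice ip=203.0.113.7 result=success",
    "2023-05-01T08:15:40Z user=bob ip=198.51.100.9 result=success",
    "2023-05-01T09:01:02Z user=alice ip=192.0.2.55 result=success",
    "2023-05-01T09:07:30Z user=carol ip=198.51.100.20 result=failure",
    "2023-05-01T09:12:00Z user=dave ip=10.0.0.5 result=success",
]

def enrich(ip):
    """Return (asn_name, category) for an IP; unmatched networks are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE.items():
        if addr in net:
            return info
    return ("unknown", "unknown")

def parse(line):
    """Parse 'timestamp key=value ...' into a dict with a 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def find_suspicious_logins(lines, expected_asns):
    """expected_asns maps user -> set of ASN names seen in that user's baseline.
    A successful login from a hosting/proxy ASN outside the baseline is flagged;
    an ASN the user is known to use (e.g. a corporate VPN) is not."""
    alerts = []
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue  # failed attempts are noise for this particular rule
        asn, category = enrich(ev["ip"])
        if category in SUSPICIOUS_CATEGORIES and asn not in expected_asns.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], ev["ip"], asn))
    return alerts

if __name__ == "__main__":
    # bob's hosting ASN is in his baseline, so only alice's proxy login fires.
    print(find_suspicious_logins(LOG_LINES, {"bob": {"ExampleHost Cloud"}}))
```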

Figure: identity incidents volume

Identity-based incidents accounted for 64% of all incidents investigated by the Expel SOC, a volume increase of 144% from 2022 to 2023.

Phishing-as-a-service drives identity-based incidents

The increased volume of identity incidents directly results from more phishing platforms becoming available on the dark market. “Phishing-as-a-service (PhaaS)” platforms allow a buyer to quickly deploy convincing credential harvesters for a phishing campaign.

Several of these harvesters can pre-fill the intended victim’s email address and load the appropriate branding and background for the target organization’s login page, making them look convincingly like the expected login page.

“While data drives the trends detailed in this report, it is the intuition that human teams bring to the fight that makes this resource so valuable,” said Daniel Clayton, VP, Security Operations at Expel. “We know that our analysts, empowered by the right technology and effective processes, bring a level of expertise to the table that allows them to protect diverse and varied customers. We hope the intel in this report helps other operators, as collaborative information sharing is the best weapon we have to improve security operations and topple our common adversaries.”

The Expel SOC noted a 72% increase in cloud infrastructure incidents. Two in five incidents were caused by exposed credentials that allowed attackers to maintain access to the environment. 96% of those incidents occurred in AWS, and the remaining 4% were split evenly between Google Cloud Platform (GCP) and Microsoft Azure. As cloud adoption continues, attackers are exploiting cloud misconfigurations to gain access to environments.

A common misconfiguration of Amazon Cognito (AWS Cognito) allows attackers to gain direct access, for example by creating new accounts that are granted excessive permissions.

The rise of QR code phishing

Attackers are turning to script-based files for pre-ransomware initial access, including JavaScript (39%), EXE (20%), and LNK (12%), amongst others. Pre-ransomware accounted for 57% of the malware incidents investigated. The most frequent malware cases that we classified as pre-ransomware—Gootloader (17%), Qakbot (12%), and SocGholish (11%)—were also the top pre-ransomware threats we reported on in both 2021 and 2022. The skilled actors behind these threats have been active for a while, and they aren’t slowing down.

Expel analysts noted a rise in the abuse of QR codes for phishing in 2023. When a phishing lure carries a plain URL, the user opens the malicious domain from the org’s managed endpoint, where operators can block the connection with multiple technologies. With a QR code, however, the activity moves off the workstation and onto the user’s mobile device—making this an attractive technique for attackers.

“Expel’s operators face off against some of the most sophisticated cyber threats across industries, granting them front-line visibility into how these attacks and attackers constantly shift and evolve,” said Dave Merkel, CEO at Expel. “It’s our responsibility to share the knowledge gleaned from our analysts’ daily experiences with the larger security community as we fight the good fight, together.”
