{
	"id": "c35aec1a-e7d2-48e3-b1f9-fd80a9112aed",
	"created_at": "2026-04-06T00:14:05.148941Z",
	"updated_at": "2026-04-10T03:27:59.38621Z",
	"deleted_at": null,
	"sha1_hash": "7d562c16fe968e0ba83fa27d24b2c43dab3869c0",
	"title": "CrowdStrike observes massive spike in identity-based attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466192,
	"plain_text": "CrowdStrike observes massive spike in identity-based attacks\r\nBy Alexander Culafi\r\nPublished: 2023-08-08 · Archived: 2026-04-02 12:39:32 UTC\r\nIdentity-based attacks like Kerberoasting saw massive increases over the last 12\r\nmonths as adversary breakout time fell, according to CrowdStrike's 2023 Threat\r\nHunting Report.\r\nLAS VEGAS -- CrowdStrike observed an alarming rise in identity-based intrusions, including a sixfold increase\r\nin Kerberoasting attacks, according to the vendor's 2023 Threat Hunting Report published Tuesday.\r\nThe threat report, which is in its sixth year, is CrowdStrike's annual look at attack and threat actor trends based on\r\nengagements the cybersecurity vendor observed over the previous year. Published at the start of Black Hat USA\r\n2023, the 40-plus page report covers a number of attack styles and adversary tactics seen between July 2022 and\r\nJune 2023, but the clear theme of this year's report was identity-based threat activity.\r\nFor example, 62% of interactive intrusions involved the abuse of active accounts, and the report noted a \"160%\r\nincrease in attempts to gather secret keys and other credential materials via cloud instance metadata APIs.\" In its\r\n2023 Global Threat Report earlier this year, CrowdStrike noted that 80% of all breaches involved compromised\r\nidentities.\r\nAdam Meyers, head of Counter Adversary Operations at CrowdStrike, told TechTarget Editorial that the focus on\r\nidentity from threat actors this year came down in part to improvements in endpoint detection and response\r\ncapabilities. Defenders have made it more difficult for a threat actor to get into a target environment, and as such,\r\n\"using identity allows [the threat actor] to look more like a legitimate user, avoid detection and have a better\r\nchance at accomplishing their goal,\" he said.\r\n\"When a threat actor's ability to use the tactics they have been using becomes more difficult, rather than work\r\nharder for the same outcome, they reassess and find another way to accomplish the same goal,\" Meyers said. \"And\r\nin this case, using legitimate user credentials that they can either social engineer or get out of a dark forum type of\r\nsituation gets them the access that they want, and then they can live off the land.\"\r\nCrowdStrike also noted a 583% increase in Kerberoasting, an attack technique in which threat actors exploit a\r\nflaw in the open source authentication protocol Kerberos in order to crack or \"roast\" user passwords. Although this\r\nis an extension to the aforementioned spike in identity-based attacks, CrowdStrike noted in its report that 27% of\r\nintrusions involving Kerberoasting came down to a single threat actor, Vice Spider, a ransomware actor active\r\nsince at least April 2021.\r\nThe 2023 Threat Hunting Report also noted that adversary breakout time reached an all-time low, at 79 minutes.\r\nBreakout time is the average amount of time a threat actor needs to move laterally from the initial point of\r\ncompromise to other systems and hosts within the victim environment. Breakout time in the 2022 Threat Hunting\r\nReport was 84 minutes.\r\nCrowdStrike launches Counter Adversary Operations\r\nAlso as part of Black Hat, CrowdStrike launched \"Counter Adversary Operations,\" a new team led by Meyers that\r\nwill bring CrowdStrike's threat intelligence and threat hunting teams under a single banner. The 2023 Threat\r\nHunting Report is the first report under the new team's banner, and the first Counter Adversary Operations product\r\noffering, Identity Threat Hunting, was launched at the Las Vegas conference.\r\nIdentity Threat Hunting launches immediately as part of CrowdStrike Falcon OverWatch Elite at no additional\r\ncost. According to an accompanying press release, the offering \"makes it possible to quickly identify and\r\nremediate compromised credentials, track lateral movement, and outpace adversaries with always-on, 24/7\r\ncoverage.\"\r\n\"The new mandate is to really use the collective capability of the threat hunting and threat intelligence teams,\r\nwhich I don't think anybody is really doing at this point in the industry,\" Meyers explained. \"We are taking those\r\ntwo teams and colocating them, so we are in a better position to have a more disruptive impact against adversaries\r\nand make it harder for them to operate.\"\r\nAlexander Culafi is a writer, journalist and podcaster based in Boston.\r\nSource: https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks"
	],
	"report_names": [
		"CrowdStrike-observes-massive-spike-in-identity-based-attacks"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13d6ff44-024c-4b98-a548-b9b8107ba708",
			"created_at": "2024-10-04T02:00:04.758036Z",
			"updated_at": "2026-04-10T02:00:03.713862Z",
			"deleted_at": null,
			"main_name": "VICE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VICE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434445,
	"ts_updated_at": 1775791679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d562c16fe968e0ba83fa27d24b2c43dab3869c0.pdf",
		"text": "https://archive.orkl.eu/7d562c16fe968e0ba83fa27d24b2c43dab3869c0.txt",
		"img": "https://archive.orkl.eu/7d562c16fe968e0ba83fa27d24b2c43dab3869c0.jpg"
	}
}