
Cybercriminals picked up the pace on attacks last year

Ransomware groups last year achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments, threat intelligence experts said.

Threat actors became increasingly efficient last year, rapidly achieving lateral movement and swiftly stealing data at a faster clip than ever before, according to multiple threat intelligence firms. 

The shrinking time frame is a clear sign that cybercriminals keep refining their tradecraft. By abusing legitimate system tools to evade detection, concentrating on obtaining authorized administrative credentials, and automating their processes, they often leave defenders unaware of malicious activity until it is too late.

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, reported that in the past year the average breakout time from a lateral movement perspective was 48 minutes. Remarkably, the fastest breakout time recorded was just 51 seconds, as he noted in a recent media briefing. In comparison, the average breakout time for interactive cybercrime intrusions in 2023 was 62 minutes, according to CrowdStrike.

“Not only are these adversaries using different techniques, different capabilities, they’re doing it faster, and they’re iterating faster than many of the enterprises that they’re targeting,” Meyers said.


CrowdStrike’s research on breakout times isn’t unique. ReliaQuest also observed attackers moving at unprecedented speeds, achieving lateral movement after gaining initial access in an average of 48 minutes last year. 

The breakout speeds observed by CrowdStrike and ReliaQuest underscore a broader effort by cybercriminals to hit targets quickly, achieve their objectives and ultimately leverage ill-gotten gains for extortion. Some cybercrime groups still tend to move slower but, on average, ransomware attacks have become a race against time — for offenders and defenders alike.

Data exfiltration, one of the primary and most pressing aims of cybercriminals, occurred at the fastest speed on record last year, according to Palo Alto Networks’ threat intelligence firm Unit 42.

“A few years ago, the median time was about nine or 10 days from point of intrusion to exfiltration. Median time in 2024 was about two days,” said Sam Rubin, SVP of consulting and threat intelligence at Unit 42.

While the median measurement of attack tempo from access to exfiltration is distressing, the speedy outliers are even more alarming. 


In a quarter of the cases Unit 42 responded to last year, the time from compromise to data theft was less than five hours, three times faster than speeds the firm observed in 2021. In 1 in 5 cases, attackers exfiltrated data from victim environments in less than an hour, according to Unit 42.

RansomHub, a ransomware group Unit 42 tracks as Spoiled Scorpius, accessed a municipal government’s network through a VPN lacking multi-factor authentication last year and exfiltrated 500 GB of data within seven hours.

The speed at which ransomware groups are operating is akin to a bank robbery, Rubin said. 

“Maybe someone hit the silent alarm and the cops are coming, and they know they’ve got to get in and get something quickly,” he said. 

Cybercriminals are rapidly escalating privileges and using persistence mechanisms to maintain access for extended periods, enabling them to carry out further actions after initially compromising a system. 


Muddled Libra, a group more commonly known as Scattered Spider and also affiliated with “the Com,” socially engineered a service provider’s help desk last year to gain access to a contracted IT worker’s privileged access manager account, according to Unit 42. Once the threat group gained access, it retrieved stored credentials and compromised a domain-privileged account within 40 minutes.

In this particular incident, Scattered Spider then broke into a password management vault and created a secondary server for its own multi-factor authentication. This gave the group another way to retain access and steal more data.

“Then they’re operating in the cloud, they’re operating on the security telemetry tooling. They disabled some logging in the SIEM (security information and event management),” Rubin said. 

The technical expertise of ransomware groups varies, but Scattered Spider showcased “IT, DevOps, security operations and sort of business savvy all coming in at once, which candidly does demonstrate that sophistication,” Rubin said.

ReliaQuest drew conclusions similar to those of other threat intel companies, finding that the fastest data exfiltration time last year was 4 hours and 29 minutes.


“The time required for an adversary to progress from initial access to executing data exfiltration is 34% faster than the time needed for encryption,” ReliaQuest said in its annual threat report. “Our data reveals a major shift in ransomware tactics: Of all breaches we observed in 2024, 80% involved data exfiltration, while only 20% included encryption.”
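The breakout and exfiltration intervals the article quotes are measured from the same reference point: the first confirmed initial-access event. The snippet below, an added illustration rather than code from any of the firms cited, reconstructs those intervals from a constructed event timeline and flags the conditions the article describes (breakout at or under the 48-minute average, exfiltration within an hour, and the SIEM logging tampering seen in the Scattered Spider incident). The event names and timestamps are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not from the article) of one intrusion, as a
# defender might rebuild it from SIEM/EDR events: (UTC timestamp, event type,
# host). Event type names are assumptions, not any vendor's schema.
SAMPLE_EVENTS = [
    ("2024-06-03T09:00:00", "initial_access", "vpn-gw"),
    ("2024-06-03T09:31:00", "credential_access", "ws-101"),
    ("2024-06-03T09:47:00", "lateral_movement", "fs-02"),
    ("2024-06-03T11:10:00", "logging_disabled", "siem-01"),
    ("2024-06-03T13:20:00", "exfiltration", "fs-02"),
]

# Benchmarks quoted in the article: 48-minute average breakout time
# (CrowdStrike, ReliaQuest) and exfiltration in under an hour (Unit 42).
AVG_BREAKOUT = timedelta(minutes=48)
FAST_EXFIL = timedelta(hours=1)


def first_event(events, kind):
    """Return the earliest timestamp of the given event kind, or None."""
    times = [datetime.fromisoformat(ts) for ts, k, _ in events if k == kind]
    return min(times) if times else None


def intrusion_tempo(events):
    """Measure breakout and exfiltration intervals from initial access."""
    start = first_event(events, "initial_access")
    if start is None:
        raise ValueError("timeline has no initial_access event")
    lateral = first_event(events, "lateral_movement")
    exfil = first_event(events, "exfiltration")
    return {
        "breakout": lateral - start if lateral else None,
        "to_exfil": exfil - start if exfil else None,
        "logging_disabled": first_event(events, "logging_disabled") is not None,
    }


def triage_flags(tempo):
    """Flag timelines that match or outpace the article's benchmarks."""
    flags = []
    if tempo["breakout"] is not None and tempo["breakout"] <= AVG_BREAKOUT:
        flags.append("breakout_at_or_under_48m")
    if tempo["to_exfil"] is not None and tempo["to_exfil"] <= FAST_EXFIL:
        flags.append("exfil_under_1h")
    if tempo["logging_disabled"]:
        flags.append("defense_evasion_logging_disabled")
    return flags
```

For the sample timeline, breakout is 47 minutes (flagged) and exfiltration follows 4 hours 20 minutes after access (not flagged), while the logging tampering is flagged regardless of timing.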
