Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe:

  • A sharp increase in abuse of valid accounts
  • A pivot in the approach of major ransomware groups
  • Our analysis of the timing and shape of the impact of generative AI (gen AI) on cybersecurity

Cybercriminals prefer to take the path of least resistance to meet their objectives, and therefore it is concerning that, for the first time in our research, abusing valid accounts became a preferred means of access into victim environments for cybercriminals. Use of stolen credentials to access valid accounts surged 71% over the previous year and represented 30% of all incidents X-Force responded to in 2023, tied with phishing as the top infection vectors.

Abuse of valid account credentials is top threat

As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials was an “easier” route to achieving their goals last year. This is not altogether surprising, considering the vast quantity of valid credentials easily accessible on the dark web. Yet this “easy entry” for attackers is hard to detect, requiring a complex response from organizations to distinguish between legitimate and malicious user activity on the network.

Phishing, whether through an attachment, link or as a service, also comprised 30% of all incidents remediated by X-Force in 2023, although the volume of phishing was down by 44% from 2022. The significant drop in observed compromises through phishing is likely a reflection of both continued adoption of phishing mitigation techniques, as well as attackers shifting to the use of valid credentials.

Additionally, X-Force observed a 100% increase in “Kerberoasting” during incident response engagements. Kerberoasting is a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations.

These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector.

Explore the report

Rise in infostealer malware as ransomware groups pivot

The abuse of valid accounts as the top access technique was accompanied by an upsurge in malware, known as infostealers, designed to steal information to acquire credentials. We observed a 266% surge in infostealing malware, as we observed groups that previously specialized in ransomware pivoting to infostealers.

Despite remaining the most common action on objective (20%), X-Force observed an 11.5% drop in enterprise ransomware incidents. This drop is likely a result of larger organizations stopping attacks before ransomware was deployed and opting against paying the ransom in favor of rebuilding if ransomware takes hold. (It’s worth noting that analysis of ransomware extortion sites indicates ransomware activity globally actually increased in 2023. This appears to indicate X-Force clients continued to improve their capabilities to detect and respond to the precursors of a ransomware event.)

Although X-Force observed a drop in ransomware attacks, extortion-based attacks continued to be a driving force of cybercrime this past year, only surpassed by data theft and leak as the most common impact observed in X-Force incidents. For example, X-Force responded to multiple incidents associated with the CL0P ransomware group’s widespread data extortion attacks through the exploitation of the previously unknown vulnerability in MOVEit, a commonly used managed file transfer (MFT) tool.

While zero-day vulnerabilities like this one garner notoriety, the reality is that zero-day vulnerabilities make up a very small percentage of the vulnerability attack surface — just 3% of total vulnerabilities tracked by X-Force. In 2023, there was a 72% drop in the number of zero days compared to 2022, with only 172 new zero-day vulnerabilities. While the total number of zero days dropped, organizations should still emphasize knowing their attack surface and identifying and patching vulnerabilities in their environment to prevent many attacks.

Generative AI attacks have potential, but not a direct threat yet

Last year will go down in history as a gen AI breakout year. Policymakers, business executives and cybersecurity professionals are all feeling the pressure to adopt AI within their operations. And the rush to adopt gen AI is currently outpacing the industry’s ability to understand the security risks these new capabilities will introduce. However, a universal AI attack surface will materialize once adoption of AI reaches a critical mass, forcing organizations to prioritize security defenses that can adapt to AI threats at scale.

To come to this conclusion, X-Force reflected on technological enablers and milestones that fostered cybercriminal activities in the past to predict when we’ll see indicators of AI attack surface maturity. X-Force predicts that this will occur once a single AI technology approaches 50% market share, or when the market consolidates to three or less technologies.

Furthermore, despite signs of interest among cybercriminals in leveraging gen AI in their attacks, X-Force hasn’t observed any concrete evidence of gen AI-engineered cyberattacks to date. Phishing is expected to be one of the first malicious use cases of AI that cybercriminals will invest in, reducing the time to craft convincing messages from multiple days to minutes. But although it’s not unlikely to see AI-enabled attacks reported in the near term, X-Force assesses that proliferated activity won’t be established until the pace of enterprise AI adoption matures.

Fundamentals remain essential for security

The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges. Cybercriminals’ reinvigorated focus on identities highlights organizations’ risks that exist on devices outside of their visibility, and they need to continue to emphasize good security habits in their workforces. Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores or accessing enterprise accounts directly from personal devices.

While “security fundamentals” doesn’t get as many head turns as “AI-engineered attacks,” it remains that enterprises’ biggest security problem boils down to the basic and known — not the novel and unknown. Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.

Learn more in the X-Force Threat Intelligence Index

The X-Force Threat Intelligence Index offers our unique insights to IBM clients, researchers in the security industry, policymakers, the media and the broader community of security professionals and business leaders.

Discover more in the report about the threat landscape and latest cybersecurity trends:

  • Analysis of the top initial access vectors, top attacker actions on objective and top impacts on organizations
  • Geographic and industry trends
  • Recommendations on how organizations should respond and where to start

Download the report and sign up to attend a webcast for a panel discussion with Kevin Albano, associate partner of IBM X-Force, and Ryan Leszczynski, a supervisory special agent in the FBI Cyber Division. They’ll offer a detailed explanation of the findings and what they mean for organizations defending against these evolving threats.

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today