
Study Finds Most Businesses Sync On-premises Passwords to Cloud Environments

Silverfort research shows how enterprises are opening their clouds to cyberattacks; Alphv BlackCat and Lockbit ransomware threat actors abuse gaps in identity to steal credentials, escalate privileges, and move through organizations undetected.

Note: TDWI's editors carefully choose vendor-issued press releases about new or interesting research and services. We have edited and/or condensed this release to highlight key study results or service features but make no claims as to the accuracy of the vendor's statements.

Silverfort, a specialist in unified identity protection, has released its Identity Underground report, highlighting the frequency of identity security gaps that lead to successful attacks on organizations across every industry and region. Fueled by Silverfort's proprietary data, the report focuses on identity as an attack vector and offers insights into the identity threat exposures (ITEs) that pave the way for cyberattacks. The data, analysis, and insights help identity and security teams benchmark their security programs, empowering them to make informed decisions on where to invest in identity security.

The standout -- and alarming -- finding is that two out of every three businesses (67%) routinely synchronize most of their users’ passwords from their on-premises directories to their cloud counterparts. This practice inadvertently migrates on-premises identity weaknesses to the cloud, which poses substantial security risks by creating a gateway for attackers to hack these environments from on-prem settings. The Alphv BlackCat ransomware group is known to use Active Directory as a stepping stone to compromise cloud identity providers.

Over the past decade, there has been a rush to migrate to the cloud, and for a good reason. Simultaneously, however, security gaps stemming from legacy infrastructure, misconfigurations, and insecure built-in features create pathways for attackers to access the cloud, significantly weakening a company's resilience to identity threats.

"Identity is the elephant in the room. We know that identity plays a key role in nearly every cyberattack. Lockbit, BlackCat, TA577, Fancy Bear -- they all use identity gaps to break in, move laterally, and gain more permissions," said Hed Kovetz, CEO and co-founder of Silverfort.

"We need to know how common each identity security gap is so we can start methodically fixing them. Finally, we have concrete evidence outlining the frequency of identity gaps, which we can now classify as password exposers, lateral movers, or privilege escalators, and they’re all vehicles for threat actors to complete their attacks. We hope that by shining a light on the prevalence of these issues, identity and security teams will have the hard numbers they need to prioritize adequate security investments and eliminate these blind spots.”

Key findings include:

  • Two-thirds of all user accounts authenticate via the weakly encrypted NTLM protocol, providing attackers easy access to cleartext passwords. Easily cracked with brute-force attacks, NT LAN Manager (NTLM) authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research from Proofpoint shows threat actor TA577 using NTLM authentication information to steal passwords.
  • A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Attackers use shadow admins to change settings and permissions and gain more access to machines as they move deeper into an environment.
  • 7% of user accounts inadvertently hold admin-level access privileges, giving attackers more opportunities to escalate privileges and move throughout environments undetected.
  • 31% of user accounts are service accounts. Service accounts are used for machine-to-machine communication and have a high level of access and privileges. Attackers target service accounts as security teams often overlook them. Only 20% of companies are highly confident that they have visibility into every service account and can protect them.
  • 13% of user accounts are categorized as "stale accounts," which are effectively dormant user accounts that the IT team may have forgotten. They are easy targets for attackers seeking to move laterally while evading detection.

Silverfort's research team has meticulously categorized identity threat exposures (ITEs) into four distinct classes. Their goal is to arm the cybersecurity industry with a framework to classify and understand the diverse spectrum of identity issues and misconfigurations that enable credential theft, privilege escalation, and lateral movement by malicious actors.

The four ITE categories are:

  • Password exposers: Enable an attacker to discover users’ passwords by exposing the password hash to common compromise techniques. Examples include NTLM authentication, NTLMv1 authentication, and admins with SPN.
  • Privilege escalators: Allow an attacker to gain additional access privileges. Typically privilege escalators are the result of a misconfiguration or insecure legacy settings. Examples include shadow admins and unconstrained delegation.
  • Lateral movers: Allow an attacker to move laterally undetected. Examples include service accounts and prolific users.
  • Protection dodgers: Potentially leave legitimate user accounts open for attackers to use. Protection dodgers stem from human error or mismanaged user accounts; they are not inherently security flaws or misconfigurations. Examples include new users, shared accounts, and stale users.
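To make the key findings and the four ITE categories concrete, the following Python script is an added example (not Silverfort's tooling or any code from the report) that applies the report's taxonomy as audit rules over a small set of constructed account records. The record fields are assumptions about what a directory export plus authentication logs would provide: the real Active Directory `userAccountControl` flag for unconstrained delegation (0x80000), `servicePrincipalName` values, a Reset-Password right over other users as the stand-in for "shadow admin," and the NTLM version observed in logon events. The 90-day stale and 7-day new thresholds are assumptions, not figures from the report.

```python
"""Classify directory accounts into the four ITE classes named in the report:
password exposers, privilege escalators, lateral movers, protection dodgers.

All account records here are CONSTRUCTED sample data. In practice they would be
built from an Active Directory export (userAccountControl, servicePrincipalName,
lastLogonTimestamp, whenCreated, ACLs) plus authentication logs showing which
protocol each account used.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Real bit of the AD userAccountControl attribute: account is trusted for
# unconstrained Kerberos delegation (TRUSTED_FOR_DELEGATION).
UAC_TRUSTED_FOR_DELEGATION = 0x80000

STALE_AFTER = timedelta(days=90)   # assumed threshold for "stale user"
NEW_WITHIN = timedelta(days=7)     # assumed threshold for "new user"

# Fixed reference time so the sample run is deterministic.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    is_admin: bool = False                  # member of a privileged group
    spns: list = field(default_factory=list)            # servicePrincipalName
    uac: int = 0                            # userAccountControl bits
    auth_protocols: set = field(default_factory=set)    # seen in logon events
    can_reset_others: bool = False          # Reset-Password right on other users
    is_service: bool = False                # machine-to-machine account
    is_shared: bool = False                 # used by more than one person
    created: datetime | None = None
    last_logon: datetime | None = None


def classify(acct: Account, now: datetime = NOW) -> list[tuple[str, str]]:
    """Return (ITE category, exposure) pairs that apply to one account."""
    findings = []
    # Password exposers: the password hash is exposed to offline cracking.
    if "NTLMv1" in acct.auth_protocols:
        findings.append(("password exposer", "NTLMv1 authentication"))
    elif "NTLMv2" in acct.auth_protocols:
        findings.append(("password exposer", "NTLM authentication"))
    if acct.is_admin and acct.spns:
        findings.append(("password exposer", "admin with SPN"))
    # Privilege escalators: misconfiguration or legacy setting grants access.
    if acct.uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append(("privilege escalator", "unconstrained delegation"))
    if acct.can_reset_others and not acct.is_admin:
        findings.append(("privilege escalator", "shadow admin"))
    # Lateral movers: highly privileged, rarely watched accounts.
    if acct.is_service:
        findings.append(("lateral mover", "service account"))
    # Protection dodgers: human error or mismanaged accounts.
    if acct.is_shared:
        findings.append(("protection dodger", "shared account"))
    if acct.created is not None and now - acct.created <= NEW_WITHIN:
        findings.append(("protection dodger", "new user"))
    if acct.last_logon is None or now - acct.last_logon > STALE_AFTER:
        findings.append(("protection dodger", "stale user"))
    return findings


def summarize(accounts: list[Account], now: datetime = NOW) -> dict:
    """Accounts per ITE category, findings per exposure, and the share of
    accounts that authenticated with any NTLM version (the report's headline
    metric)."""
    by_category: Counter = Counter()
    by_exposure: Counter = Counter()
    ntlm_users = 0
    for acct in accounts:
        findings = classify(acct, now)
        for cat in {c for c, _ in findings}:
            by_category[cat] += 1
        for _, exp in findings:
            by_exposure[exp] += 1
        if acct.auth_protocols & {"NTLMv1", "NTLMv2"}:
            ntlm_users += 1
    return {
        "total": len(accounts),
        "by_category": dict(by_category),
        "by_exposure": dict(by_exposure),
        "ntlm_share": ntlm_users / len(accounts) if accounts else 0.0,
    }


def sample_accounts() -> list[Account]:
    """Constructed directory snapshot covering each exposure type."""
    def days_ago(n: int) -> datetime:
        return NOW - timedelta(days=n)
    return [
        Account("svc_backup", is_admin=True, is_service=True,
                spns=["MSSQLSvc/db01.corp.example:1433"],
                auth_protocols={"NTLMv2"}, last_logon=days_ago(1)),
        Account("jdoe", auth_protocols={"NTLMv1", "Kerberos"},
                last_logon=days_ago(2)),
        Account("helpdesk1", can_reset_others=True,
                auth_protocols={"Kerberos"}, last_logon=days_ago(1)),
        Account("app-gw", is_service=True,
                uac=0x200 | UAC_TRUSTED_FOR_DELEGATION,
                auth_protocols={"Kerberos"}, last_logon=days_ago(3)),
        Account("mlee", auth_protocols={"Kerberos"}, last_logon=days_ago(200)),
        Account("contractor-new", created=days_ago(2),
                auth_protocols={"Kerberos"}, last_logon=days_ago(1)),
        Account("reception", is_shared=True, auth_protocols={"Kerberos"},
                last_logon=days_ago(1)),
    ]


if __name__ == "__main__":
    for a in sample_accounts():
        print(f"{a.name:15} {classify(a)}")
    print(summarize(sample_accounts()))
```

Each account can carry findings in more than one category (the sample service account with an SPN on an admin is both a password exposer and a lateral mover), which is why the summary counts distinct accounts per category rather than raw findings; the per-exposure counter is what a team would use to rank which gap to close first.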

Visit Identity Underground to access the complete report (short registration required).
