A wave of Kerberoasting attacks is stirring up cyber security concerns.

In the last 12 months, cyber security researchers have observed a 583% surge in this attack type — a worrying trend, especially since the attacks can be deployed in tandem with ransomware, leading to devastating consequences for targeted organizations.

Among cyber criminals, the appeal of Kerberoasting attacks lies in their potential to deliver comprehensive access to an organization’s entire IT infrastructure.

What is Kerberoasting?

Kerberoasting is a privilege escalation attack. At its core, Kerberoasting exploits vulnerabilities in the Kerberos authentication protocols utilized by Windows devices to gain access to IT environments; based on service principle names (SPNs).

Developed at MIT in the 1980s, the Kerberos authentication protocol aimed to facilitate secure identity verification without transmitting plaintext passwords over a network. Over time, the protocol became the default authentication mechanism for operating systems.

Kerberoasting origins

This attack vector isn’t new (it’s been extant since 2014). The first known Kerberoasting attacks focused on government agencies and financial institutions. Eventually, this attack type declined in popularity among hackers.

However, recent observations indicate a resurgence, driven by weaknesses inherent in the complexity of modern computing infrastructure. Most recently, state-backed cyber criminals leveraged Kerberoasting in a series of supply chain attacks.

Kerberoasting has also been observed in connection with other attack types, like ransomware and data exfiltration.

The ”Vice Spider” crime group

One cyber crime crew in particular has made extensive use of the technique. Known as “Vice Spider,” these hackers are thought to be accountable for nearly 30% of all observed Kerberoasting-related network intrusions.

How Kerberoasting attacks work

Typically, cyber criminals who deploy Kerberoasting attacks aim to gain control of a network’s service accounts by interacting with a domain controller’s ticket-granting server service. They use an authenticated account and then request service tickets associated with SPNs connected to vulnerable accounts.

The service tickets contain encrypted data. Offline, the attackers subsequently break through the encryption to reveal plain-text passwords, providing them with unfettered access to critical systems.

Why Kerberoasting attacks work

Among cyber criminals, Kerberoasting attacks are lauded for their stealth. These attacks operate without generating any noticeable alerts or conspicuous activities within the network.

Cyber criminals launching Kerberoasting attacks are also starting to incorporate automation within attack techniques. As a result, Kerberoasting attacks can be challenging to detect and tough to mitigate.

Kerberoasting attack prevention tips

To counter the growing risk posed by Kerberoasting attacks, a multi-layered cyber security strategy is a must.

  • Strengthening password policies for both service and user accounts is crucial, as weak passwords often facilitate the success of these attacks.
  • Cyber security professionals also need to recognize Kerberoasting attack indicators, such as unusual service ticket requests, failed login or unauthorized access attempts and unusual network traffic patterns.
  • Further, organizations can enhance their security by adopting encryption for network traffic, helping to thwart attackers who try to intercept and expose sensitive information.

For more insights into safeguarding your digital assets and maintaining cyber resilience, please check out this Cyber Talk sponsored eBook and see CyberTalk.org’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.