Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools


Cyber attacks leveraging trusted services to conduct malicious activities are becoming the norm, according to new research, as malware takes a backseat among hackers.

CrowdStrike’s 2025 global threat report found a shift towards malware-free attack techniques was one of the defining trends shaping the threat landscape in the past five years.

The report stated that 79% of CrowdStrike's threat detections constituted malware-free malicious activity in 2024, compared to 40% in 2019.

Malware-free attacks are those in which instead of delivering carefully designed malicious software to carry out post-compromise activity, threat actors look to abuse existing tools on the target device.

For example, remote monitoring and management (RMM) tools such as NinjaOne, Datto, or N-able are often used to move laterally within the target environment, gaining deeper access to the victim's systems and ultimately stealing data.

CrowdStrike warned that cloud services are becoming another favorite avenue for conducting malicious activity against victim machines, noting that 2024 saw a 26% rise in unattributed cloud intrusions compared to 2023.

“CrowdStrike observed more intrusions in which attackers gained initial access via valid accounts, leveraged cloud environment management tools for lateral movement, and abused cloud provider command line tools,” the report explained.

“Other cloud-conscious tactics — such as enumerating cloud infrastructure and identities and maintaining persistence via alternate authentication mechanisms — were consistent throughout 2024.”

The report stated that the primary initial access vector for cloud-based attacks is through attackers abusing valid accounts, which accounted for 35% of cloud incidents in the first half of 2024.

For example, attackers typically obtain the credentials for valid accounts from unsecured sources such as the cloud VM Instance Metadata Service, IT development services, or secured password storage solutions.

Another popular method of collecting credentials is by abusing trust relationships to gain access to cloud accounts, CrowdStrike noted.

“More adversaries used connections between business partners and their cloud tenants to access environments without needing to obtain credentials in the victim tenant,” it reported.

Moreover, once they gain access they often leave the credentials unchanged, since changing them could alert the legitimate user to suspicious behavior.

Visibility is now paramount for security teams

CrowdStrike said these hands-on-keyboard attacks, in which the malicious actor actively controls the victim's system in real time, help attackers avoid detection because they blend in with legitimate user activity.

“Unlike traditional malware, these methods allow attackers to bypass traditional security measures by executing commands and using legitimate software to mimic normal operations,” it warned.

The report concluded that these trends make it imperative for businesses to continue modernizing their threat detection and response strategies, as traditional frameworks are becoming insufficient in the face of these evolving techniques.

For example, as the growing use of legitimate tools to carry out post-compromise activity makes detection more difficult, organizations need to focus on building out their XDR and SIEM solutions in order to achieve unified visibility across endpoints, networks, cloud environments, and identity systems.

This will give security analysts the best opportunity to correlate suspicious behaviors and unravel the wider attack path, putting them in a better position to react effectively.
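The correlation the report calls for can be sketched in code. The following is an added example and not CrowdStrike's or ITPro's own work: it runs two simple rules over constructed endpoint, identity and cloud events (the tool binaries, account names and API actions are illustrative), first flagging any known RMM agent the organization does not deploy, then linking a valid-account login, an unsanctioned RMM agent on that user's host and subsequent cloud enumeration into one finding.

```python
from datetime import datetime, timedelta

# Constructed, normalised telemetry: an endpoint stream (process starts) and an
# identity/cloud stream (logins and API actions), both keyed by the user involved.
# Binary names and actions are illustrative, not taken from any real incident.
EVENTS = [
    {"ts": "2024-06-03T09:02:00", "src": "endpoint", "user": "alice", "host": "WS-17", "proc": "DattoRMM.exe"},
    {"ts": "2024-06-03T09:10:00", "src": "identity", "user": "bob", "host": None, "action": "ConsoleLogin"},
    {"ts": "2024-06-03T09:12:00", "src": "endpoint", "user": "bob", "host": "WS-42", "proc": "NinjaRMMAgent.exe"},
    {"ts": "2024-06-03T09:15:00", "src": "cloud", "user": "bob", "host": None, "action": "iam:ListUsers"},
    {"ts": "2024-06-03T09:16:00", "src": "cloud", "user": "bob", "host": None, "action": "ec2:DescribeInstances"},
    {"ts": "2024-06-03T14:00:00", "src": "cloud", "user": "carol", "host": None, "action": "s3:ListBuckets"},
]

SANCTIONED_RMM = {"dattormm.exe"}  # the RMM product this (hypothetical) org actually deploys
RMM_BINARIES = {"dattormm.exe", "ninjarmmagent.exe", "n-ableagent.exe"}  # known RMM agents (assumed names)
ENUM_ACTIONS = {"iam:ListUsers", "iam:ListRoles", "ec2:DescribeInstances", "s3:ListBuckets"}

def parse(e):
    return datetime.fromisoformat(e["ts"])

def unsanctioned_rmm(events, sanctioned=SANCTIONED_RMM):
    """Endpoint rule: a known RMM agent ran that the organisation does not deploy."""
    return [e for e in events if e["src"] == "endpoint"
            and e["proc"].lower() in RMM_BINARIES and e["proc"].lower() not in sanctioned]

def correlate(events, window=timedelta(minutes=30), min_enum=2):
    """Cross-source rule: a valid account logs in, an unsanctioned RMM agent starts on
    that user's host, and the account then enumerates cloud resources, all within `window`."""
    rmm_hits = {(e["user"], e["ts"]) for e in unsanctioned_rmm(events)}
    by_user = {}
    for e in sorted(events, key=parse):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for login in (e for e in evs if e.get("action") == "ConsoleLogin"):
            t0 = parse(login)
            span = [e for e in evs if t0 <= parse(e) <= t0 + window]
            rmm = [e for e in span if (e["user"], e["ts"]) in rmm_hits]
            enum = [e for e in span if e.get("action") in ENUM_ACTIONS]
            if rmm and len(enum) >= min_enum:  # only the chain, not any single event, alerts
                findings.append({"user": user, "host": rmm[0]["host"], "rmm": rmm[0]["proc"],
                                 "enum": [e["action"] for e in enum]})
    return findings
```

Neither the login nor the enumeration is suspicious on its own, which is why a rule that only sees the endpoint or only the cloud stream would miss this sequence.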

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.