Silverfort Research Finds Two-Thirds of Businesses Sync On-prem Passwords to Cloud Environments, Opening their Cloud to Cyberattack

Home » News and press » Silverfort Research Finds Two-Thirds of Businesses Sync On-prem Passwords to Cloud Environments, Opening their Cloud to Cyberattack

Company Unveils its Proprietary Identity Underground Report 2024; First Identity Report 100% Dedicated to Exposing Frequency & Prevalence of Identity Threat Exposures (ITEs)

Alphv BlackCat and Lockbit ransomware threat actors abuse gaps in identity to steal credentials, escalate privileges, and move through organizations undetected

Tel Aviv, Israel & Boston, MA, March 26, 2024 – Today, Silverfort, the Unified Identity Protection Company, unveiled its Identity Underground Report, highlighting the frequency of identity security gaps that lead to successful attacks on organizations across every industry and region. Fueled by Silverfort’s proprietary data, the report is the first of its kind, focusing on identity as an attack vector and offering insights into the Identity Threat Exposures (ITEs) that pave the way for cyberattacks. The data, analysis, and insights help identity and security teams benchmark their security programs, empowering them to make informed decisions on where to invest in identity security

The standout – and alarming – finding is that two out of every three businesses (67%) routinely synchronize most of their users’ passwords from their on-premises directories to their cloud counterparts. This practice inadvertently migrates on-prem identity weaknesses to the cloud, which poses substantial security risks by creating a gateway for attackers to hack these environments from on-prem settings. The Alphv BlackCat ransomware group is known to use Active Directory as a stepping stone to compromise cloud identity providers.

Over the past decade, there has been a rush to migrate to the cloud – and for a good reason. Simultaneously, however, security gaps stemming from legacy infrastructure, misconfigurations, and insecure built-in features create pathways for attackers to access the cloud, significantly weakening a company’s resilience to identity threats.

“Identity is the elephant in the room. We know that identity plays a key role in nearly every cyberattack. Lockbit, BlackCat, TA577, Fancy Bear – they all use identity gaps to break in, move laterally, and gain more permissions,” said Hed Kovetz, CEO and Co-founder of Silverfort. “But we need to know how common each identity security gap is so we can start methodically fixing them. Finally, we have concrete evidence outlining the frequency of identity gaps, which we can now classify as Password Exposers, Lateral Movers, or Privilege Escalators, and they’re all vehicles for threat actors to complete their attacks. We hope that by shining a light on the prevalence of these issues, identity and security teams will have the hard numbers they need to prioritize adequate security investments and eliminate these blind spots.”

Key findings include:

  • Two-thirds of all user accounts authenticate via the weakly encrypted NTLM protocol, providing attackers easy access to cleartext passwords. Easily cracked with brute-force attacks, NT Lan Manager (NTLM) authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research from Proofpoint security shows threat actor TA577 using NTLM authentication information to steal passwords.
  • A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Attackers use shadow admins to change settings and permissions and gain more access to machines as they move deeper into an environment. 
  • 7% of user accounts inadvertently hold admin-level access privileges, giving attackers more opportunities to escalate privileges and move throughout environments undetected.
  • 31% of user accounts are service accounts. Service accounts are used for machine-to-machine communication and have a high level of access and privileges. Attackers target service accounts as security teams often overlook them. Only 20% of companies are highly confident that they have visibility into every service account and can protect them.
  • 13% of user accounts are categorized as “stale accounts,” which are effectively dormant user accounts that the IT team may have forgotten. They are easy targets for lateral movement and evading detection by attackers.

Silverfort’s research team has meticulously categorized Identity Threat Exposures (ITE) into four distinct classes. Their goal is to arm the cybersecurity industry with a framework to classify and understand the diverse spectrum of identity issues and misconfigurations that enable credential theft, privilege escalation, and lateral movement by malicious actors.

The four ITE categories

  • Password Exposers: Enable an attacker to discover users’ passwords by exposing the password hash to common compromise techniques. Examples include NTLM authentication, NTLMv1 authentication, and admins with SPN.
  • Privilege Escalators: Allow an attacker to gain additional access privileges. Typically Privilege Escalators are the result of a misconfiguration or insecure legacy settings. Examples include shadow admins and unconstrained delegation.
  • Lateral Movers: Allow an attacker to move laterally undetected. Examples include service accounts and prolific users.
  • Protection Dodgers: Potentially open legitimate user accounts up for attackers to use. Protection Dodgers stem from human error or mismanaged user accounts; they are not inherently security flaws or misconfigurations. Examples include new users, shared accounts, and stale users.

Join Silverfort’s identity threat experts on April 9th in partnership with Hacker News for a deep dive into the report findings. Visit Identity Underground to access the complete report.

About Silverfort

Silverfort, the Unified Identity Protection company, pioneered the first and only platform that enables modern identity security everywhere. We connect the silos of enterprise identity infrastructure to unify identity security across all on-prem and the cloud environments. Our unique architecture and vendor agnostic approach, takes away the complexity of securing every identity, and extends protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, amongst others. Silverfort is a top-tier Microsoft partner and was selected as Microsoft’s Zero Trust Champion of the Year. Hundreds of the world’s leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting or on LinkedIn.

Stop Identity Threats Now