Arguably a bit more controllable is the challenge of delayed patching. ConnectWise’s findings suggest that organizations often struggle to keep up with patches and updates for edge systems, leaving them vulnerable to known exploits. Also somewhat controllable are the weak or reused credentials on exposed services such as RDP and SSH that remain a major risk, with the lack of basic multifactor authorization (MFA) compounding that risk, explained the report. EDR Emergencies Even when it seems as if proper measures have been taken, MSPs and their customers must remain more diligent than ever on the edge. Say, for example, an endpoint detection and response (EDR) solution is in place, providing network administrators with some level of confidence. “As attackers increasingly targeted edge devices to breach networks, their post-compromise activities often revealed a focus on disabling or evading detection tools such as EDR solutions,” warned the MSP Threat Report. In 2024, the ConnectWise research unit observed a surge in the use of sophisticated EDR evasion techniques and purpose-built “EDR-killer” tools designed to undermine endpoint defenses. “These tools were pivotal in enabling attackers to maintain persistence, escalate privileges and move laterally undetected,” said the researchers. The focus on EDR evasion stems from an increasing reliance of organizations on these tools for protection, said Connect Wise researchers. Threat actors have recognized that neutralizing EDR systems not only facilitates initial access but also ensures the persistence and stealth necessary for long-term campaigns. Early EDR tools, ConnectWise researchers explained, lacked the more robust defenses and anti-tampering mechanisms we often see today, allowing adversaries to primarily rely on a few straightforward techniques to evade these early EDR agents. But as EDR vendors recognized these weaknesses and began hardening their solutions with kernel-level monitoring, improved behavioral analysis and stricter anti-tamper controls, threat actors pivoted to leveraging “bring your own vulnerable driver” (BYOVD) and other kernel exploits that allowed them to neutralize EDR at a deeper level. A particularly alarming trend, noted the research report, is the growing prevalence of tools and techniques specifically designed to disable or manipulate EDR solutions. These EDR killers aim to neutralize defensive mechanisms before executing their payloads, with methods ranging from tampering with EDR configurations to exploiting vulnerabilities within the solutions themselves. One emerging tactic involves exploiting kernel-level vulnerabilities, said ConnectWise researchers. Because EDR solutions often operate at the kernel level to gain deep visibility into endpoint activities, any vulnerabilities in this layer present significant risks. “Once compromised, attackers can effectively blind the EDR system, ensuring that their activities go undetected,” said the MSP Threat Report. “Additionally, many EDR killers employ reflective loading to inject malicious code into processes without creating new files or altering existing ones, making their activities even more challenging to detect.” Of course, in the never-ending game of cat-and-mouse, EDR vendors continually enhance their products to counteract the latest evasion techniques. But it’s also always crucial for MSPs to ensure timely patching of edge appliance operating systems, ConnectWise researchers warned. “The threats outlined above emphasize the critical importance of proactive patch management and robust security monitoring in MSP environments,” they continued. “As threat actors continue to develop more sophisticated techniques and target high-impact platforms and devices, MSPs must be diligent and comprehensive in their defense strategies to mitigate risks effectively.” o Attacks against edge device vulnerabilities over time Source: ConnectWise 1/15/24 2/15/24 3/15/24 4/15/24 5/15/24 6/15/24 7/15/24 8/15/24 9/15/24 10/15/24 11/15/24 12/15/24 8000 7000 6000 5000 4000 3000 2000 1000 0 Alerts Fired Timestamp Per Week 30 CHANNELVISION | MARCH - APRIL 2025
RkJQdWJsaXNoZXIy NTg4Njc=