Cybersecurity-as-a-service vendor Sophos has released The Bite from Inside: The Sophos Active Adversary Report. The research provides an in-depth look at changing attacker behaviors and techniques in H1 2024. The data was derived from nearly 200 incident response cases handled by the Sophos X-Ops IR team and the Sophos X-Ops MDR team.
In general, it found that attackers are leveraging trusted applications and tools on Windows – a technique commonly known as “living off the land” binaries (LOLBins) – to conduct discovery on systems and maintain persistence. Compared to 2023, Sophos observed a 51 percent increase in this tactic, and an 83 percent increase over 2021.
Among the 187 unique Microsoft LOLBins detected in 1H24, the most frequently abused trusted application was RDP (89 percent).
“Living-off-the-land not only offers stealth to an attacker’s activities but also provides a tacit endorsement of their activities,” said Sophos field CTO, John Shier. “While abusing some legitimate tools might raise a few defenders’ eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it’s up to system administrators to understand how they are used in their environments and what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today’s stretched IT teams risk missing key threat activity that often leads to ransomware.”
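The contextual awareness Shier describes can be expressed as detection logic. The following is an added example, not code from the Sophos report or its tooling: it treats Windows Security event 4624 with LogonType 10 (a RemoteInteractive, i.e. RDP, logon) as a finding only when it falls outside a per-host baseline. The event records, the baseline and the restricted-host list are constructed for the example.

```python
import json

# Constructed sample records shaped like Windows Security event 4624/4625 fields.
# LogonType 10 = RemoteInteractive, i.e. an RDP session. Not real telemetry.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.1.5.20"}
{"EventID": 4624, "LogonType": 3, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "10.1.9.3"}
{"EventID": 4624, "LogonType": 10, "Computer": "DC01", "TargetUserName": "admin", "IpAddress": "10.1.5.77"}
{"EventID": 4624, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "198.51.100.12"}
{"EventID": 4625, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "198.51.100.12"}
"""

RDP_LOGON_TYPE = 10

# Constructed environment context: which source IPs normally RDP to each host
# (learned during a quiet period), and hosts where interactive RDP is never expected.
BASELINE = {"FS01": {"10.1.5.20"}, "JUMP01": {"10.1.5.20", "10.1.5.21"}}
RDP_RESTRICTED_HOSTS = {"DC01"}


def parse_events(raw: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_rdp_logons(events: list[dict], baseline: dict, restricted_hosts: set) -> list[dict]:
    """Return successful RDP logons that fall outside the environment's baseline.

    A plain RDP logon is not a finding by itself; it becomes one when it lands on a
    host where RDP is not expected, or comes from a source never seen for that host.
    """
    findings = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != RDP_LOGON_TYPE:
            continue  # only successful RemoteInteractive logons are considered
        host, src = e["Computer"], e["IpAddress"]
        if host in restricted_hosts:
            reason = "rdp_to_restricted_host"
        elif src not in baseline.get(host, set()):
            reason = "unbaselined_source"
        else:
            continue  # matches normal administrative activity for this host
        findings.append({"Computer": host, "TargetUserName": e["TargetUserName"],
                         "IpAddress": src, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_rdp_logons(parse_events(SAMPLE_EVENTS), BASELINE, RDP_RESTRICTED_HOSTS):
        print(f)
```

On the sample data the routine ignores the baselined RDP logon and the network logon, and reports the RDP session to the domain controller and the one from an unfamiliar source.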
The report also found that, despite the government disruption of LockBit’s main leak website and infrastructure in February, LockBit was the most frequently encountered ransomware group, accounting for about 21 percent of infections in 1H24.
Other findings included:
- Compromised credentials are the top cause of attacks, identified as the root cause in 39 percent of cases. This is, however, a decline from 56 percent in 2023.
- Network breaches were the dominant incident the team encountered.
- Dwell time (the time from the start of an attack to its detection) remains approximately eight days. With MDR, median dwell time is three days for ransomware and one day for other incident types.
Attackers most frequently compromised the 2019, 2016, and 2012 server versions of Active Directory (AD), all of which are no longer supported by Microsoft.