SECURITY NEWS
Abuse of trusted Microsoft applications grows by 51% YoY, finds Sophos
Sophos, a global provider of cybersecurity as a service, has released The Bite from Inside: The Sophos Active Adversary Report, an in-depth look at the changing behaviours and attack techniques adversaries used in the first half of 2024.
The data, derived from nearly 200 incident response cases handled by the Sophos X-Ops IR team and the Sophos X-Ops Managed Detection and Response (MDR) team, shows that attackers are leveraging trusted applications and tools built into Windows, commonly called living-off-the-land binaries (LOLbins), to conduct discovery on systems and maintain persistence.
Compared with 2023, Sophos saw a 51% increase in the abuse of LOLbins; since 2021, it has increased by 83%.
Among the 187 unique Microsoft LOLbins detected in the first half of the year, the most frequently abused trusted application was Remote Desktop Protocol (RDP). Of the 200 IR cases analysed, attackers abused RDP in 89% of them. This continues a trend first observed in the 2023 Active Adversary Report, in which RDP abuse was present in 90% of all IR cases investigated.
“Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it is up to system administrators to understand how they are used in their environments and what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today’s stretched IT teams risk missing key threat activity that often leads to ransomware,” says John Shier, Field CTO, Sophos.
In addition, the report found that, despite the government disruption of LockBit’s main leak website and infrastructure in February, LockBit was the most frequently encountered ransomware group, accounting for approximately 21% of infections in the first half of 2024.
Other key findings from the latest Active Adversary Report:
Root cause of attacks
Continuing a trend first noted in the Active Adversary Report for Technology Leaders, compromised credentials remain the number one root cause of attacks, accounting for 39% of cases. This is, however, a decline from the 56% noted in 2023.
“Among the 187 unique Microsoft LOLbins, the most frequently abused trusted application was remote desktop protocol.”
John Shier, Field CTO, Sophos
Network breaches dominate for MDR
When examining only the cases from the Sophos MDR team, network breaches were the dominant incident type the team encountered.
Dwell times are shorter for MDR teams
For cases from the Sophos IR team, dwell time, the time from when an attack starts to when it is detected, has remained approximately eight days. With MDR, however, the median dwell time is just one day for all types of incidents and only three days for ransomware attacks.
Frequently compromised Active Directory Servers
Attackers most frequently compromised the 2019, 2016 and 2012 server versions of Active Directory (AD). All three versions are now out of mainstream Microsoft support, one step before they become end-of-life (EOL) and impossible to patch without paid support from Microsoft. In addition, a full 21% of the AD server versions compromised were already EOL.
INTELLIGENT TECH CHANNELS 13