Sophos, a leading global innovator in delivering cybersecurity as a service, has released a comprehensive report titled “The Bite from Inside: The Sophos Active Adversary Report.” This report provides an in-depth analysis of the evolving behaviors and attack techniques employed by adversaries during the first half of 2024. The data, compiled from nearly 200 incident response (IR) cases from both the Sophos X-Ops IR team and the Sophos X-Ops Managed Detection and Response (MDR) team, reveals that attackers are increasingly exploiting trusted applications and tools on Windows systems, commonly referred to as “living off the land” binaries, to conduct system discovery and maintain persistence. Compared to 2023, Sophos observed a 51% increase in the abuse of “Living off the Land” binaries, or LOLbins; since 2021, this increase has been 83%. Among the 187 unique Microsoft LOLbins detected in the first half of the year, the most frequently abused trusted application was Remote Desktop Protocol (RDP). Notably, attackers abused RDP in 89% of the nearly 200 IR cases analyzed. This trend continues a pattern first observed in the 2023 Active Adversary report, where RDP abuse was prevalent in 90% of all IR cases investigated.
“The tactic of ‘living-off-the-land’ not only provides attackers with stealth but also lends a sense of legitimacy to their activities. While the abuse of certain legitimate tools might raise suspicions and trigger alerts, the exploitation of Microsoft binaries often has the opposite effect. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, making it crucial for system administrators to understand their usage within their environments and identify what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today’s stretched IT teams risk overlooking key threat activity that often leads to ransomware,” notes John Shier, field CTO, Sophos.
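As an added example (not code from the Sophos report or this article), the following Python triages RDP logons against a learned baseline, which is the kind of contextual awareness the quote above calls for: routine sessions stay quiet, while logons from an unseen source, to an unseen host, out of hours, or hopping between hosts in quick succession are surfaced. The event records, accounts, hosts and addresses are constructed for illustration.

```python
"""Baseline-aware triage of RDP logons over constructed Windows Security events."""
from collections import defaultdict
from datetime import datetime
# Constructed sample records reduced to the fields that matter.
# Event 4624 is a successful logon; LogonType 10 (RemoteInteractive) is RDP.
EVENTS = [
    {"ts": "2024-03-04T08:02:11", "id": 4624, "logon_type": 10, "user": "alice", "src": "10.0.5.21", "host": "FS01"},
    {"ts": "2024-03-04T08:40:05", "id": 4624, "logon_type": 10, "user": "alice", "src": "10.0.5.21", "host": "FS01"},
    {"ts": "2024-03-04T02:13:48", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "10.0.9.77", "host": "DC01"},
    {"ts": "2024-03-04T02:14:30", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "10.0.9.77", "host": "FS01"},
    {"ts": "2024-03-04T09:00:00", "id": 4624, "logon_type": 3,  "user": "bob", "src": "10.0.5.30", "host": "FS01"},
]
# Baseline learned from a prior clean window (constructed): which accounts use RDP,
# from where, to which hosts, and during which local hours.
BASELINE = {
    "alice": {"src": {"10.0.5.21"}, "hosts": {"FS01"}, "hours": range(7, 20)},
}

def rdp_logons(events):
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == 10]

def triage(events, baseline):
    """Return [(event, reasons)] for RDP logons that fall outside the baseline."""
    flagged = []
    for e in rdp_logons(events):
        prof = baseline.get(e["user"])
        reasons = []
        if prof is None:
            reasons.append("account has no RDP baseline")
        else:
            if e["src"] not in prof["src"]: reasons.append(f"unseen source {e['src']}")
            if e["host"] not in prof["hosts"]: reasons.append(f"unseen target {e['host']}")
            if datetime.fromisoformat(e["ts"]).hour not in prof["hours"]: reasons.append("outside working hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def lateral_movement_candidates(events, within_minutes=10):
    """Accounts whose consecutive RDP sessions reach different hosts within a short window."""
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    out = set()
    for user, sess in by_user.items():
        sess.sort()
        for (t1, h1), (t2, h2) in zip(sess, sess[1:]):
            if h1 != h2 and (t2 - t1).total_seconds() <= within_minutes * 60:
                out.add(user)
    return out
```

Feeding it the sample leaves alice's working-hours sessions unflagged and reports both svc_backup logons, which also trip the host-hopping check.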
In addition, the report found that despite the government’s disruption of LockBit’s main leak website and infrastructure in February, LockBit was the most frequently encountered ransomware group, accounting for approximately 21% of infections in the first half of 2024.
Key Findings from the Latest Active Adversary Report:
Root Cause of Attacks: Compromised credentials remain the leading root cause of attacks, accounting for 39% of cases, although this represents a decline from the 56% noted in 2023.
Network Breaches Dominate for MDR: When examining cases solely from the Sophos MDR team, network breaches were the most common incident encountered.
Dwell Times Are Shorter for MDR Teams: For cases from the Sophos IR team, the dwell time (the time from when an attack starts to when it’s detected) has remained approximately eight days. However, with MDR, the median dwell time is just one day for all types of incidents and only three days for ransomware attacks.
The Most Frequently Compromised Active Directory Servers Are Nearing End of Life: Attackers most frequently compromised the 2019, 2016, and 2012 server versions of Active Directory (AD). All three of these versions are now out of mainstream Microsoft support—one step before they become end-of-life (EOL) and impossible to patch without paid support from Microsoft. Furthermore, a full 21% of the AD server versions compromised were already EOL.