IT Brief Asia - Technology news for CIOs & IT decision-makers
Story image

Cybercriminals increasingly exploit trusted apps, says report

Today

The Sophos X-Ops Active Adversary Report for the first half of 2024 reveals a significant increase in cybercriminals exploiting trusted Microsoft applications on Windows networks.

The report highlights a 51% surge in the abuse of trusted applications such as the remote desktop protocol (RDP), a practice termed as abusing living off the land binaries (LOLBins), compared to the previous year, and 83% since 2021.

John Shier, Field CTO at Sophos, stated, "Living-off-the-land not only offers stealth to an attacker's activities but also provides a tacit endorsement of their activities. While abusing some legitimate tools might raise a few defenders' eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect."

Shier continued, "Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it's up to system administrators to understand how they are used in their environments and what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today's stretched IT teams risk missing key threat activity that often leads to ransomware."

The analysis of nearly 200 incident response cases found that RDP abuse was present in 89% of these incidents, maintaining a trend identified in the 2023 report.

The report also noted that the root cause of attacks remains compromised credentials, responsible for 39% of cases, although this is a decline from 56% noted in 2023. Network breaches were the most common incidents dealt with by the Sophos Managed Detection and Response (MDR) team.

For the Sophos Incident Response (IR) team, the dwell time, which is the duration from the start of an attack to its detection, remained approximately eight days. With MDR involvement, this median dwell time was reduced to one day for all incident types and three days for ransomware attacks.

Another critical finding was related to the vulnerability of Active Directory servers. Attackers most frequently targeted versions 2019, 2016, and 2012, all of which are now out of mainstream Microsoft support and one stage away from end-of-life status, making them challenging to patch without paid support. Notably, 21% of the AD server versions compromised were already end-of-life.

The report also pointed out the impact of governmental actions on ransomware groups. Despite the disruption of LockBit's main leak website and infrastructure in February 2024, LockBit remained the most frequently encountered ransomware group, responsible for approximately 21% of infections in the first half of 2024.

These findings underscore the growing challenges in cybersecurity, notably the increasing sophistication and stealth tactics employed by adversaries exploiting trusted applications within networks to carry out their attacks.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X