Sunday, January 5, 2025

Sophos’ Active Adversary Report 2022: An In-Depth Look at the Cybersecurity Landscape

The past year, 2024, has been marked by turmoil on multiple fronts, with no shortage of significant events and challenges.

For our 2024 Active Adversary Report, we focus on patterns and developments that emerged during the first half of the year (1H24). As the year drew to a close, the front line of defense for small- and medium-sized enterprises showed no sign of letup, with relentless battles between adversaries and those working to protect these organizations. Amid this unyielding struggle, however, there were flashes of extraordinary resilience that stood out from the norm.

  • Abuse of built-in Microsoft tools (LOLBins) has increased – attackers are getting creative.
  • Rampant RDP abuse continues, with a new twist.
  • As the digital landscape evolves, so do the forces that seek to exploit it. In ransomware, two distinct patterns have emerged: the Banyans and the Poplars.

    While both follow the same goal – extorting victims over valuable data – the shape of the landscape differs significantly between a year dominated by a single family and a year spread across many.

The data presented in this report is based on incidents handled during the first half of 2024 by both our external-facing Incident Response (IR) team and our dedicated MDR client-response team, highlighting notable cases encountered within our managed detection and response ecosystem. Where applicable, we examine findings from the 190 cases selected for this report alongside insights from earlier Sophos X-Ops investigations, dating back to the inception of our Incident Response service in 2020.

The majority (80%) of the dataset originated from organizations with fewer than 1,000 employees. This share is down from the 88% in our last report, mainly because MDR cases are now included in the combined dataset. Approximately four out of every ten organizations seeking assistance have fewer than 250 employees.

As has been customary since we began issuing these reports in 2021, manufacturing remains the sector most likely to request Sophos X-Ops response services; however, its share of total customers has declined significantly, from 25% in 2023 to 14% during the first half of 2024. The rest of the top five sectors are Construction (10%), Education (8%), Information Technology (8%), and Healthcare (7%). The full dataset spans 29 distinct business sectors. The methodology behind the selection of cases featured in this report is detailed in the Appendix, along with supplementary notes that provide further context.

The report expands on its key findings, as outlined in the key takeaways above, while also providing updates on points first addressed in earlier iterations of this report. A comprehensive evaluation of the entire 2024 dataset is planned for a future iteration of the report in early 2025.

Living-off-the-land binaries (LOLbins) are legitimate, pre-existing software components that attackers leverage, often exploiting their intended functionality for malicious purposes. We distinguish these from “artifacts,” the malicious third-party packages that attackers introduce to a system themselves, such as mimikatz, Cobalt Strike, or AnyDesk. Unsigned artifacts are comparatively easy to detect; LOLbins, however, are signed Microsoft binaries, which makes them harder to identify when used in seemingly innocuous contexts unlikely to attract a system administrator’s attention.

Over the past year, we’ve observed a moderate increase in the use and variety of artifacts, which we examine further in this report. By contrast, the surge in LOLbins is truly arresting.

This report focuses primarily on binaries within the Microsoft Windows operating system, although we also identify abuse in other OSes. During the first half of 2024, we detected 187 unique Microsoft LOLbins across our 190 cases – 64 of them occurring only once in our dataset. Compared to the LOLbin count for 2023, this is a significant surge of 51%. As Figure 1 shows, LOLbin counts have trended upward since 2021.

Three years ago, our 2021 statistics showed a notable disparity between artifacts and LOLbins in our dataset, with artifacts occurring more than twice as frequently. The ratio is now closer to five to four, as Figure 2 shows.

Which LOLbins are attackers using? Remote Desktop Protocol (RDP), which recurs throughout our discussion, remains the standard method of connecting to remote servers and accessing resources. We found 29 distinct LOLbins used in at least 10% of cases, detailed in Figure 3. Compared to last year’s distribution, this is a substantial change: only 15 of the 124 unique LOLbins seen in 2023 appeared in more than 10% of cases.

Most of the names in the list will be no surprise to regular readers of the Active Adversary Report – RDP, cmd.exe, PowerShell, and net.exe remain tried and true. Several familiar LOLbins have nonetheless seen increased adoption, as illustrated in Figure 4, which shows the binaries whose usage exceeded 10% of cases in the first half of 2024. Sixteen of those binaries are used for discovery and enumeration.

What’s a defender to do? This variety in tooling suggests that merely monitoring your network for unwanted tools is insufficient.

LOLbins are integral components of the operating system, ranging from RDP to one-off executables such as fondue.exe and time.exe. It’s more crucial now than ever to know the people in your organization and what they need. When Alice and Bob in IT troubleshoot with PowerShell, that is probably fine. What is Mallory in PR doing with PowerShell?

Effective logging and network monitoring, informed by data-driven insights, are crucial. As we assessed the growth, we wondered whether the uptick was simply a consequence of integrating our MDR team’s data. After normalizing the data, it became evident that MDR cases differed significantly from IR cases in both initial access and impact. (More on these in a minute.)
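One way to turn the “Alice and Bob may, Mallory may not” idea into detection logic, as an added example that is not code from the Sophos report: a per-tool baseline of expected users, a rule for LOLbins spawned by Office applications, and a rarity rule for tools with no baseline yet. The event fields, the baseline, the watched-binary set and the sample telemetry are all constructed for illustration; in practice the events would come from Windows 4688 or Sysmon process-creation logs.

```python
"""Baseline-driven alerting on LOLbin use over constructed process-creation events.

Added illustration, not code from the Sophos report. The event fields, the
user baseline and the watched-binary set are assumptions to be replaced with
your own telemetry (e.g. Windows 4688 / Sysmon Event ID 1).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Binaries named on the page (RDP client, cmd, PowerShell, net, fondue) plus a
# few other Microsoft-signed tools commonly abused for discovery; tune to taste.
WATCHED_LOLBINS: Set[str] = {
    "mstsc.exe", "cmd.exe", "powershell.exe", "net.exe", "fondue.exe",
    "whoami.exe", "nltest.exe", "rundll32.exe", "certutil.exe",
}

# Constructed baseline: who is expected to run which tool. Tools absent from
# this map have no baseline yet and are judged on rarity instead.
EXPECTED_USERS: Dict[str, Set[str]] = {
    "cmd.exe": {"alice", "bob"},
    "powershell.exe": {"alice", "bob"},
    "net.exe": {"alice", "bob"},
    "mstsc.exe": {"alice", "bob"},
}

# A LOLbin launched by an Office application is a classic phishing chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    user: str
    image: str    # executable basename, lower-case
    parent: str   # parent executable basename, lower-case
    cmdline: str


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: ProcessEvent


# Constructed sample telemetry for one morning.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("2024-03-04T09:01:10Z", "alice", "powershell.exe", "explorer.exe",
                 "powershell.exe Get-Service Spooler"),
    ProcessEvent("2024-03-04T09:02:30Z", "bob", "net.exe", "cmd.exe", "net user"),
    ProcessEvent("2024-03-04T09:15:00Z", "mallory", "powershell.exe", "explorer.exe",
                 "powershell.exe -c Get-Process"),
    ProcessEvent("2024-03-04T09:16:45Z", "mallory", "powershell.exe", "winword.exe",
                 "powershell.exe -w hidden -enc <constructed>"),
    ProcessEvent("2024-03-04T10:00:00Z", "carol", "fondue.exe", "cmd.exe",
                 "fondue.exe /enable-feature:TelnetClient"),
    ProcessEvent("2024-03-04T10:05:00Z", "alice", "excel.exe", "explorer.exe",
                 "excel.exe budget.xlsx"),
    ProcessEvent("2024-03-04T10:07:00Z", "bob", "whoami.exe", "cmd.exe", "whoami /all"),
]


def alerts_for(events: Iterable[ProcessEvent],
               expected: Dict[str, Set[str]] = EXPECTED_USERS,
               watched: Set[str] = WATCHED_LOLBINS) -> List[Alert]:
    """Apply three rules to a window of events and return the alerts raised."""
    events = list(events)
    seen = Counter(e.image for e in events if e.image in watched)
    alerts: List[Alert] = []
    for e in events:
        if e.image not in watched:
            continue
        baseline: Optional[Set[str]] = expected.get(e.image)
        # Rule 1: a baselined tool run by someone outside its baseline.
        if baseline is not None and e.user not in baseline:
            alerts.append(Alert("medium", f"{e.image} run by {e.user}, not in its baseline", e))
        # Rule 2: any watched LOLbin spawned by an Office application.
        if e.parent in OFFICE_PARENTS:
            alerts.append(Alert("high", f"{e.image} spawned by Office process {e.parent}", e))
        # Rule 3: a tool with no baseline that appears only once in the window
        # (the report notes 64 of 187 LOLbins were seen just once).
        if baseline is None and seen[e.image] == 1:
            alerts.append(Alert("low", f"{e.image} has no baseline and was seen only once", e))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts by severity."""
    return dict(Counter(a.severity for a in alerts))


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.event.timestamp} {a.event.user}: {a.reason}")
    print(summarize(alerts_for(SAMPLE_EVENTS)))
```

On the constructed sample, Alice and Bob’s routine use raises nothing, Mallory’s PowerShell raises a medium alert and, once it is launched from Word, a high one, and the two baseline-less tools seen only once (fondue.exe, whoami.exe) surface as low-priority leads. The baseline is the part that needs ongoing care: it encodes who in your organization legitimately needs each tool.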

To learn more about LOLbins, including the functions of individual binaries and where they (usually) fit into the MITRE ATT&CK framework, we recommend visiting the collaborative project on GitHub.

RDP is the broken record of the Active Adversary Report. According to the statistics, Remote Desktop Protocol (RDP) has consistently been a source of concern, with an astonishingly high incidence rate: nearly 89% of cases observed in the first half of 2024 showed signs of RDP abuse.

Looking closely at the RDP cases, there is little variation in whether attackers used RDP internally or externally. The data has remained consistent over time, as Figure 5 shows.
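The internal-versus-external split described above is something defenders can measure from their own logon telemetry. The following is an added example, not code from the Sophos report: it classifies RDP logons (Windows Security event 4624 with logon type 10, RemoteInteractive) by source address and flags accounts that have connected to several hosts over RDP, a pattern worth a second look. The events and the internal address ranges (RFC 1918 here) are constructed assumptions to be replaced by your own.

```python
"""Classify RDP logons as internal or external and flag hosts-per-account fan-out.

Added example, not from the Sophos report. Events are constructed in the shape
of Windows Security 4624 (logon type 10 = RemoteInteractive, i.e. RDP); the
internal ranges are assumed to be RFC 1918 and would be replaced by your own.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

RDP_LOGON_TYPE = 10  # RemoteInteractive; type 7 (unlock/reconnect) is ignored here

INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed 4624-style events (public source IPs drawn from documentation ranges).
SAMPLE_4624: List[Dict] = [
    {"ts": "2024-02-12T08:03:11Z", "host": "FS01", "user": "alice", "logon_type": 10, "src": "10.1.2.15"},
    {"ts": "2024-02-12T08:04:02Z", "host": "FS01", "user": "alice", "logon_type": 2, "src": "-"},
    {"ts": "2024-02-12T23:41:50Z", "host": "DC01", "user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"},
    {"ts": "2024-02-12T23:45:09Z", "host": "FS01", "user": "svc_backup", "logon_type": 10, "src": "10.1.2.40"},
    {"ts": "2024-02-12T23:47:33Z", "host": "APP02", "user": "svc_backup", "logon_type": 10, "src": "10.1.2.40"},
    {"ts": "2024-02-12T23:52:18Z", "host": "APP03", "user": "svc_backup", "logon_type": 10, "src": "10.1.2.40"},
    {"ts": "2024-02-13T02:10:00Z", "host": "WS-PR-07", "user": "mallory", "logon_type": 10, "src": "198.51.100.9"},
]


def classify_source(src: str) -> str:
    """Return 'internal', 'external', 'local' or 'unknown' for a source address."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"  # 4624 logs '-' when no network address applies
    if ip.is_loopback:
        return "local"
    return "internal" if any(ip in net for net in INTERNAL_NETWORKS) else "external"


def rdp_sessions(events: Iterable[Dict]) -> List[Dict]:
    """Keep only RemoteInteractive (RDP) logons."""
    return [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]


def rdp_report(events: Iterable[Dict], lateral_threshold: int = 3) -> Dict:
    """Summarize RDP use: internal/external counts, external logons, and accounts
    that reached at least `lateral_threshold` distinct hosts from inside the network."""
    sessions = rdp_sessions(list(events))
    origin = Counter(classify_source(e["src"]) for e in sessions)
    hosts_by_user = defaultdict(set)
    external = set()
    for e in sessions:
        kind = classify_source(e["src"])
        if kind == "internal":
            hosts_by_user[e["user"]].add(e["host"])
        elif kind == "external":
            external.add((e["user"], e["src"]))
    return {
        "internal": origin["internal"],
        "external": origin["external"],
        "external_logons": sorted(external),
        "lateral_movement": sorted(u for u, h in hosts_by_user.items() if len(h) >= lateral_threshold),
    }


if __name__ == "__main__":
    print(rdp_report(SAMPLE_4624))
```

In the constructed data the service account appears both as an external RDP logon and as the one account fanning out to three internal hosts within minutes, which is exactly the combination of external and internal RDP abuse the report counts. Any RDP logon from a public address is a finding in its own right if the organization’s policy is that RDP is never exposed externally.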

The report’s time frame notwithstanding, the monotony of RDP abuse statistics was only marginally disrupted in September by Microsoft’s announcement that it is developing a multi-platform “Windows App” to provide remote access to Windows 10 and 11 machines from “work or school accounts,” with RDP functionality promised later. Despite claims of bolstered security and multi-factor authentication features, many analysts quickly dismissed Windows App as little more than a rebranded Remote Desktop. Whether RDP abuse actually decreases is something only time, and our next Active Adversary Report, will tell.

While examining ransomware trends, we noticed something striking: the correlation between high-profile ransomware takedowns and reduced occurrences on our charts is not always as strong as expected.

Some years are dominated by a single ransomware variant that casts a long shadow, much like a sprawling banyan tree, while others show a more even distribution across multiple families, reminiscent of a stand of tall poplars. The distinction typically aligns with law-enforcement takedowns of prominent ransomware groups. The first half of 2024, however, did not follow this pattern. LockBit was the primary ransomware threat in 2023 before being targeted by a major law-enforcement operation in late February 2024. Throughout the first six months of the year, LockBit nonetheless remained the most prevalent ransomware observed by the incident response team.

While a successful takedown may momentarily disrupt a specific ransomware group, it does not significantly change the broader landscape; actors are displaced rather than eradicated along with their infrastructure and methods. As the leading groups are taken out, the field of competitors becomes more crowded. Conti, after a relatively minor presence in 2020 (only 6% of reported infections), rose to prominence when Ryuk (2020) and REvil (2021), two prominent strains, were struck by takedowns targeting the gangs themselves or, in Ryuk’s case, the Trickbot distribution system on which it relied. After Conti, possibly Ryuk’s successor, gained traction in 2021 and maintained a significant presence for approximately 12 months, its prevalence gradually declined, falling below single digits by the end of 2022. LockBit’s proprietor attempted a resurgence in mid-2024 by revamping its infrastructure and relaunching its blog to revive its online presence. A version of LockBit’s ransomware builder had been publicly released by a disgruntled affiliate in September 2022, potentially amplifying its prevalence.

What’s next? It’s plausible that the pattern will resolve itself by the end of the year, transforming from a “banyan” to a “poplar” as forecast. Following the LockBit takedown, Sophos’ MDR and IR teams, along with survey respondents and industry observers, noticed a significant decline in LockBit-related infections within a few months. Echoes still lingered in May, as is often observed after a law-enforcement crackdown, but ultimately such echoes dissipate.

The name of the prevailing ransomware may change, but even when system administrators are hesitant to pinpoint a specific strain, the group behind it is likely already on their radar. Defenders can begin by compiling detailed records on each of the identified groups. While some may trivialize the consequences others have faced, the music is far from over.

Ransomware cases declined in the first half of the year. For Incident Response (IR), 61.54% of cases involved ransomware, down from the 70.13% reported for the previous year. Network breaches, meanwhile, grew sharply, a 115.5% increase in the first half of 2024 compared to the same period in 2023, with their share rising to 34.62% from 18.83%. Examining all available data leads us to believe that the decline in ransomware, while real, may look less significant once the full year’s statistics are reviewed.

Meanwhile, MDR predominantly handled network breaches during 1H24, with only 25.36% of cases attributed to ransomware. MDR’s early-detection capabilities mean ransomware infections are identified much earlier than IR teams typically see them, often before encryption or deployment, precluding the need for a response of the kind described in an Active Adversary Report. (Sadly, “attack detected” for IR teams typically means that a customer has found a ransom note and all their systems have been rendered inoperable.) By the end of June, LockBit’s prevalence was already declining for MDR teams, at 17.14% of ransomware attributions, with Akira and BlackSuit close behind at 11.43% each. (And both Akira and BlackSuit are direct descendants of the Conti lineage. Same music, next verse.)

The third and fourteenth ATT&CK tactics consistently pique readers’ interest, as we documented in an earlier report detailing the differences our IR and MDR data revealed. We concentrate our MITRE-related analysis on those two: Initial Access and Impact.

The first half of 2024 mirrored patterns seen in previous years. Consistent with the RDP statistics, External Remote Services held its stronghold as the top initial-access technique, accounting for 63.16% of cases, a slight decrease from 2023’s 64.94%. Valid Accounts accounted for 59.47% of cases, down from 61.04%. Exploit Public-Facing Application rose to 30%, up from 16.88%, rounding out the top three. As cases may combine several initial-access techniques, the percentages do not sum to 100.

The situation is particularly interesting for Impact, the final column of the MITRE matrix. After years of dominance in the Impact tactic, Data Encrypted for Impact – the hallmark of ransomware attacks – falls to second place at 31.58% of cases, narrowly ahead of Data Manipulation at 30%, while No Impact claims the top spot with 38.95%.

We’ve written previously about “No Impact” meaning something a bit different in the context of ATT&CK. The most recent version of ATT&CK lists fourteen techniques it recognizes as Impact. These techniques are evolving to keep pace with the present realities of ransomware payouts and lost productivity, and we’ve refined our evaluation of earlier case data to reflect these enhancements (thus retroactively reducing the number of cases for which the impact finding is No). But it might be too much to ask that the ATT&CK category include intangibles such as reputational loss or . Incident responders are all too aware that no one wants to need their services; though “no” impact sounds refreshing, and though many of the MDR-handled cases were indeed caught in time to block would-be attackers from achieving their goals, “No Impact” doesn’t mean there was no impact – it means that whatever happened is beyond ATT&CK’s vocabulary to describe.

In keeping with this report’s concise format, we address a few outstanding items from earlier reports that warrant brief mention before our comprehensive full-year 2024 report.

As we’ve consistently observed, dwell-time metrics have continued to decline. In the 1H24 metrics, the downward trend appears to have plateaued and, in certain cases, is starting to reverse for cases handled by our Incident Response team. For ransomware attacks, the median dwell time remains at a concerning 5.5 days; across all types of incidents, the median dwell time is approximately eight days. Although earlier years’ MDR cases were not available for the reporting team to assess, the 1H24 MDR data shows just how crucial real-time monitoring is – median dwell times of just three days for ransomware and one day for all types of incidents. Since the vast majority of MDR cases don’t require incident response, the value of vigilant monitoring largely goes unseen.

We examined the time it takes attackers to take control of an organization’s Active Directory (AD) – the point at which it can be said with moderate certainty that the environment is compromised – as well as the lag between initial AD takeover and detection of the attack. MDR’s data deviates significantly from IR’s figures in one key regard. The median time to reach Active Directory in the first half of 2024 increased by nearly two hours compared to the previous year (15.35 hours in 2023 versus 17.21 hours in 1H24). A notable decrease in the time between AD takeover and attack detection – 29.12 hours in 1H24, down from 48.43 hours in 2023 – warrants further investigation in the subsequent report, pending a more substantial accumulation of data that confirms the improvement.

Our analysis reveals that the majority of observed Active Directory compromises involved three server versions: Windows Server 2019 (43% of cases), followed by Windows Server 2016 (26%) and Windows Server 2012 (18%). Together, these three versions accounted for 87% of all compromised Active Directory servers. Organizations still running end-of-life server versions should consider replacing them with supported ones. As of this month, for those who closely follow our Patch Tuesday coverage, we are adding detail on which server versions are affected by each monthly patch.

Compromised credentials have been a primary root cause of attacks in recent years. In 2023, 56% of all cases were traced to compromised credentials, highlighting the persistent threat posed by weak or stolen login information. By mid-2024, their preeminence had been reasserted with considerable force. Compromised credentials remained the leading root cause for IR cases in 2024, as depicted in Figure 7, while exploited vulnerabilities topped the root-cause leaderboard for MDR customers, with a difference of less than 1%.

Findings from the first half of 2024 reveal a rise in third-party artifacts alongside LOLbins, further underscoring the complexity and evolving nature of modern threats. The rise in artifacts, while less prominent than the surge in LOLbins, still warrants careful examination of several factors.

The latest statistics reveal a marginal increase in the numbers. We identified 230 distinct artifacts on targeted systems during the first half of 2024, a 12% increase over the 205 artifacts discovered throughout the entirety of 2023. By comparison, 2022 saw a total of 204 artifacts and 2021 saw 207.

The names of the most commonly found artifacts remain relatively consistent year to year, as illustrated in Figure 8. Cobalt Strike’s decline in usage, which began in 2023, persists, with only a 13.68% occurrence rate during the first half of this year. In its early years, Cobalt Strike appeared in nearly 50% of all cases, making it the leading artifact discovered to date. (Higher defender detection rates for Cobalt Strike may account for this decline.) In Q1 2024, 127 artifacts were seen only once, compared with the 102 single-occurrence findings reported in 2023.

A defender might be overwhelmed by the prospect of watching for every potential artifact, given that most artifacts have limited longevity and new ones appear unpredictably. But as the table above shows, while the supporting cast of the artifact galaxy shifts, its “stars” remain steady. In the table, a handful of artifacts have appeared in more than 10% of cases across a four-year period. Keeping a watchful eye on these packages is both feasible and beneficial. Applying a default-block policy to them requires little upfront effort and pays off over the long term, helping you stay ahead as attackers continually refine and expand their toolkits.
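One way to express the default-block policy recommended above, as an added example that is not code from the Sophos report: known artifact names (the page cites mimikatz, Cobalt Strike and AnyDesk) and known-bad hashes are blocked first, executables are allowed only when both signed by a trusted publisher and located in an approved directory, and everything else is denied. The trusted publisher “Contoso Ltd”, the sample file events, and the block-list hash (computed from a placeholder byte string rather than taken from any real sample) are constructed assumptions.

```python
"""Default-block policy for known attacker artifacts, evaluated on constructed
file-execution events.

Added example, not code from the Sophos report. The block lists, trusted
publishers and approved paths are assumptions; the hash is a computed
placeholder standing in for a value from your own threat-intel feed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Artifact names cited on the page. Cobalt Strike payloads carry no fixed
# file name, so they are matched by hash instead.
BLOCKED_NAMES = {"mimikatz.exe", "anydesk.exe"}
# Constructed placeholder hash (NOT a real indicator).
BLOCKED_HASHES = {sha256_hex(b"constructed placeholder for a Cobalt Strike beacon")}
# "Contoso Ltd" is a made-up in-house publisher for the example.
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation", "Contoso Ltd"}
APPROVED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class FileEvent:
    path: str
    signer: Optional[str]   # verified Authenticode publisher, or None if unsigned
    content: bytes          # constructed stand-in for the file bytes


# Constructed sample events.
SAMPLE_FILES: List[FileEvent] = [
    FileEvent("C:\\Users\\mallory\\AppData\\Local\\Temp\\AnyDesk.exe", None, b"sample-1"),
    FileEvent("C:\\Users\\mallory\\Downloads\\svc.exe", None,
              b"constructed placeholder for a Cobalt Strike beacon"),
    FileEvent("C:\\Windows\\System32\\notepad.exe", "Microsoft Windows", b"sample-3"),
    FileEvent("C:\\Program Files\\Contoso\\updater.exe", "Contoso Ltd", b"sample-4"),
    FileEvent("C:\\Program Files\\Contoso\\helper.exe", None, b"sample-5"),
    FileEvent("C:\\Users\\bob\\Desktop\\tool.exe", "Microsoft Windows", b"sample-6"),
]


def evaluate(ev: FileEvent) -> Tuple[str, str]:
    """Return (decision, reason). Block lists win over trust; trust requires both
    a trusted signer and an approved location; everything else is denied."""
    path = ev.path.lower()
    name = path.rsplit("\\", 1)[-1]
    if sha256_hex(ev.content) in BLOCKED_HASHES:
        return ("block", "hash is on the artifact block list")
    if name in BLOCKED_NAMES:
        return ("block", f"{name} is on the artifact block list")
    if ev.signer in TRUSTED_PUBLISHERS and path.startswith(APPROVED_DIRS):
        return ("allow", f"signed by {ev.signer} in an approved directory")
    return ("block", "default deny: unsigned, untrusted signer, or unapproved location")


def decisions(events: List[FileEvent]) -> List[str]:
    """Decision for each event, in order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_FILES:
        decision, reason = evaluate(e)
        print(f"{decision:5} {e.path}  ({reason})")
```

The last sample is the instructive one: a Microsoft-signed binary copied to a user’s desktop is still denied, because the policy treats signature and location as a pair rather than trusting either alone. Rename-and-relocate is cheap for an attacker; the hash rule and the location rule are what keep the block list meaningful.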

It has been a privilege for the AAR analysis and writing team to watch the statistics evolve as we incorporated the vast dataset from Sophos X-Ops’ MDR group alongside the comprehensive, years-long database from our Incident Response colleagues. The investigation yielded fascinating insights, revealing the surprising rise of LOLbins, and patterns such as RDP abuse that remain stubbornly resistant to best practices like vigilant monitoring.

While we remain fascinated by the multifaceted examples that revolve around core principles – including the three enshrined in the Sophos “haiku” –

We anticipate that this concise review of the latest Active Adversary Report will help practitioners refocus on fundamental best practices, ultimately contributing to enhanced safety and security for all.

We would like to express our gratitude to Chester Wisniewski, Anthony Bradshaw, and Matt Wixey for their valuable contributions to the AAR process.

We focused on 190 cases that could be meaningfully analyzed to provide insight into the state of the adversarial landscape as of the first half of 2024. Protecting the confidential relationship between Sophos and its customers is our top priority, and all parties remain anonymous. To achieve this, we vetted the data at multiple stages to ensure that no individual customer can be identified through this information and that no single customer’s data unfairly skews the overall picture. In cases where specifics were unclear, we omitted the corresponding customer’s data from the dataset.

One lengthy, complex matter that kept our MDR team fully engaged for an extended period deserves mention. The case, which involved nation-state activity in various locations, has been extensively covered elsewhere as “.” While intriguing and, in some respects, a harbinger of certain attack tactics seen subsequently, it is in numerous ways an outlier compared to the vast majority of the Active Adversary dataset, prompting our decision to exclude its numbers from the report.

The 1H24 data examined for this report represents the following 48 nations and other geographic locations:

Angola, Argentina, Australia, Austria, Bahamas, Bahrain, Belgium, Botswana, Brazil, Canada, Chile, Colombia, Egypt, Finland, France, Germany, Honduras, Hong Kong, India, Israel, Italy, Japan, Kenya, Kuwait, Malaysia, Mexico, Netherlands, New Zealand, Nigeria, Panama, Papua New Guinea, Philippines, Poland, Qatar, Romania, Saudi Arabia, Singapore, Slovenia, Somalia, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, United Arab Emirates, United Kingdom, United States of America


The following 29 industries are represented in the 1H24 data examined for this report:

Advertising, Agriculture, Architecture, Communication, Construction, Education, Electronics, Energy, Engineering, Entertainment, Financial, Food, Government, Healthcare, Hospitality, Information Technology, Legal, Logistics, Manufacturing, Mining, MSP/Hosting, Non-profit, Pharmaceutical, Real estate, Retail, Services, Transportation, Utilities, Wholesale


The incident response and managed detection and response teams from Sophos’ X-Ops group conducted individualized investigations to gather the data presented in this report.

This second report of 2024 consolidates case data from all investigations conducted by both teams within the first six months of the year, standardized across 63 fields. Each case was analyzed to ensure that the available data was applicable and suitable for consolidated reporting within the scope defined by the report’s purpose. We worked to harmonize the data between our managed detection and response (MDR) and incident response (IR) processes.

Where data was ambiguous or lacking, the authors worked closely with the individuals who handled the IR and MDR cases to resolve open questions. Cases too unclear to serve the report’s objectives were set aside, as were those whose inclusion could have jeopardized Sophos’ relationship with its customers through potential harm or negative publicity. Examining the remaining cases’ timelines gave us further insight into crucial factors such as initial access, dwell time, and exfiltration, enhancing our understanding of these critical events. 190 cases remained, forming the basis of our findings.
