Sophos has released its latest Active Adversary Report, offering a detailed look at the shifting behaviors and techniques of attackers in the first half of 2024. The data analyzed stems from approximately 200 incident-response cases handled by the Sophos X-Ops Incident Response team and the Sophos X-Ops Managed Detection and Response team during the first six months of 2024.
The most important insight from the research: attackers increasingly make use of trusted applications and tools already present on Windows systems, so-called “Living Off the Land” binaries (LOLbins). By evading detection in this way, cybercriminals prolong their stay in a compromised IT infrastructure, giving them enough time to conduct reconnaissance and exploit vulnerabilities without being identified quickly. Compared to 2023, Sophos recorded a 51% increase in LOLbin abuse, and an even more pronounced 83% increase since 2021.
Among the 187 distinct Microsoft LOLbins abused in the first half of 2024, the Remote Desktop Protocol (RDP) emerges as the most frequently misused trusted application: across the 200 incident-response cases analyzed, attackers leveraged RDP in 89% of instances. This dominance continues a trend that was first observed. At that time, 90% of all investigated IR cases involved RDP abuse.
John Shier, Sophos’ Field CTO, warns that LOLbins not only conceal attackers’ activities but often inadvertently legitimize them, saying: “LOLbins offer not only the possibility to hide an attacker’s actions, but unfortunately also a tacit approval of those activities.” While the misuse of other legitimate tools increasingly sets off alarm bells for defenders, the misuse of a Microsoft binary often has the opposite effect, because it is an integral part of Windows and has legitimate use cases. To identify abuse quickly, system administrators must have a thorough understanding of how these binaries are normally used within their own environments. Without such nuanced, context-specific awareness of the IT environment, including continuous vigilance towards new and emerging events on the network, overstretched IT teams risk missing critical threat activity. A modern Managed Detection and Response service can alleviate this by bringing in external experts to support overburdened IT teams.
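As an added illustration of the context-specific baselining the report calls for (this is not code from the Sophos report), the following Python snippet checks successful RDP logons, recorded on Windows as Security Event ID 4624 with logon type 10 (RemoteInteractive), against a per-account baseline of expected source addresses, target hosts and working hours. The sample records, account names, addresses and hours are constructed assumptions.

```python
from datetime import datetime

# Constructed sample of Windows Security log records (Event ID 4624 = successful
# logon; LogonType 10 = RemoteInteractive, i.e. an RDP session). Hypothetical data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk01",
     "IpAddress": "10.0.5.20", "Computer": "FS01", "Time": "2024-03-04T09:12:00"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-", "Computer": "WS042", "Time": "2024-03-04T09:30:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.9.77", "Computer": "DC01", "Time": "2024-03-05T02:17:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk01",
     "IpAddress": "203.0.113.8", "Computer": "FS01", "Time": "2024-03-05T03:05:00"},
]

# Environment-specific baseline (assumed): which accounts are expected to open RDP
# sessions, from which source addresses, to which hosts, and during which hours.
RDP_BASELINE = {
    "helpdesk01": {"sources": {"10.0.5.20"}, "targets": {"FS01", "WS042"}},
}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def rdp_logons(events):
    """Keep only successful RemoteInteractive (RDP) logons."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def flag_rdp_deviations(events, baseline=RDP_BASELINE, hours=BUSINESS_HOURS):
    """Return (reason, event) pairs for RDP sessions that leave the baseline.

    A session can trip several rules; each deviation is reported separately so
    the analyst sees why it was flagged, not just that it was.
    """
    findings = []
    for e in rdp_logons(events):
        profile = baseline.get(e["TargetUserName"])
        if profile is None:
            findings.append(("account_not_expected_to_use_rdp", e))
            continue
        if e["IpAddress"] not in profile["sources"]:
            findings.append(("unexpected_source_address", e))
        if e["Computer"] not in profile["targets"]:
            findings.append(("unexpected_target_host", e))
        if datetime.fromisoformat(e["Time"]).hour not in hours:
            findings.append(("outside_business_hours", e))
    return findings
```

On the constructed sample, the first helpdesk session matches the baseline and is silent, the service-account session is flagged because that account never uses RDP, and the late-night helpdesk session from an unfamiliar address is flagged twice.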
- Despite efforts to disrupt its primary leak site and infrastructure, LockBit struggled to regain its footing in February, yet it still emerged as the most prevalent ransomware group in the first half of 2024, accounting for approximately 21% of infections.
- A pattern first observed in earlier studies continues: compromised login credentials remain the primary root cause of attacks, at 39% of cases, highlighting the persistent exposure of users to credential theft, although this is a decline from the 56 percent recorded in 2023.
- In 87 percent of cases, attackers compromised Active Directory servers running the 2019, 2016 and 2012 server versions. As all three versions no longer receive mainstream support from Microsoft, they are one step away from End-of-Life (EOL), which means they receive no patches unless an extended support package is purchased from the company.
Full details of the report are available in the extensive English-language blog article.