{"id":25570,"date":"2024-12-12T09:21:16","date_gmt":"2024-12-12T17:21:16","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/12\/12\/news-19299\/"},"modified":"2024-12-12T09:21:16","modified_gmt":"2024-12-12T17:21:16","slug":"news-19299","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/12\/12\/news-19299\/","title":{"rendered":"The Bite from Inside: The Sophos Active Adversary Report"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Thu, 12 Dec 2024 14:00:56 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>It\u2019s not news that 2024 has been a tumultuous year on many fronts. For our <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/04\/03\/active-adversary-report-1h-2024\/\" target=\"_blank\" rel=\"noopener\">second<\/a> Active Adversary Report of 2024, we\u2019re looking specifically at patterns and developments we noted during the first half of the year (1H24). Though the year itself was in many ways unremarkable on the surface for those charged with the security of small- and medium-scale enterprises \u2013 the war between attackers and defenders raged on, as ever \u2013 we see some remarkable activity just below that surface.<\/p>\n<h3><strong>Key takeaways<\/strong><\/h3>\n<ul>\n<li>Abuse of built-in Microsoft services (LOLbins) is up &#8212; way up<\/li>\n<li>RDP abuse continues rampant, with a twist<\/li>\n<li>The ransomware scene: Banyans vs poplars<\/li>\n<\/ul>\n<h3><strong>Where the data comes from<\/strong><\/h3>\n<p>The data for this report is drawn from cases handled in the first half of 2024 by a) our external-facing IR team and b) the response team that handles critical cases occurring among our Managed Detection and Response (MDR) customers. 
Where appropriate, we compare findings from the 190 cases selected for this report with data amassed from previous Sophos X-Ops casework, stretching back to the launch of our Incident Response (IR) service in 2020.<\/p>\n<p>For this report, 80 percent of the dataset was derived from organizations with fewer than 1000 employees. This is lower than the 88 percent in our last report; the difference is primarily (but not entirely) due to the addition of MDR\u2019s cases to the mix. Just under half (48%) of organizations requiring our assistance have 250 employees or fewer.<\/p>\n<p>And what do these organizations do? As has been the case in our <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/active-adversary-report\/\" target=\"_blank\" rel=\"noopener\">Active Adversary Reports<\/a> since we began issuing them in 2021, the manufacturing sector was the most likely to request Sophos X-Ops response services, though the percentage of customers hailing from Manufacturing is down sharply, from 25 percent in 2023 to 14 percent in the first half of 2024. Construction (10%), Education (8%), Information Technology (8%), and Healthcare (7%) round out the top five. In total, 29 different industry sectors are represented in this dataset. Further notes on the data and methodology used to select cases for this report can be found in the Appendix.<\/p>\n<p>The balance of the report analyzes our findings, as listed in the key takeaways above, and provides updates on a selection of issues raised by previous editions of the report. Analysis of the full dataset for 2024 will be undertaken in the next edition of the report, slated for early 2025.<\/p>\n<h2><strong>Born to run (natively): LOLbin use on a rapid rise<\/strong><\/h2>\n<p>LOLbins \u2013 abused-but-legitimate binaries already present on the machine or commonly downloaded from legitimate sources associated with the OS \u2013 have always been part of the Active Adversary landscape. 
We contrast these to the findings we call \u201cartifacts,\u201d which are third-party packages brought onto the system illegitimately by attackers (e.g., mimikatz, Cobalt Strike, AnyDesk). LOLbins are legitimate files, they are signed, and when used in seemingly benign ways they are less likely to draw a system administrator\u2019s attention.<\/p>\n<p>We saw a modest increase this year in the use and variety of artifacts, and we will look at those changes later in this report. The rise in LOLbins, however, is arresting. (For the purposes of this edition of the report, we are mainly focusing on binaries in the Microsoft Windows operating system, though we also see these abused in other OSes.) In the first half of 2024, we found 187 unique Microsoft LOLbins used among our 190 cases \u2013 over a third of them (64) appearing just once in our dataset. This represents a rise of 51 percent over 2023\u2019s LOLbin numbers. The overall rise in LOLbin counts since 2021 is shown in Figure 1.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958794\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-01.png\" alt=\"A bar chart showing an increase in LOLbins in the span between 2021 and the first half of 2024; the totals increased from just over 100 to nearly 190\" width=\"640\" height=\"357\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-01.png 876w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-01.png?resize=300,167 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-01.png?resize=768,428 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: The abrupt rise in LOLbin use in 1H24 comes after years of slow increase in usage<\/em><\/p>\n<p>Just three years ago, our 2021 statistics showed that artifacts were more than twice as common as 
LOLbins in our cases. Now the ratio is closer to 5:4, as shown in Figure 2.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958795\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-02.png\" alt=\"A stacked bar chart showing the relationship between artifact and LOLbin counts between 2021 and the first half of 2024, as described in text\" width=\"640\" height=\"385\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-02.png 930w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-02.png?resize=300,181 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-02.png?resize=768,462 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: The use of both artifacts and LOLbins is increasing overall, and attackers are throwing more of both at the wall to see what sticks. In a particular incident this year, the responding team noted 14 artifacts and 39 LOLbins in play<\/em><\/p>\n<p>Which LOLbins are attackers using? Leading the pack as always is RDP, about which we\u2019ll have more to say in the next section. We found 29 specific LOLbins in use in at least 10 percent of cases; their names and prevalence are shown in Figure 3. 
This represents a substantial increase over last year\u2019s distribution, where only 15 of the 124 unique LOLbins spotted appeared in over 10 percent of cases.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958796\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png\" alt=\"A bar chart showing the prevalence of the top 29 LOLbins noted in the first half of 2024, ranging from RDP at just under 90 percent to findstr.exe at 10 percent\" width=\"640\" height=\"284\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png 1157w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png?resize=300,133 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png?resize=768,341 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-03.png?resize=1024,454 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: The most commonly logged LOLbins of 1H24; all of these appeared in at least 10 percent of cases<\/em><\/p>\n<p>For the most part the names in the figure above are no surprise to regular readers of the Active Adversary Report \u2013 RDP rules the landscape, with cmd.exe, PowerShell, and net.exe making their usual strong showing. However, we can see increased use of even some of those familiar LOLbins in Figure 4, which also shows the percentage increase in usage for every LOLbin seen in over 10 percent of 1H24 cases. 
Note the prevalence of binaries used for discovery or enumeration \u2013 16, by our count.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958797\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png\" alt=\"A table showing the changes in prevalence of the top 29 1H24 LOLbins between 2023 and the first half of the year; all but five of the listed LOLbins increased in frequency of usage\" width=\"640\" height=\"377\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png 1031w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png?resize=300,177 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png?resize=768,453 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-04.png?resize=1024,604 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Of the top 29 LOLbins we saw in use during 1H24, only five were observed less frequently than they were in 2023. (LOLbins for which usage changed substantially \u2013 either 15 percent higher or lower than in the previous year\u2019s data \u2013 are indicated above with double arrows). Please note that in the context of this list, \u201cTask Scheduler\u201d includes both Task Scheduler and schtasks.exe, while WMI includes the now-deprecated WMIC<\/em><\/p>\n<p>What\u2019s a defender to do? First, this change in tooling means that it isn\u2019t enough to just keep an eye on your network for items that don\u2019t belong. Every LOLbin is in some way part of the operating system, from RDP down to fondue.exe, <a href=\"https:\/\/www.youtube.com\/watch?v=SXmv8quf_xM\" target=\"_blank\" rel=\"noopener\">tracert.exe<\/a>, and time.exe (three of the one-use-only LOLbins we spotted in the data). 
More than ever, it\u2019s crucial to understand who\u2019s on your network and what they should be doing. If Alice and Bob from IT are doing things with PowerShell, probably okay. If Mallory from PR is doing things with PowerShell, ask questions.<\/p>\n<p>In addition, logging and well-informed network monitoring are key. At one point in our analysis we asked ourselves whether the increases we were seeing were perhaps merely the result of incorporating the data from our MDR team. After normalizing the data we were able to conclude that they\u2019re not, but we were once again startled by the difference having MDR-type eyes on the system makes when it comes to both initial access and impact. (More on those in a minute.)<\/p>\n<p>To learn more about LOLbins, including functions of individual binaries and where they (usually) fit into the MITRE ATT&amp;CK framework, we recommend visiting the <a href=\"https:\/\/lolbas-project.github.io\/\" target=\"_blank\" rel=\"noopener\">LOLBAS<\/a> collaborative project on Github.<\/p>\n<h2><strong>RDP (stands for Repeating the Damn Problem)<\/strong><\/h2>\n<p>For a report that enjoys throwing in pop-music references, Active Adversary sounds like a broken record: RDP, <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-the-series\/\" target=\"_blank\" rel=\"noopener\">RDP<\/a>, <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/12\/rd-web-access-abuse-fighting-back\/\" target=\"_blank\" rel=\"noopener\">RDP<\/a>. As shown in the figures above, RDP is undefeated as a source of infosecurity woe, with just under 89 percent of the cases we saw in 1H24 showing some indication of RDP abuse.<\/p>\n<p>Looking more closely at the cases involving RDP, there\u2019s not much change in whether attacks used RDP internally or externally. 
These statistics have been stable over the years, as shown in Figure 5.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958798\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png\" alt=\"A table showing RDP usage in attacks in 2022, 2023, and the first half of 2024\" width=\"640\" height=\"272\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png 1216w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png?resize=300,128 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png?resize=768,327 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-05.png?resize=1024,435 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: In 2022 and 2023, there were several cases in which attackers kicked over the traces of their RDP activity so thoroughly that the responding team could not confidently discern exactly which actions had been successful; 1H24 was better in that aspect at least<\/em><\/p>\n<p>Looking just outside this report\u2019s timeframe, the monotony of RDP abuse statistics was only slightly broken in September by Microsoft\u2019s announcement that the company is <a href=\"https:\/\/www.itbrew.com\/stories\/2024\/10\/02\/microsoft-s-new-windows-app-will-replace-the-remote-desktop-client\" target=\"_blank\" rel=\"noopener\">rolling out<\/a> a multiplatform \u201cWindows App\u201d (this is its name) designed to provide remote access to Windows 10 and 11 machines from \u201cwork or school accounts,\u201d with RDP access promised later. 
However, despite the company\u2019s <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/windows-itpro-blog\/windows-app-general-availability-coming-soon\/4206647\" target=\"_blank\" rel=\"noopener\">claims<\/a> of enhanced security including multifactor authentication capability, most observers were quick to describe Windows App as primarily a rebrand of the Remote Desktop client. Whether our next Active Adversary Report has happy news of a drop in RDP abuse or not, only time will tell.<\/p>\n<h2><strong>Shaking the tree: The poplars and banyans of ransomware<\/strong><\/h2>\n<p>Turning our attention now to ransomware, a stroll through the data on ransomware infections led to an interesting observation: When it comes to attribution, the correlation between high-profile ransomware takedowns and diminished presence on our charts isn\u2019t always as strong as one would hope.<\/p>\n<p>In our experience, some years have one dominant ransomware brand that overshadows the others like the canopy of a banyan tree, and other years distribute the ransomware cases relatively evenly among multiple brands, like a row of poplars. The difference generally corresponds with legal disruptions (\u201ctakedowns\u201d) of high-profile ransomware groups. However, the first half of 2024 did not reflect this pattern in our data. LockBit was the dominant ransomware of 2023, but was the subject of a law-enforcement disruption in late February 2024. 
Despite that, LockBit remained the dominant ransomware seen by the IR team in the first half of the year.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958799\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png\" alt=\"Five funnel-shaped charts showing the prevalence of ransomware attributions between 2020 and the first half of 2024; in this format they resemble different types of trees as described in text\" width=\"640\" height=\"261\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png 1114w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png?resize=300,122 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png?resize=768,313 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-06.png?resize=1024,417 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: Poplar, banyan, poplar, banyan\u2026 banyan?! The pattern we\u2019ve observed in ransomware attributions over the past several years seems to have broken down in 1H24 with LockBit\u2026 maybe. (Two of the labels above are truncated for space; \u201cREvil&#8230;.\u201d is more fully \u201cREvil \/ Sodinokibi,\u201d while \u201cALPHV&#8230;.\u201d is \u201cALPHV\/BlackCat\u201d)<\/em><\/p>\n<p>To be fair, legal action ultimately doesn\u2019t make a huge dent in the overall ransomware scene \u2013 it disrupts the targeted threat actor, but does not permanently stop most of the entities involved. With every major legal action, the sheer number of other brands jockeying for position means that the gap is filled, and then some. 
Notice that Conti represented a mere 6 percent of infections seen in 2020\u2026 and then first Ryuk (2020) and REvil (2021) were hit by takedowns of the gang or, in Ryuk\u2019s case, the Trickbot distribution system on which it relied. After that Conti (likely <a href=\"https:\/\/x.com\/VK_Intel\/status\/1557003350541242369\" target=\"_blank\" rel=\"noopener\">descended from<\/a> Ryuk) flourished for a year (2021), but dropped to single-digit occurrence levels by the end of 2022. In LockBit\u2019s case, the proprietor of the brand attempted a mid-2024 \u201ccomeback,\u201d rebuilding its infrastructure and even restarting its blog. (A version of LockBit\u2019s ransomware builder was also famously <a href=\"https:\/\/rhisac.org\/threat-intelligence\/lockbit-3-0-builder-code-leak-technical-analysis\/\" target=\"_blank\" rel=\"noopener\">leaked<\/a> by a disgruntled associate in September 2022, which may affect its prevalence.)<\/p>\n<p>What\u2019s next? First, it is possible that the pattern will resolve itself in the data from the second half of the year \u2013 that is, the \u201cbanyan\u201d will morph into a \u201cpoplar\u201d as predicted. In the month or so after the LockBit takedown, Sophos\u2019 MDR and IR teams, respondents to our 2024 <a href=\"https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware\" target=\"_blank\" rel=\"noopener\">State of Ransomware<\/a> survey, and other industry observers all reported a decrease in LockBit infections. 
Those bounced up again <a href=\"https:\/\/www.theregister.com\/2024\/07\/31\/five_months_after_lockbit\/\" target=\"_blank\" rel=\"noopener\">for a while<\/a> in May; it\u2019s not unusual to see that sort of echo effect after a disruption by law enforcement, but eventually the echo does fade.<\/p>\n<p>Second, the name of the <em>next<\/em> ubiquitous ransomware is probably somewhere in the figure above, which means that even if system administrators might not want to place bets on any particular brand, the culprit is likely already on defenders\u2019 radar. Those looking to parry the next attack on their systems can start by keeping an eye on news concerning both known names and <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/04\/17\/junk-gun-ransomware-peashooters-can-still-pack-a-punch\/\" target=\"_blank\" rel=\"noopener\">up-and-comers<\/a>. It\u2019s perfectly reasonable to celebrate that creatures like <a href=\"https:\/\/cyberscoop.com\/mikhail-matveev-wazawaka-russia-charges\/\" target=\"_blank\" rel=\"noopener\">Mikhail Matveev<\/a> and <a href=\"https:\/\/news.sky.com\/story\/brit-investigators-smash-russian-networks-that-helped-hide-billions-in-drugs-ransomware-and-spying-operations-13266769\" target=\"_blank\" rel=\"noopener\">Ekaterina Zhdanova<\/a> are facing jail time, but the song isn\u2019t over.<\/p>\n<p>Overall, ransomware infections were down slightly in the first half of the year. For IR, 61.54 percent of cases handled involved ransomware, compared to 70.13 percent in 2023. (The slack was more than taken up by network breaches, which nearly doubled their incidence in IR cases \u2013 34.62 percent in 1H24, compared to 18.83 percent in 2023. Close examination of all data available to us causes us to suspect that the drop, though real, won\u2019t be as pronounced when the full year\u2019s numbers are analyzed.)<\/p>\n<p>Meanwhile, MDR handled mainly network breaches in 1H24, with just 25.36 percent of their cases chalked up to ransomware. 
It should be noted that MDR, due to the nature of the service, tends to encounter and contain ransomware far earlier in its infection cycle than the IR team does \u2013 usually, prior to encryption or deployment, which means that they never rise to the level of requiring response of the sort the Active Adversary Report covers. (Unfortunately, \u201cattack detected\u201d for the IR team often means \u201cthe customer realized that they might be under attack when they received a ransom note and all their computers were bricked.\u201d) For the MDR team, LockBit was already flattening out in prevalence by the end of June, with 17.14 percent of their ransomware attributions chalked up to that brand and both Akira and BlackSuit close on its heels at 11.43 percent apiece. (And completing the circle, both Akira and BlackSuit are descendants of\u2026 Conti. Same song, next verse.)<\/p>\n<h2><strong>Comin&#8217; in and out of your life: Initial access and impact<\/strong><\/h2>\n<p>The third and fourteenth steps of the <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK Matrix<\/a> invariably attract reader interest; we have even written in a previous report about the differences we observed between two very <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/11\/14\/active-adversary-for-security-practitioners\/#cuba\" target=\"_blank\" rel=\"noopener\">similar cases<\/a> handled by our IR and MDR processes. For this report, we\u2019ll focus our MITRE-related analysis on the categories themselves, Initial Access and Impact.<\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0001\/\" target=\"_blank\" rel=\"noopener\">Initial Access<\/a> in the first half of 2024 looked much as it did in previous years. As one would expect from the RDP statistics, External Remote Services attack techniques ruled the category, representing 63.16 percent of cases compared to 2023\u2019s 64.94 percent. 
Valid Accounts (59.47%, down from 61.04%) and Exploit [of] Public-facing Application (30%, up from 16.88%) round out the top three. (Since cases may exhibit many combinations of initial-access techniques, the percentages will never add up to 100.)<\/p>\n<p>The situation is more interesting with <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\/\" target=\"_blank\" rel=\"noopener\">Impact<\/a>, the final category in the MITRE matrix. After years of dominating the Impact category by factoring into a minimum of two-thirds of all cases, Data Encrypted for Impact (a typical step in ransomware attacks) tumbles to second place with 31.58 percent, just above up-and-comer Data Manipulation (30%) and trailing No Impact at 38.95 percent.<\/p>\n<p>We have written in the past about \u201cNo Impact\u201d meaning something a bit different when it comes to ATT&amp;CK. The latest edition of ATT&amp;CK lists fourteen techniques that it recognizes as \u201cImpact.\u201d These techniques are evolving to keep pace with current realities of ransomware payouts and lost productivity, and we have refined our analysis of previous case data to reflect those improvements (thus retroactively trimming down the number of cases for which the impact finding is No). But it may be too much to ask that the ATT&amp;CK category encompass intangibles such as reputational loss or <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/08\/12\/the-cybersecurity-kids-arent-all-right\/\" target=\"_blank\" rel=\"noopener\">staff burnout<\/a>. 
Incident responders are all too aware that nobody <em>wants<\/em> to need their services; though \u201cno\u201d impact sounds refreshing and pleasant, and though many of the MDR-handled cases were indeed triggered in time to block would-be attackers from succeeding in their objectives, \u201cNo Impact\u201d doesn\u2019t mean there was no impact \u2013 it means that whatever happened is beyond ATT&amp;CK\u2019s vocabulary to describe.<\/p>\n<h2><strong>Where are they now: Checking on previous AAR findings<\/strong><\/h2>\n<p>In an attempt to keep this edition of the report relatively short, there are a few topics of previous interest on which we\u2019ll touch briefly, in advance of our full-year 2024 report.<\/p>\n<p><em>Dwell time:<\/em> Dwell-time numbers have been dropping, as we showed in our <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/25\/2023-active-adversary-report-for-business-leaders\/\" target=\"_blank\" rel=\"noopener\">first 2023 report<\/a>. The 1H24 numbers indicate that this decline has leveled off or even slightly reversed for cases handled by our Incident Response team. For ransomware, median dwell times hover at 5.5 days; factoring in all other types of incidents, the median lingers at 8 days. Though we do not yet have previous years\u2019 MDR cases available to the report team for analysis, a look at their 1H24 data shows what a difference monitoring makes \u2013 medians of 3 days for ransomware and one day for all types of incidents. 
Since the MDR cases requiring incident response are a very small sliver of all the activity MDR sees day-to-day, the effect of having watchful eyes in place is left as an exercise for the reader.<\/p>\n<p><em>Time-to-AD:<\/em> In <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/23\/active-adversary-for-tech-leaders\/\" target=\"_blank\" rel=\"noopener\">our second 2023 report<\/a> we looked at the time it takes for attackers to gain control of the target\u2019s Active Directory &#8212; a point at which one can reasonably say that the target is compromised &#8212; and the interval from when the attacker gains control of AD to when the attack is detected. This is another statistic for which MDR\u2019s data varies radically from that compiled by IR. The IR numbers fluctuated in 1H24 from those of years past, with attackers taking about two hours longer to reach Active Directory (15.35 hours in 2023, 17.21 hours in 1H24). An apparent decrease in dwell time between AD acquisition and attack detection (29.12 hours in 1H24, down from 48.43 hours in 2023) is interesting and may merit scrutiny in the next report, if a larger accumulation of data reveals it to be a real development.<\/p>\n<p>We will note that the three versions of Active Directory we most frequently saw compromised were Server 2019 (43%), Server 2016 (26%), and Server 2012 (18%), together accounting for 87 percent of compromised AD servers. <em>All three of these versions are now out of mainstream Microsoft support<\/em>, even though Patch Tuesday release information still states which updates would apply to each version. If your systems are running on tired versions of Server, consider these numbers your wake-up call to update. 
(For those who follow our <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/patch-tuesday\/\" target=\"_blank\" rel=\"noopener\">Patch Tuesday coverage<\/a>, we have started this month to relay more information on precisely which versions of Server are affected by each month&#8217;s patches.)<\/p>\n<p><em>Compromised credentials:<\/em> We also spotlighted the rise in compromised credentials as a root cause of attacks in <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/23\/active-adversary-for-tech-leaders\/\" target=\"_blank\" rel=\"noopener\">our second 2023 report<\/a>. In 2023, 56 percent of all incidents had compromised credentials as their root cause. In the first half of 2024, that dominance was dialed back somewhat. Though compromised credentials were still the leading root cause overall for 2024, that number was led mainly by the IR cases, as shown in Figure 7. For MDR customers, exploited vulnerabilities led the root-cause leaderboard, though by less than one percent.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958800\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png\" alt=\"A table showing the root causes of 1H24 cases for the entire report, for IR's portion of the data, and for MDR's portion of the data\" width=\"640\" height=\"140\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png?resize=300,66 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png?resize=768,168 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-07.png?resize=1024,224 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: The root causes of IR-handled and MDR-handled incidents varied, with cases more equally distributed among MDR and compromised 
credentials \u201cwinning\u201d in a walk for IR<br \/> <\/em><\/p>\n<h2><strong>Just a song about artifacts before I go<\/strong><\/h2>\n<p>As mentioned above, our data found not only LOLbins but third-party artifacts on the rise in the cases we saw in the first half of 2024. The rise in artifact usage is not as striking as that of the LOLbins, but a few aspects bear further discussion.<\/p>\n<p>First, the numbers are up, though slightly. We saw 230 unique artifacts on targeted systems in the first half of 2024, compared to 205 in all of 2023 \u2013 a 12 percent increase. (By way of comparison, 2022 had 204 artifacts; 2021 had 207.)<\/p>\n<p>Second, the names of the most commonly found artifacts don\u2019t much vary from year to year, as shown in Figure 8. We did note that Cobalt Strike usage continues the retreat it began in 2023, present in just 13.68 percent of infections in the first half. (In previous years, Cobalt Strike was at one point present in nearly half the cases, and it still sits atop the leaderboard of all-time artifact findings. Better defender detections for Cobalt Strike are likely leading to this drop.) 
127 artifacts appear only once in the 1H24 data, which is less than 2023\u2019s 102 single-use findings.<\/p>\n<p><em><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958801\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png\" alt=\"A table showing changes in artifact prevalence in AAR cases from 2021 to the first half of 2024\" width=\"640\" height=\"177\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png?resize=300,83 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png?resize=768,212 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-08.png?resize=1024,282 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/em><\/p>\n<p><em>Figure 8: The years-long trend toward more diverse artifact use continues, with no single artifact occurring in more than 30 percent of cases in the first half of 2024<\/em><\/p>\n<p>A defender learning that over half of all artifacts are single-use tools may perhaps despair of catching everything an attacker might throw at them. We would encourage that defender to look at the table above and remember that the supporting cast may change, but the \u201cstars\u201d of the Artifacts galaxy all shine on. The table above shows <em>every<\/em> artifact that appeared in over 10.00 percent of cases over the course of four years. Keeping a relentless eye out for these packages is both doable and useful. 
Consider developing and applying a default-block policy for applications on your systems; this requires a fair amount of work up front, but saves trouble as attackers expand their tool-usage repertoire.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>It has been an extraordinary gift to the AAR analysis and writing team to see how the statistics changed as we incorporated the large tranche of data from Sophos X-Ops\u2019 MDR group with the years-deep database from our IR colleagues. The process of interrogating the data led us to both remarkable landscape changes \u2013 who knew that LOLbins could be exciting? \u2013 and to patterns such as RDP abuse that remain resistant to best practices such as vigilant monitoring.<\/p>\n<p>Above all, though, we remain bemused by the number of cases that hinged on fundamentals \u2013 not just the three immortalized in the Sophos \u201chaiku\u201d<\/p>\n<h1><strong>Close exposed RDP ports,<\/strong><\/h1>\n<h1><strong>Use MFA, and<\/strong><\/h1>\n<h1><strong>Patch vulnerable servers.<\/strong><\/h1>\n<p>but simple pattern awareness that might have prevented customers from ever becoming part of a dataset such as this. It\u2019s our hope that a close, tight snapshot of the recent Active Adversary Report landscape aids practitioners to sharpen their focus on the fundamentals that can keep us all safer and more secure.<\/p>\n<h3><strong>Acknowledgements<\/strong><\/h3>\n<p>The authors wish to thank Chester Wisniewski, Anthony Bradshaw, and Matt Wixey for their contributions to the AAR process.<\/p>\n<h2><strong>Appendix: Demographics and methodology<\/strong><\/h2>\n<p>For this report, we focused on 190 cases that could be meaningfully parsed for useful information on the state of the adversary landscape as of the first half of 2024. 
Protecting the confidential relationship between Sophos and our customers is of course our first priority, and the data herein has been vetted at multiple stages during this process to ensure that no single customer is identifiable through this data \u2013 and that no single customer\u2019s data skews the aggregate inappropriately. When in doubt about a specific case, we excluded that customer\u2019s data from the dataset.<\/p>\n<p>We should make mention of a multi-year case that involved our MDR team. That case, which involved nation-state activity in several locations, has been covered elsewhere as \u201c<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia\/\" target=\"_blank\" rel=\"noopener\">Crimson Palace<\/a>.\u201d Though fascinating and in many ways a bellwether for specific attack tactics we\u2019ve seen elsewhere since, it is in multiple ways such an outlier to the vast majority of the Active Adversary dataset that we\u2019ve chosen to leave its numbers out of the report.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-958802\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png\" alt=\"A world map showing locations in which cases appearing in this report occurred\" width=\"640\" height=\"330\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png?resize=300,154 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png?resize=768,395 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/aar2412-a1.png?resize=1024,527 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure A1: Here, there, and everywhere 
&#8212; it\u2019s Sophos X-Ops MDR and IR around the world (Map generation courtesy <a href=\"https:\/\/www.mapchart.net\/world.html\" target=\"_blank\" rel=\"noopener\">mapchart.net<\/a>)<\/em><\/p>\n<p>The following 48 nations and other locations are represented in the 1H24 data analyzed for this report:<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>Industries<\/strong><\/h3>\n<p>The following 29 industries are represented in the 1H24 data analyzed for this report:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"208\">Advertising<\/td>\n<td width=\"208\">Financial<\/td>\n<td width=\"208\">MSP\/Hosting<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Agriculture<\/td>\n<td width=\"208\">Food<\/td>\n<td width=\"208\">Non-profit<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Architecture<\/td>\n<td width=\"208\">Government<\/td>\n<td width=\"208\">Pharmaceutical<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Communication<\/td>\n<td width=\"208\">Healthcare<\/td>\n<td width=\"208\">Real estate<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Construction<\/td>\n<td width=\"208\">Hospitality<\/td>\n<td width=\"208\">Retail<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Education<\/td>\n<td width=\"208\">Information Technology<\/td>\n<td width=\"208\">Services<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Electronics<\/td>\n<td width=\"208\">Legal<\/td>\n<td width=\"208\">Transportation<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Energy<\/td>\n<td width=\"208\">Logistics<\/td>\n<td width=\"208\">Utilities<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Engineering<\/td>\n<td width=\"208\">Manufacturing<\/td>\n<td width=\"208\">Wholesale<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Entertainment<\/td>\n<td width=\"208\">Mining<\/td>\n<td width=\"208\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h3><strong>Methodology<\/strong><\/h3>\n<p>The data in this report was captured over the course of individual investigations undertaken by Sophos\u2019 X-Ops Incident Response and MDR teams. 
For this second report of 2024, we gathered case information on all investigations undertaken by the teams in the first half of the year and normalized it across 63 fields, examining each case to ensure that the data available was appropriate in detail and scope for aggregate reporting as defined by the focus of the proposed report. We further worked to normalize the data between our MDR and IR reporting processes.<\/p>\n<p>When data was unclear or unavailable, the authors worked with individual IR and MDR case leads to clear up questions or confusion. Incidents that could not be clarified sufficiently for the purpose of the report, or about which we concluded that inclusion risked exposure or other potential harm to the Sophos-client relationship, were set aside. We then dissected each remaining case\u2019s timeline to gain further clarity on such matters as initial ingress, dwell time, exfiltration, and so forth. We retained 190 cases, and those are the foundation of the report.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/12\/12\/active-adversary-report-2024-12\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/12\/shutterstock_2154147129.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Thu, 12 Dec 2024 14:00:56 +0000<\/strong><\/p>\n<p>A sea change in available data fuels fresh insights from the first half of 
2024<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[25396,30006,129,12657,30931,27339,25038,18324,24552,16771],"class_list":["post-25570","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-active-adversary","tag-active-adversary-report","tag-featured","tag-incident-response","tag-ir","tag-lolbins","tag-mdr","tag-rdp","tag-security-operations","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25570"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25570\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25570"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}