John Shier – Tech | Business | Economy (https://techeconomy.ng)

Sophos: Cybercriminals Abuse Remote Desktop Protocol (RDP) in 90% of Attacks in 2023
https://techeconomy.ng/sophos-cybercriminals-abuse-remote-desktop-protocol-rdp-in-90-of-attacks-in-2023/
Fri, 05 Apr 2024 08:16:04 +0000

  • Level of RDP Abuse Unprecedented Since Launch of Report in 2020
  • External Remote Services Were the Number-One Way Attackers Initially Breached Networks

    Sophos, a global leader of innovative security solutions that defeat cyberattacks, today released the Active Adversary analysis, “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024.”

    The report, which analyzes more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that cybercriminals abused remote desktop protocol (RDP)—a common method for establishing remote access on Windows systems—in 90% of attacks.

    This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

    In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65% of IR cases in 2023.

    External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritize the management of these services when assessing risk to the enterprise.

    “External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, field CTO, Sophos.

    In one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports.

    Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.

    Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that in the first half of that year, for the first time, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks.

    This trend continued through the rest of 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.

    When looking at Active Adversary data cumulatively over the years from 2020 through 2023, compromised credentials were also the number one “all-time” root cause of attacks, involved in nearly a third of all IR cases.

    Yet despite the historical prevalence of compromised credentials in cyberattacks, in 43% of IR cases in 2023, organizations did not have multi-factor-authentication configured.

    Exploiting vulnerabilities was the second most common root cause of attacks, both in 2023 and when analyzing data cumulatively from 2020 through 2023, accounting for the root cause in 16% and 30% of IR cases, respectively.

    “Managing risk is an active process. Organizations that do this well experience better security situations than those that don’t in the face of continuous threats from determined attackers. An important aspect of managing security risks, beyond identifying and prioritizing them, is acting on the information. Yet, for far too long, certain risks such as open RDP continue to plague organizations, to the delight of attackers who can walk right through the front door of an organization. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organizations more secure overall and better able to defeat cyberattacks,” said Shier.

    The Sophos Active Adversary Report for 1H 2024 is based on more than 150 incident response (IR) investigations spanning the globe across 26 sectors.

    Targeted organizations are located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa, and Botswana.

    To learn more about the current adversary landscape, read It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024 on Sophos.com.


Sophos Survey Shows the Cloud is a Growing Target for Cyberattacks
https://techeconomy.ng/sophos-survey-shows-the-cloud-is-a-growing-target-for-cyberattacks/
Fri, 02 Dec 2022 00:04:27 +0000

  • Among Infrastructure as a Service (IaaS) Users, 56% Experienced an Increase in the Volume of Attacks and 67% Were Hit by Ransomware

    Sophos, a global leader in innovating and delivering cybersecurity as a service, today published findings of a new survey, “The Reality of SMB Cloud Security in 2022.”

    The survey found that, among Infrastructure as a Service (IaaS) users, 56% experienced an increase in the volume of attacks on their organization when compared to the previous year, and 67% were hit by ransomware. In addition, 59% experienced an increase in complexity of attacks.

    For many of these users, a lack of visibility into their infrastructure, unpatched vulnerabilities and resource misconfigurations make them susceptible to various types of attacks, including ransomware. Of those surveyed, only 37% track and detect resource misconfigurations and only 43% routinely scan IaaS resources for software vulnerabilities.

    What’s more, 65% of cloud users reported not having visibility of all resources and their configurations, and only 33% said their organization has the resources to continuously detect, investigate and remove threats in their IaaS infrastructure.

    John Shier, senior security advisor, Sophos

    “It is imperative that security is prioritized as organizations continue to adopt cloud services. This includes implementing traditional threat-based protections, as well as risk-based mitigations. Unpatched vulnerabilities and misconfigured resources are both preventable mistakes and avoidable risks that make life easier for attackers. Most attackers are not unstoppable criminal masterminds, but rather opportunistic cyberthugs looking for an easy payday,” said John Shier, senior security advisor, Sophos.

    “However, the survey also found that more advanced IaaS users are twice as likely to report a decrease in attack impact than beginners, suggesting the appropriate defense mechanisms can go a long way in deterring threat actors. For users who need help, we recommend security services that have the 24/7 experts who can detect and quickly respond to active attacks,” he added.

    The Reality of SMB Cloud Security in 2022 survey polled 4,984 IT professionals in small and mid-sized organizations.


Attacker Dwell Time Increased by 36%, Sophos’ Active Adversary Playbook 2022 Reveals
https://techeconomy.ng/attacker-dwell-time-increased-by-36-sophos-active-adversary-playbook-2022-reveals/
Wed, 08 Jun 2022 08:55:28 +0000

    Sophos, a global leader in next-generation cybersecurity, today released the “Active Adversary Playbook 2022,” detailing attacker behaviors that Sophos’ Rapid Response team saw in the wild in 2021.

    The findings show a 36% increase in attacker dwell time, with a median intruder dwell time of 15 days in 2021 versus 11 days in 2020.

    The report also reveals the impact of ProxyShell vulnerabilities in Microsoft Exchange, which Sophos believes some Initial Access Brokers (IABs) leveraged to breach networks and then sell that access to other attackers.

    “The world of cybercrime has become incredibly diverse and specialized. IABs have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” said John Shier, senior security advisor at Sophos. “In this increasingly dynamic, specialty-based cyberthreat landscape, it can be hard for organizations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralize attacks as fast as possible.”

    Sophos’ research also shows that attacker dwell time was longer in smaller organizations’ environments. Attackers lingered for approximately 51 days in organizations with up to 250 employees, while they typically spent 20 days in organizations with 3,000 to 5,000 employees.

    Attacker dwell time report by Sophos

    “Attackers consider larger organizations to be more valuable, so they are more motivated to get in, get what they want and get out. Smaller organizations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period. It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence,” said Shier. “With opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of IABs, we’re seeing more evidence of multiple attackers in a single target. If it’s crowded within a network, attackers will want to move fast to beat out their competition.”

    Additional key findings in the playbook include:

    • The median attacker dwell time before detection was longer for “stealth” intrusions that had not unfolded into a major attack such as ransomware, and for smaller organizations and industry sectors with fewer IT security resources. The median dwell time for organizations hit by ransomware was 11 days. For those that had been breached, but not yet affected by a major attack, such as ransomware (23% of all the incidents investigated), the median dwell time was 34 days. Organizations in the education sector or with fewer than 500 employees also had longer dwell times
    • Longer dwell times and open entry points leave organizations vulnerable to multiple attackers. Forensic evidence uncovered instances where multiple adversaries, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware operators, were targeting the same organization simultaneously
    • Despite a drop in using Remote Desktop Protocol (RDP) for external access, attackers increased their use of the tool for internal lateral movement. In 2020, attackers used RDP for external activity in 32% of the cases analyzed, but this decreased to 13% in 2021. While this shift is a welcome change and suggests organizations have improved their management of external attack surfaces, attackers are still abusing RDP for internal lateral movement. Sophos found that attackers used RDP for internal lateral movement in 82% of cases in 2021, up from 69% in 2020
    • Common tool combinations used in attacks provide a powerful warning signal of intruder activity. For example, the incident investigations found that in 2021 PowerShell and malicious non-PowerShell scripts were seen together in 64% of cases; PowerShell and Cobalt Strike combined in 56% of cases; and PowerShell and PsExec were found in 51% of cases. The detection of such correlations can serve as an early warning of an impending attack or confirm the presence of an active attack
    • Fifty percent of ransomware incidents involved confirmed data exfiltration – and with the available data, the mean gap between data theft and the deployment of ransomware was 4.28 days. Seventy-three percent of incidents Sophos responded to in 2021 involved ransomware. Of these ransomware incidents, 50% also involved data exfiltration. Data exfiltration is often the last stage of the attack before the release of the ransomware, and the incident investigations revealed the mean gap between them was 4.28 days and the median was 1.84 days
    • Conti was the most prolific ransomware group seen in 2021, accounting for 18% of incidents overall. REvil ransomware accounted for one in 10 incidents, while other prevalent ransomware families included DarkSide, the RaaS behind the notorious attack on Colonial Pipeline in the U.S. and Black KingDom, one of the “new” ransomware families to appear in March 2021 in the wake of the ProxyLogon vulnerability. There were 41 different ransomware adversaries identified across the 144 incidents included in the analysis. Of these, around 28 were new groups first reported during 2021. Eighteen ransomware groups seen in incidents in 2020 had disappeared from the list in 2021
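    As an added illustration of the tool-combination signal described in the findings above (example code written for this page, not Sophos’ own detection logic), the script below scans constructed process-execution records and flags hosts where PowerShell ran close in time to PsExec, a Cobalt Strike beacon, or a non-PowerShell script. The 24-hour correlation window, the host names, the tool labels and the log format are assumptions of the example, not figures from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Partner tools that the playbook data reports co-occurring with PowerShell in
# intrusions (non-PowerShell scripts, Cobalt Strike, PsExec).
PAIRED_TOOLS = {"script", "cobalt_strike", "psexec"}
# Assumed correlation window; the report gives no window, this is the example's choice.
WINDOW = timedelta(hours=24)

# Constructed sample records (not from any real incident): timestamp, host, tool.
SAMPLE_LOG = """\
2021-05-03T09:12:00 host=WS-014 tool=powershell
2021-05-03T09:40:00 host=WS-014 tool=psexec
2021-05-03T11:05:00 host=SRV-DC1 tool=powershell
2021-05-03T11:06:30 host=SRV-DC1 tool=cobalt_strike
2021-05-04T02:15:00 host=SRV-DC1 tool=script
2021-05-01T08:00:00 host=WS-022 tool=powershell
2021-05-06T08:00:00 host=WS-022 tool=psexec
2021-05-03T10:00:00 host=WS-031 tool=powershell
"""


def parse_events(log_text):
    """Parse 'ISO-timestamp host=<name> tool=<label>' lines into tuples."""
    events = []
    for line in log_text.splitlines():
        ts_text, host_field, tool_field = line.split()
        events.append((datetime.fromisoformat(ts_text),
                       host_field.split("=", 1)[1],
                       tool_field.split("=", 1)[1]))
    return events


def find_tool_combinations(events, window=WINDOW):
    """Return {host: sorted partner tools} for hosts where PowerShell and a
    partner tool both ran within `window` of each other. Hosts with only
    PowerShell, or with a partner tool outside the window, are not flagged."""
    by_host = defaultdict(list)
    for ts, host, tool in events:
        by_host[host].append((ts, tool))
    findings = {}
    for host, host_events in by_host.items():
        ps_times = [ts for ts, tool in host_events if tool == "powershell"]
        partners = {tool for ts, tool in host_events
                    if tool in PAIRED_TOOLS
                    and any(abs(ts - p) <= window for p in ps_times)}
        if partners:
            findings[host] = sorted(partners)
    return findings


if __name__ == "__main__":
    for host, tools in find_tool_combinations(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: PowerShell seen with {', '.join(tools)}")
```

Run against the sample, only WS-014 and SRV-DC1 are flagged; WS-022 is not, because its PsExec run is five days after its PowerShell activity.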

    “The red flags that defenders should look out for include the detection of a legitimate tool, combination of tools, or activity in an unexpected place or at an uncommon time,” said Shier. “It is worth noting that there may also be times of little or no activity, but that doesn’t mean an organization hasn’t been breached. There are, for instance, likely to be many more ProxyLogon or ProxyShell breaches that are currently unknown, where web shells and backdoors have been implanted in targets for persistent access and are now sitting silently until that access is used or sold.

    “Defenders need to be on the alert for any suspicious signals and investigate immediately. They need to patch critical bugs, especially those in widely used software, and, as a priority, harden the security of remote access services. Until exposed entry points are closed and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them, and probably will.”

    The Sophos Active Adversary Playbook 2022 is based on 144 incidents in 2021, targeting organizations of all sizes, in a wide range of industry sectors, and located in the U.S., Canada, the U.K., Germany, Italy, Spain, France, Switzerland, Belgium, Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola, and Japan.

    The most represented sectors are manufacturing (17%), followed by retail (14%), healthcare (13%), IT (9%), construction (8%), and education (6%).  

    The aim of Sophos’ report is to help security teams understand what adversaries do during attacks and how to spot and defend against malicious activity on the network. To learn more about attacker behaviors, tools and techniques, read the Sophos Active Adversary Playbook 2022 on Sophos News.
