It's Oh So Quiet: The Sophos Active Adversary Report for 1H 2024 (Sophos News)

The first Sophos Active Adversary Report of 2024 presents what the Sophos X-Ops Incident Response (IR) team has learned about the current adversary landscape from tackling security crises around the world. Our report is based on data from over 150 cases drawn from the 2023 workload of the IR team. We provide more detail on the demographics represented in this analysis at the end of the report.

As has been standard for Sophos Active Adversary reports, this edition incorporates data from previous years of IR casework, stretching back to the launch of our IR service in 2020. While this report will primarily focus on the analysis of cases investigated by the IR team during 2023, we will also take a longer view of the data where applicable, to understand any meaningful changes and trends (and sometimes the lack thereof).

A second report, to be issued in late summer, will incorporate data from the first half of 2024; in other words, the cases we are working on right now and cases that have yet to occur. The eternal battle between attackers and defenders has cycles, inflection points, and currents all its own. Keeping a close eye on those rhythms, even when things seem to be oh-so-quiet, is key for defenders looking to understand and react.

For this report, the data for which (as always) is drawn from the cases tackled by our external-facing Incident Response team, 88% of the dataset was derived from organizations with fewer than 1,000 employees. As in previous years, over half (55%) of organizations requiring our assistance have 250 employees or fewer. Twelve percent of the organizations with which IR worked in 2023 were companies with over 1,000 employees, down from 19% in 2022. For a glimpse of data drawn from the combined forces of our IR and MDR teams, but focused on the cohort of customers with 500 employees or fewer, please see our sister publication, the 2024 Sophos Threat Report.

And what do these organizations do? For a fourth consecutive year, the manufacturing sector (25%) was the most likely to request Sophos IR services, followed by information technology (10%), retail (9%), and services (9%). In total, 26 different sectors are represented in this dataset. Further information on the data and methodology used to select cases for this report can be found in the Appendix.

Editor's note: Since initial publication, a sentence in the section "Stats 2: To AD or not to AD, Active Directory takes the stage" has been fixed to reflect that mainstream support for Windows Server 2019 ended in January 2024.

As has become the norm for most incident response-focused reports throughout the industry, ransomware maintained its dominance as the top attack type in 2023, with 70% of investigations resulting from a ransomware attack. While there was some fluctuation on a quarterly basis, ranging from 62% to 80%, we believe that this yearly average is well within the margins of what is likely ransomware's background rate.

Figure 1: As in previous years, our Incident Response team conducted more investigations of ransomware cases than of any other type of attack in 2023. However, our data indicates a large number of assessments outside the dataset that conform to Sophos' definition of business email compromise. Since just one of these assessments resulted in a full investigation, they are lightly represented in the report dataset, but the authors of this report may choose to publish findings concerning those assessments at a later date.

Network breach, the perennial bridesmaid, retained its spot with a 19% occurrence rate in 2023. While we can't be certain in all cases, there is mounting evidence that many network breaches are indeed unsuccessful ransomware attacks. For example, we positively identified five network breaches (17%) that were the work of known ransomware brands. An interesting statistic emerged when comparing network breaches to ransomware attacks by quarter. During the quarters where ransomware was at its lowest prevalence (67% in Q2 and 62% in Q3), network breaches were considerably above the yearly average (21% in Q2 and 28% in Q3).

Figure 2: During 2021 and 2022, cycles in the number of ransomware cases and network breaches seemed to have mild congruence: when ransomware was up, breaches were generally up. In mid-2023, however, ransomware dropped just as breaches spiked; not as striking as the full-on reversal of fortunes in November 2021, but perhaps more significant.

What can be deduced about this from the data itself? Hard to say with even medium confidence, but it's possible that the set of victims during these two quarters were better prepared to detect ransomware operators and evict them before the real damage was done. Or the attackers were distracted during the nicest time of the year in Sochi.

The attack types that have seen the most change in our dataset are data extortion and data exfiltration. We define data extortion as: data was stolen, and a payment was demanded to suppress and/or delete it. Data exfiltration omits the payment portion: the data was stolen and either exposed to the public or not. Our year-end tally saw data extortion attacks double over the previous year, with data exfiltration attacks halving. Most of the data extortion attacks we investigated were perpetrated in the first half of the year by BianLian, which switched to extortion-only attacks in January 2023.

The remaining attack types for 2023 are business email compromise, web shell, loader, and DDoS. Each accounted for less than 1% of investigated cases.

Figure 3: Known impacts of the 2023 cases; since one case may ultimately result in multiple impacts, the total is greater than our case count of 154.

The outcome of attacks is the tactic category that the MITRE ATT&CK framework calls Impact (TA0040). It should come as no surprise that the Data Encrypted for Impact (T1486) technique is leading the pack. When ransomware is the number-one attack type, this will be the number-one impact. As an adjunct to encryption, many attackers perform other tasks or deploy additional payloads that can be labelled. For example, an often-observed epiphenomenon is the pairing of Inhibit System Recovery (T1490) with Data Encrypted for Impact.

The next most prevalent impact was what we call "no impact." This is tightly coupled with network breaches. There is no doubt in our minds (and we hope most will agree) that an attacker having privileged access to your network constitutes some sort of impact. And while MITRE's techniques cover a lot of ground, there is no discrete technique that adequately describes this phenomenon.

Notably, MITRE released an update to its framework in October 2023. One of the changes was to add the Financial Theft (T1657) technique to the Impact tactic. A stated reason for these changes was "for encompassing more activities that are adjacent to, yet lead to, direct network interactions or impacts." This is a welcome addition, as it allows us to properly label the outcomes of data extortion and exfiltration attacks, where previously there was none.

Which segues nicely to the next most prevalent impact: Financial Theft. The increase in this type of data extortion led to a commensurate doubling in this technique, which overtook Resource Hijacking in the 2023 ranking, while Resource Hijacking has dropped to one-third of its 2022 rate. This technique is sometimes the result of attackers using compromised systems for spam campaigns, as is the case in many SquirrelWaffle infections, but most often the technique denotes a coin miner being present on the network. It is unclear why coin miners are in decline, other than the fact that they aren't terribly lucrative.

With the exception of one Network Denial of Service attack against an entity in the Education sector, the remaining techniques in our dataset were secondary impacts paired with ransomware attacks.

Figure 4: Family distribution of ransomware cases evaluated in 2023. For the entry marked with an asterisk, the attacker installed Windows BitLocker services to both encrypt files and remove volume shadow copies. For the entries marked with two asterisks, there's a possibility these are the same thing, as discussed below.

Few threat landscape analyses are complete without an attribution discussion. While we won't pontificate at length over who was behind many of these attacks, we can present the facts as we saw them. Naturally, the most reliable attributions come from ransomware attacks. This is because the attackers tell you which brand of ransomware was deployed on your network, through file extensions (often), ransom notes (always), and data leak portals (sometimes). Like so many telemarketers, most ransomware brands exist as ransomware-as-a-service offerings, which allows criminals to represent more than one outlet.

LockBit maintains the top spot for most prolific ransomware brand of the year for the second year running, finally displacing Conti in our all-time ranking. More than one-fifth of ransomware attacks we investigated in 2023 deployed LockBit.

Figure 5: LockBit dominated the 2023 standings more strongly than any single ransomware family has since the heyday of Conti in 2021; then as now, the second-place family represented a mere half of the leader's total.

One notable entrant in the ransomware landscape was Akira. First launched in March 2023, this up-and-coming brand placed second in our ranking, displacing other notable brands like ALPHV/BlackCat, Royal (likely rebranded in 2023 as BlackSuit), and Black Basta. Were we to combine Royal and BlackSuit on our chart, it would be in fourth place in the ranking. But this level of breakaway success doesn't necessarily mean infallibility. One of the cases we investigated as a network breach was found to be a failed Akira attack, as were cases involving ALPHV, Black Basta, Everest, and Vice Society. Had these attacks succeeded, they would have increased the ransomware share to 73%, with a proportional drop in the network breach percentage.

The top five ransomware brands were responsible for over half (55%) of all ransomware attacks, which is not surprising considering the pedigrees of some of these brands. Akira and Royal have both been linked to the Ryuk branch of ransomware families, which, as many will know, begat the Conti ransomware group and its many descendants. If we expand to the top 10, we find two more of Conti's alleged progeny: Black Basta (#6) and BlackByte (#8). Of the data extortion groups, we also find that Karakurt has potential links to this prodigious branch. Even LockBit is related, in a sense, because that group has been observed using some of Conti's code after the leaks in 2022.

Figure 6: Fruits of a poisoned tree. Most modern ransomware families are related to a few founding entities, starting with 2016's CryptoTech; the uncertainty regarding the likely renaming of Royal to BlackSuit is reflected at lower right. Source: https://github.com/cert-orangecyberdefense/ransomware_map/blob/main/OCD_WorldWatch_Ransomware-ecosystem-map.pdf, of which this diagram is just a small portion.

Figure 7: A closer look, from 2022, at the somewhat inbred Conti family. Source: https://twitter.com/VK_Intel/status/1557003350541242369/photo/1

It's tempting to think that there's something special about these groups, but there isn't. Modern ransomware turned 10 years old in mid-September 2023. The reality is that many of the individuals behind these groups have been active for a while and have had plenty of time and opportunity to hone their skills. For various reasons, ransomware groups come and go, but we've also observed a few (namely Cuba, LockBit, Phobos, and Snatch) that have been part of our investigations since the first Active Adversary report.

Figure 8: BianLian dominated the data-extortion cases we saw; though Cl0p made plenty of headlines, its actual impact on our IR customers was vanishingly small.

Of the data extortion groups, BianLian led the way, followed by Cl0p, Hunters International, and Karakurt. The Hunters International attack was a failed ransomware attack, but having stolen data, they resorted to data extortion by demanding payment to suppress publication of the stolen data.

Knowing who attacked you might offer some emotional rescue, but it really doesn't matter, except in one scenario. If
you intend to pay, it's absolutely necessary to confer with legal counsel beforehand, in case the ransomware group in question has been designated as a sanctioned entity by your government.

In any case, many ransomware attacks, regardless of the branding on the ransom note, are perpetrated by the same individuals or groups of individuals, and they largely use the same tooling and infrastructure. What matters most in the incident-response context is how the attackers breached the organization and why they succeeded. This allows for full remediation and recovery.

Figure 9: Initial access methods, when discernible in the course of investigation, exhibited a bit of diversity in 2023. As one would expect, some cases reveal multiple plausible initial-access scenarios. Most significantly, of the 78 Valid Accounts cases we saw, in only one was Valid Accounts the primary method; in the other 77, it was a contributing factor in cases involving Remote Services.

Figure 10: As for root causes, compromised credentials top the full-year charts for the first time ever in 2023.

The MITRE tactic and the associated techniques that describe how an attacker managed to infiltrate the target are grouped under Initial Access (TA0001), whereas Root Causes, which do not have formal ATT&CK designations, describe why that technique worked. For example, if the attackers infiltrated the network through an external remote service such as a VPN, that would be how they got in. But the root cause, why that technique worked, was likely compromised (stolen) credentials: in MITRE ATT&CK terminology, Valid Accounts. We would argue that in this example both External Remote Services and Valid Accounts provided initial access, with compromised credentials acting as a root cause. While the two often line up, we still like to separate them so we can better understand how the attack succeeded, which informs remediation and defense.

As has been the case for every Active Adversary report so far, External Remote Services (T1133) was the leading initial access method. In 65% of cases, some sort of remote access technology facilitated the intrusion. Be that a VPN device or an exposed Remote Desktop Protocol (RDP) service, the attackers had a target of opportunity. All that remained was figuring out how to take advantage of this opportunity.

One way to exercise that opportunity is by using Valid Accounts (T1078). Over three-quarters (77%) of attacks saw compromised credentials as an initial access method, and over half (56%) as a root cause. In most cases we don't know how the accounts were compromised, but we do know that the attackers walked through the front door using a valid username and password.

It turns out that most cases in 2023 saw that pairing of initial access and compromised credentials. We noted in our previous report that compromised credentials had rocketed to the top of the Root Cause charts in the first half of 2023. Now that we have a complete dataset for 2023, we see that the trend holds, nearly doubling last year's total.

Figure 11: The astonishing rise of compromised credentials as a root cause of attacks vaulted the largely avoidable problem to the top of the all-time charts as well as 2023's.

What makes this worse is the woeful state of credential hardening. In 43% of investigations, multifactor authentication (MFA) was not configured. As a reminder, MFA is technology that's nearly three decades old at this point; one of the founding patents literally gives an implementation example involving two-way pagers.

The remaining root causes for attacks involving remote services were brute force attacks (6%), unknown (3%), phishing (3%), and exploits (2%).

Considering compromised credentials' ascendency, plain old vulnerability exploitation has therefore slipped to second place. As we have written previously, this isn't irrefutable evidence that attackers have gone off using vulnerabilities. Maybe there weren't as many easily exploitable vulnerabilities as there were in previous years. Or maybe initial access brokers had a lot of inventory on their hands that they wanted to get rid of cheaply. Whatever the case, attackers will choose the path of least resistance, and for 2023 that meant using compromised credentials.

Beyond the top three (since it's debatable how useful "unknown" as a category is to investigators, even when the contributors to the category are known), the remaining identified root causes (brute force attack, phishing, supply chain compromise, maldocs, adware, and authentication token theft) accounted for a combined 14% of findings. The Unknown category is the third most common reason for both initial access and root cause, and the biggest contributor in both cases was missing telemetry. Whether the logs were cleared by the attackers or, worse, never configured, our investigators were unable to determine key aspects of the attack. Frankly, in 2023, compromised credentials and exploited vulnerabilities were the ball game.

With the adversary landscape in a relatively calm period at this writing, let's take a moment to think about, as the Active Adversary report team often says, how we know what we know. To be sure we're getting the maximum good out of all the data we offer in these reports, let's talk about statistics and what they can show or hide. We'll first examine the remarkable drop in dwell times that we covered throughout 2023, to see what else we might learn from one more look at those numbers. Next we'll look at time-to-Active Directory, a statistic we started monitoring only last year, to see how analysis helps us see that picture as it develops. After that, we'll examine a topic where lack of crucial data leaves researchers in an awkward position, and close this section with a look at a statistic that fell unexpectedly out of the dataset in the middle of last year and still has us asking questions.

When we published our first Active Adversary report in 2021, based on 2020 data, dwell time was one of those measures that sparked a lot of interest. Back then, we were used to thinking about dwell time in weeks and months, but we were able to show that the median dwell time, specifically for incident response cases, was measurable in days.

In the next report, based on 2021 data, we saw dwell time rise, and attributed this to the emergence of Initial Access Brokers (IABs), which provided a buffer between the earliest compromise and the eventual attack.

Then the decline started: by a bit in 2022, then by a lot in 2023. The first quarter of 2023, which included data through the end of 2022, was business as usual, with dwell time equaling that of the previous year. By the time we released our final report in 2023, which included Q1-Q3 data, dwell time had halved. By the time we wrapped up the year, things had stabilized. As is often the case, understanding the details is important.

Figure 12: The dwell-time numbers wobbled a bit throughout 2023, but still landed firmly below the previous median dwell time of 10 days.

One reason we choose to look at dwell time (and many other measures) using its median value is to reduce the impact of outliers. For example, in 2022 we had a case with a legitimate dwell time of 955 days. If we compare this dataset with one that omits that case, the mean reduces by a little over 6 days, but the median is unaffected.

Figure 13: A single extraordinary outlier in the dataset can cause outsized distortion in the numbers, which is why we like to look at median values.

Another value that we track, but don't usually draw much attention to, is the standard deviation of a dataset. Put simply, the standard deviation measures the spread, or variability, of data from its mean. Using the dataset in Figure 13 as an example, we also see a dramatic lowering of the standard deviation in dwell time, from 95.32 days to 58.11 days, when we omit the outlier. In other words, the set of values that make up the data are closer to the mean.

The problem with some outliers is that they can obscure patterns in the data. With this in mind, we examined the dwell time data for the past three years while controlling for the outlier in 2022, as shown above.

Figure 14: Having eliminated the effect of the outlier from the 2022 data, the year-to-year trend of decreasing dwell times becomes clear.

We posited in a previous report that shrinking dwell times were likely due to several factors, including increased detection capabilities, and that attackers have likely sped up in response.

In addition to shrinking median dwell time, we also observed, as we see in Figure 14, the remaining values declining despite similarly sized populations. Things get even more interesting when we separate ransomware from all other attack types.

Figure 15: Again with the 2022 outlier dismissed from the data, we see that the decrease in dwell times applies to both ransomware infections and, to a lesser extent, all other attack types.

It makes intuitive sense that ransomware attackers would spend less time than other types of attackers inside networks. Today it seems some of these attackers rely less on individual payouts and more on volume. This is apparently working out for them: according to statistics published earlier this year by Chainalysis, payouts for 2023 likely surpassed $1 billion USD. The attacks themselves can be noisy, especially when payloads are introduced into the network. In contrast, web shell implants and coin miners are meant to be stealthy and persistent.

Measuring dwell time and commenting on its meaning has been a fixture of this report since its inception. We've included it here for completeness, but like many aspects of the threat landscape and attacker behavior, we think dwell time has reached stasis. It is unlikely that these dwell time values will change dramatically in the short term. Like ransomware prevalence, there might be some variability from year to year, but the overall trend will remain stable, and it will, of course, never reach zero.

Dwell time is a lagging indicator. It can only be calculated after the intruders have been discovered. One way to shrink dwell time is to detect intrusions sooner, and there are other time-based indicators that can help defenders spot suspicious activity in the network, if, of course, you're watching for that sort of thing.

In 2023, to better understand attacker timelines, we started capturing the time-to-Active-Directory (AD) metric. What we found is that the median time-to-AD for all attacks in 2023 was 0.64 days. The earliest time-to-AD was -28.90 days, while the longest was 281.45 days. This contrasts with the time difference between getting access to an AD server and when the attack is detected. Here we saw a median of 2.02 days.

Where available, we also recorded the operating system version of affected AD servers. This can be significant, since Microsoft steadily improves the baseline security of AD over subsequent releases. We found that 90% of AD servers were running Windows Server 2019 (which exited mainstream support in January 2024) or earlier versions. The case dataset included three deployments of Windows Server 2008. We further noted that 79% of AD servers were protected only with Windows Defender, and at least two servers had no protection whatsoever.

Sometimes, as all researchers will tell you, what looks interesting in a smaller dataset gets overturned by examining a larger one. Since no good deed goes unpunished, we went back to collect the time-to-AD data from the 152 cases investigated in 2022, so we could understand the bigger picture and compare the values. As it was for dwell time, the 2022 median time-to-AD (1.34 days) was more than double the median for 2023. The earliest time-to-AD was -208.29 days (yes, a negative number; in that case the customer experienced an AD compromise that long predated other artifacts related to their network breach), and the longest was 140.64 days. In 2022, 98% of AD installations were Windows Server 2019 or earlier, and 69% were protected with Windows Defender.

Armed with the knowledge that some attackers are making a mad dash for Active Directory servers, we must be prepared to detect them posthaste. Part of that preparation includes having the right solutions in
place to detect suspicious activity the people available to investigate suspicious signals and the necessary telemetry to determine what happenedppMoving past the necessary grind of statistics we turn our attention now toppData theft is another opportunity for detecting an intruder When faced with data exfiltration or data extortion time has already run out However when facing a ransomware attack there is still an opportunity to detect the intruders and evict them from the network before they proceed to the final actppAllcause data exfiltration occurred at roughly the same rate in 2023 as it did in 2022 We could confirm exfiltration in 40 of cases a further 14 had indications of possible exfiltration or of data staging an activity one would expect to see in the course of an exfiltration attempt The previous year saw 43 confirmed exfiltrations with an additional 9 determined as possible data theftppAnother area where missing logs hampers investigations is in determining whether exfiltration has occurred In 42 of cases incident responders were unable to determine from the available evidence whether any exfiltration had occurred This was largely due to there being no evidence available for responders to confirm or deny whether exfiltration happened Breaking it down further of the 55 cases lacking sufficient evidence 29 cases 53 were missing logs and an additional 6 cases 11 had logs erased by the attackersppFor ransomware attacks we could confirm data exfiltration in 44 of cases with an additional 18 showing possible data exfiltration or data staging Unfortunately we were unable to determine if data was stolen in 30 of cases Of those cases 69 were hampered by missing logs with 56 due to missing logs and 13 due to cleared logsppAlarmingly 72 of network breach investigations found no evidence of data exfiltration More than half of the missing evidence was due to missing 43 or deleted 14 logsppThere is an inverse relationship between timetoAD and data theft Where 
attackers rush to get access to AD the data exfiltration component of a ransomware attack appears to come at the end of the campaign For example in the 2023 data the median time between the start of the attack and the deployment of a ransomware payload in a confirmed exfiltration was 376 days In contrast the time between exfiltration and deployment was 06 daysppAs with timetoAD this metric is only useful if an organization has the necessary elements in place to detect and respond to a data exfiltration event If exfiltration is the ultimate goal of the attackers the organization can quickly determine their exposure and begin the process of notifying regulators and other stakeholders As governments around the world increase their rules and regulations concerning data breaches victim organizations will need to respond in kind If the exfiltration event is a precursor to a ransomware attack detecting a data exfiltration event could mean the difference between a bad day at the office and a very bad day in the newsppOne of the most surprising results from our data analysis for the midyear report in 2023 was a strong pattern in the local time of day when ransomware was deployed For that report the dataset included all cases from the first half of 2023 Analysis showed that 91 of ransomware payloads were deployed outside of traditional business hours As we did for timetoAD we eagerly awaited the fullyear data to see if the results would be upheld by a bigger dataset since as noted above larger datasets often expose biases in data and effects can get watered down While we waited we reexamined the data and corrected for countries where business days are not traditionally Monday to Friday The original analysis assumed the workweek to be five standard working days of 8am to 6pm Monday through Friday the weekend was held to be the period between 6pm on Friday and 12am on MondayppWhile there was a small correction applied by doubling the dataset we found that 90 of ransomware 
deployments were deployed outside of business hours in 2023 A total of 11 attacks were launched during local business hours in the workweekppSince we were already reanalyzing cases for timetoAD we also attempted to capture the ransomware deployment time for 2022 What we found was that 94 of ransomware deployments occurred outside of business hours Only six cases fell within office timeppWhile we wont consider these results definitive we dont have visibility into every ransomware attack we can pronounce with high confidence that ransomware deployments are most prevalent outside of traditional business hours When looking at both 2022 and 2023 92 of ransomware attacks support this findingppOne thing we can conclude by analyzing attacker timelines is that time can be on our side during an attack Despite shrinking dwell times defenders still have a median 6 days to detect an intruder However these times change dramatically when a motivated actor strikes In the case of ransomware in 2023 the median time shrinks to 5 days versus 10 days for all other attack typesppIn addition there are signs along the way that can alert defenders to a potential danger lurking in the network Immediately detecting an intruder on an Active Directory server can mean stopping an attack in less than 24 hours Spotting a data exfiltration event can prevent an even more devastating outcomeppWe know that through years of practice many ransomware criminals have honed their skills But this is not a oneway battle Defenders can also sharpen their skills by practicing response playbooks and as this section has shown by the true understanding of what the statistics are sayingppTurning our attention from the statistics to the usual examination of tools and tactics techniques and procedures TTPs analyzing this years crop evokes strong feelings of déjà vu We observed the same items in each top five albeit in slightly different orders yearonyear Its not until we look past the top ten that we start seeing 
variability Nowhere is this stasis more apparent than in the tools used and abused by attackers in the past three years In both the detected tools and Microsoft binaries the top ten are nearly identical Its almost as if the attackers arent being challenged and can simply reuse the same tools and TTPs ad infinitumppFigure 16 SoftPerfect Network Scanner leads the list of artifacts spotted in 2023 IR cases displacing Cobalt Strike from the perch it has held since the start of the Active Adversary Report series however Cobalt Strike still leads the alltime occurrence listppDespite the top tools being similar yearonyear there is one trend that might signal a change in attacker behavior Cobalt Strike the longstanding leader has seen its share decline steadily in the past three years While it still maintains the top spot in the alltime rankings by absolute count the percentage of attacks using a Cobalt Strike payload has declined significantly in the period from 2021 to 2023 the share of Cobalt Strike has gone from 48 to 27 A potential reason for this is that Cobalt Strike has been so heavily abused that we have become very adept at detecting and blocking itppThe overall leader this year was SoftPerfects Network Scanner which is routinely abused by attackers to map out networks and discover potential targets Weve seen abuse of this software for many years and its utility hasnt gone unnoticed by the attackers Another frequently abused albeit legitimate application is AnyDesk the popular tool for administrators to manage their endpointsppOne interesting element of the top 10 is that 50 of the tools facilitate data exfiltration Both 7zip and WinRAR again tools with legitimate uses but abused by attackers are routinely used to create archives that enable and potentially obfuscate data theft while the others enable the collection and transfer of said archives Unfortunately many organizations still dont have a firm enough grasp on what normal looks like so they miss large 
transfers of data leaving their network. As an example, the MEGA cloud storage service is all too often abused by data exfiltrators; if you have traffic either coming from or going to MEGA and you have no pre-existing business relationship with the company, that's worth investigating.

An interesting side note is the incidence of the tool Impacket in our dataset. As described by the maintainer of the project, Impacket is a collection of Python classes for working with network protocols. As this is a collection of tools, we record their individual use (e.g., Impacket/atexec, Impacket/secretsdump, Impacket/smbproxy, etc.) to better understand how each is used in an attack. However, if we roll all the individual tools into one Impacket data point, a significant result emerges: all uses of Impacket in 2023, counted together, would rank sixth in the artifacts list.

With few exceptions, most of the tools in this category are prime candidates for monitoring and blocking.

Figure 17: RDP continues to rule the MS LOLBin roost, with PowerShell the constant runner-up.

Remote Desktop Protocol (RDP) is once again the most abused of all the Microsoft LOLBins (living-off-the-land binaries). We won't spend much time discussing RDP in this report (instead, please see our special supplemental coverage, which goes into both statistics and recommendations for dealing with the protocol), but we do think it's on track for a lifetime achievement award. RDP abuse has reached new heights, with 90% of attacks using it for internal lateral movement and 20% for external remote access. As for the 18% of organizations who still have RDP exposed to the internet: you should ask yourself, "My God, what have I done?" To find out how that has worked out for one Sophos customer, keep reading; this report's Case Study section is just ahead. At publication time there were approximately 4 million exposed RDP systems on the internet.

Figure 18: In 2023, nine out of ten attacks handled by our IR team included evidence of RDP abuse.

Setting RDP aside, PowerShell continues to power many attacks, due to its ubiquity, privilege, flexibility, and usefulness. It is difficult to argue for its removal from networks; therefore the only option is to strictly monitor and control it. Strategies for using PowerShell safely and securely include, but are not limited to: logging all PowerShell activity, applying the principle of least privilege to which accounts can run scripts, running the latest version, and enabling constrained language mode.

The rest of the binaries in this list are used for various purposes, including execution, persistence, defense evasion, discovery, and lateral movement. Having visibility into all your devices, and the capacity to act when necessary, is a requirement for today's defenders.

Figure 19: A traditionally more volatile category than either Artifacts or LOLBins, the catch-all "Other" category has been led for two years now by Valid Accounts; it was preceded in 2020 and 2021 by Malicious Scripts.

The techniques and other indicators that we observed this past year are also very much standard operating procedure for many attacks. This section of our findings data is usually where we see the most variability. For example, we use this category to track specific exploits that are being used in the wild, and those often change from year to year, but they mostly make up the long (200+) tail of this dataset. Front and center are techniques and observations that contribute to the fog of war that surrounds many investigations.

A few words about missing and cleared logs, a topic we'll tackle more fully in a later Active Adversary publication. Attackers have become adept at disabling protection and clearing their tracks. This concerted effort to blind defenders is usually in the service of remaining undetected. However, there are unintended consequences to disabling protection that can be to a defender's advantage: a telemetry signal going dark should be a beacon that something is happening in the environment which requires immediate attention.

Never mind attackers
trying to blind us; in many cases we're blinding ourselves.

In 2023 we started capturing the incidence of missing telemetry, since the data showed that this was the case in 54% of the attacks we investigated. What was most surprising was how prevalent this new metric turned out to be: in its first year of AAR scrutiny it cracked the top 10 in our all-time ranking. While there were several reasons why the logs were unavailable, in most cases it was because organizations hadn't taken the necessary steps to ensure they would be there when it mattered most.

And as if the overwhelming amount of credential compromise wasn't enough, 43% of organizations had neglected to enable MFA on their external services. There is no other way to put this: when a solution exists that can stop an attacker in their tracks and it is not implemented, it is willful negligence. In the final section of our report, we'll look at how that worked out for a specific MDR customer.

Over and over in the Active Adversary report series we've repeated three fundamental security principles, basic hygiene for defenders. Here they are again, in large-print haiku form.

Why do we keep hammering away at this? Because these three security tenets still aren't universally adopted, and we see the results. One particular MDR customer last year learned this the hard way, falling victim to compromise four times within a six-month period. With business requirements preventing the customer from addressing the root cause, the attacker gained initial access through the same vector each time: brute-force attacks against exposed RDP ports. We've changed some of the details to protect the customer's identity, but we offer a year in the life of their story to encourage our readers to avoid this fate by prioritizing basic security hygiene.

December 2022 (prologue): Initial access occurred via successful brute-force attacks against multiple exposed RDP ports. The attacker leveraged multiple PowerSploit modules and Rubeus tooling to compromise authentication before dropping a number of malicious binaries and downloading an EDR-killer tool. Sophos MDR's response actions quickly contained the threat. However, the customer declined the MDR recommendation to restrict access to the exposed RDP ports, citing business needs.

Recommendations: After this case, MDR recommended that the customer close the various RDP ports exposed to the internet; the customer declined, citing business needs. A recommendation for a domain-wide credential reset was not addressed; a patching recommendation was likewise unaddressed.

Summer 2023: Initial access was again achieved through successful brute-force attacks against exposed RDP ports. The attacker then created and leveraged the open-source PAExec tool to run Nltest commands to enumerate domain controllers within the estate. Following enumeration, the attacker moved laterally and modified registry values to enable Remote Desktop connections, allow unsolicited Remote Assistance requests, and disable Network Level Authentication (NLA) for RDP.

Recommendations: After this case, MDR reiterated the earlier recommendation that the customer close the exposed RDP ports, and also recommended that the customer enable multi-factor authentication, especially if the RDP ports were still required to be exposed. The client again declined the port recommendation and stated that MFA options were under business review.

Through December 2023: About five months later, a welter of attacks hit at approximately two-week intervals, each triggering a fresh round of response engagements. Initial access each time was achieved by brute force against exposed RDP. Once again, following initial access, the attackers performed enumeration, moved laterally, and modified registry settings to reduce restrictions on RDP access. Response actions were taken swiftly; however, investigators found a publicly exposed employee web portal with no MFA. Meanwhile, six ports first identified a year earlier were still exposed to the internet. Despite MDR's persistent recommendations, internal business
requirements continued to prevent the customer from implementing the appropriate security measures, leaving them vulnerable to ongoing targeting by threat actors using brute-force attacks.

January 2024: Two weeks later, the customer greeted the new year with another attack via the same open ports. The timeframe of this report ends here, but in all likelihood the attacks on the customer did not. The customer's business requirements do not allow them to restrict access to exposed RDP, nor have they enabled MFA; under those circumstances there is not much barrier to wave upon wave of further attacks, nor much further advice incident responders can offer them.

Risk acceptance is up to every organization individually; there is no one-size-fits-all for risk management. However, when the risk as accepted leaves you continually fighting fires in all directions, it's probably time to reassess. No matter how much the rest of your defenses are tightened, without following basic security principles the organization will persistently be left defending against threat actors whose initial access could have been stopped at the first hurdle.

Looking back on 2023's data, we are left with a feeling that not enough is being done to protect organizations from harm. Sure, some businesses may have the necessary protections in place, but no one is paying attention. Often the sole differences between organizations that are breached and ones that aren't are (1) the preparation entailed by selecting and putting the proper tools in place, and (2) the knowledge and readiness to act when required.

Ransomware attacks have reached a stasis point with respect to prevalence, tooling, and timelines. Unfortunately, we are also still seeing the same mistakes being made by defenders every year. It's with this in mind that we think organizations need to urgently participate in their own rescue. No industry, product, or paradigm is perfect, but we're still fighting yesterday's battles with, too often, the day before yesterday's weaponry. Most of the tools and techniques described in this report have solutions, or at the very least mitigations to limit their harm, but defenses are simply not keeping up.

Stolen credentials and unpatched systems should be a statistic from a bygone era. Unprotected systems, over-privileged users, and uncontrolled applications are problems that have solutions. Missing telemetry may not be entirely the fault of the victims (determined attackers will continue to make defenders work harder by interfering with it), but insufficient logging, or no logging at all, is an unintended oversight at best and a deliberate failure to act at worst. These are all unforced errors, and they must stop now.

A retrospective analysis such as this, especially during a relatively quiet moment in the struggle, is an opportunity to learn from previous mistakes. It can be tempting to look at our failings and get angry that we aren't progressing like we should. We say: don't look back in anger; look forward to how you can make positive change today for a better tomorrow.

MDR's Hilary Wood co-authored this report's case study ("You got another thing comin'... and another, and another"). Lee Kirkpatrick contributed the Active Adversary Special Report on RDP (Remote Desktop Protocol: The Series), to which this report makes extensive reference. The authors wish to thank Chester Wisniewski for his insights during the analysis process. Figure 6 was excerpted, with thanks, from work released in 2023 by World Watch / Global CERT, Orange Cyberdefense. Special acknowledgement for Figure 7, which is the work of the late Vitali Kremez. He is greatly missed.

As we put together this report, we chose to narrow our focus to 154 cases that could be meaningfully parsed for useful information on the state of the adversary landscape as of the end of 2023. Protecting the confidential relationship between Sophos and our customers is of course our first priority, and the data you see here has been vetted at multiple stages during this process to ensure that no single customer is
identifiable through this data and that no single customer's data skews the aggregate inappropriately. When in doubt about a specific case, we excluded that customer's data from the dataset.

Figure A1: Around the globe and up your street, it's the Sophos X-Ops IR team.

The full list of nations and other locations represented in the 2023 report data is as follows:

The full list of industries represented in the 2023 data for this report is as follows:

The data in this report was captured over the course of individual investigations undertaken by the Sophos X-Ops Incident Response team. For this initial report of 2024, we gathered case information on all investigations undertaken by the team in 2023 and normalized it across 43 fields, examining each case to ensure that the data available was appropriate in detail and scope for aggregate reporting, as defined by the focus of the proposed report.

When data was unclear or unavailable, the authors worked with individual IR case leads to clear up questions or confusion. Incidents that could not be clarified sufficiently for the purpose of the report, or about which we concluded that inclusion risked exposure or other potential harm to the Sophos-client relationship, were set aside. We then examined each remaining case's timeline to gain further clarity on such matters as initial ingress, dwell time, exfiltration, and so forth. We retained 154 cases, and those are the foundation of the report.

John Shier is a Field CTO at Sophos. John is a popular presenter at security events and is well known for the clarity of his advice, even on the most complex security topics. John doesn't just talk the talk; he also gives hands-on technical support and product education to Sophos partners and customers.

Angela Gunn is a senior threat researcher in Sophos X-Ops. As a journalist and columnist for two decades, her outlets included USA Today, PC Magazine, Computerworld, and Yahoo Internet Life. Since morphing into a full-time technologist, she has focused on incident response, privacy, threat modeling, GRC, OSINT, and security training at companies including Microsoft, HPE, BAE AI, and SilverSky.
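The report's advice above about MEGA traffic, and its point that many organizations cannot tell what "normal" outbound volume looks like, can be turned into a simple egress hunt. What follows is an added example written for this page, not code from the report or from Sophos. It runs offline in Windows PowerShell 5.1 or PowerShell 7 over a constructed proxy-log sample embedded in the script; the CSV column names, the list of MEGA domain suffixes, and the spike multiplier are assumptions for the example and should be adjusted to your own logs and environment.

```powershell
# Added example (not from the Sophos report): hunt egress logs for traffic to the
# MEGA service and for hosts sending far more data than their own recent baseline.
# Runs offline in Windows PowerShell 5.1 or PowerShell 7.

# Constructed sample proxy log (assumed layout: timestamp, source host,
# destination host name, bytes sent by the client). Not real data.
$sampleLog = @'
timestamp,src_host,dst_host,bytes_out
2023-06-01T09:15:00,WS-014,updates.example-vendor.com,120000
2023-06-01T11:02:00,WS-014,mail.example.com,300000
2023-06-02T10:40:00,WS-014,sharepoint.example.com,250000
2023-06-03T08:55:00,WS-014,mail.example.com,280000
2023-06-04T02:10:00,WS-014,g.api.mega.co.nz,60000
2023-06-04T02:12:00,WS-014,mega.nz,7400000000
2023-06-01T09:00:00,SRV-DB1,backup.example.com,900000000
2023-06-02T09:00:00,SRV-DB1,backup.example.com,950000000
2023-06-03T09:00:00,SRV-DB1,backup.example.com,910000000
2023-06-04T09:00:00,SRV-DB1,backup.example.com,930000000
'@

# Assumed list of domains used by the MEGA service. Matched as suffixes, so
# hosts such as g.api.mega.co.nz are caught too. Extend for your environment.
$megaDomains = @('mega.nz', 'mega.co.nz', 'mega.io')

function Test-MegaDomain {
    param([Parameter(Mandatory)][string]$HostName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $megaDomains) {
        if ($h -eq $d -or $h.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

function Get-Median {
    param([double[]]$Values)
    $sorted = @($Values | Sort-Object)
    $n = $sorted.Count
    if ($n -eq 0) { return 0 }
    if ($n % 2 -eq 1) { return [double]$sorted[[int][math]::Floor($n / 2)] }
    return ([double]$sorted[$n / 2 - 1] + [double]$sorted[$n / 2]) / 2
}

function Find-ExfilCandidates {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        # A day is flagged when a host sends more than this multiple of its own
        # median daily volume over the preceding days (assumed threshold).
        [double]$SpikeMultiplier = 5
    )
    # Add a calendar day and a numeric byte count to every row.
    $rows = $CsvText | ConvertFrom-Csv |
        Select-Object *, @{ n = 'Day'; e = { $_.timestamp.Substring(0, 10) } },
                         @{ n = 'Bytes'; e = { [double]$_.bytes_out } }
    $findings = [System.Collections.Generic.List[object]]::new()

    # Rule 1: any traffic to MEGA. Investigate unless there is a known business use.
    foreach ($r in $rows) {
        if (Test-MegaDomain -HostName $r.dst_host) {
            $findings.Add([pscustomobject]@{
                Rule   = 'MEGA traffic'
                Host   = $r.src_host
                Detail = "$($r.timestamp) -> $($r.dst_host) ($($r.bytes_out) bytes)"
            })
        }
    }

    # Rule 2: each host's daily outbound volume compared with its own earlier days.
    $daily = $rows | Group-Object src_host, Day | ForEach-Object {
        [pscustomobject]@{
            Host  = $_.Group[0].src_host
            Day   = $_.Group[0].Day
            Bytes = ($_.Group | Measure-Object -Property Bytes -Sum).Sum
        }
    }
    foreach ($hostGroup in ($daily | Group-Object Host)) {
        $days = @($hostGroup.Group | Sort-Object Day)
        for ($i = 1; $i -lt $days.Count; $i++) {
            $baseline = Get-Median -Values @($days[0..($i - 1)] | ForEach-Object { [double]$_.Bytes })
            if ($baseline -gt 0 -and $days[$i].Bytes -gt $SpikeMultiplier * $baseline) {
                $findings.Add([pscustomobject]@{
                    Rule   = 'Outbound spike'
                    Host   = $days[$i].Host
                    Detail = "$($days[$i].Day): $($days[$i].Bytes) bytes vs median $baseline"
                })
            }
        }
    }
    return $findings
}

Find-ExfilCandidates -CsvText $sampleLog | Format-Table -AutoSize
```

On the constructed sample, WS-014 is reported twice: once for the two MEGA connections, and once because its 4 June volume is several orders of magnitude above the median of its first three days, while SRV-DB1's large but steady backup traffic is not flagged. The baseline is per host on purpose; a flat threshold across the estate is exactly the "don't know what normal looks like" failure the report describes.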
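The PowerShell controls the report lists above (log everything, run the latest engine, use constrained language mode) and its warning about telemetry that is missing because nobody configured it can be checked and applied from one script. The following is an added example for this page, not code from the report or from Sophos. It is meant to run in an elevated Windows PowerShell 5.1 or PowerShell 7 session on a Windows host; the registry paths are the ones the corresponding Group Policy settings write, and the transcript directory and log sizes are assumptions to adjust. Without -Apply it only audits.

```powershell
# Added example (not from the Sophos report): audit, and optionally apply, the
# PowerShell controls the report recommends, and confirm the logs that would hold
# the telemetry actually exist and are large enough not to roll over.
# Run elevated in Windows PowerShell 5.1 or PowerShell 7 on Windows.
[CmdletBinding()]
param(
    [switch]$Apply,                               # without -Apply, audit only
    [string]$TranscriptDir = 'C:\PSTranscripts',  # assumed; use a write-only share in practice
    [long]$LogSizeBytes = 1GB                     # assumed size for the PowerShell and Security logs
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$desired = @(
    @{ Key = "$policyRoot\ScriptBlockLogging";        Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Key = "$policyRoot\ModuleLogging";             Name = 'EnableModuleLogging';      Value = 1 }
    @{ Key = "$policyRoot\ModuleLogging\ModuleNames"; Name = '*';                        Value = '*' }  # every module
    @{ Key = "$policyRoot\Transcription";             Name = 'EnableTranscripting';      Value = 1 }
    @{ Key = "$policyRoot\Transcription";             Name = 'EnableInvocationHeader';   Value = 1 }
    @{ Key = "$policyRoot\Transcription";             Name = 'OutputDirectory';          Value = $TranscriptDir }
)
$logs = 'Microsoft-Windows-PowerShell/Operational', 'Security'

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-V2EngineFeature {
    # The v2 engine has none of the logging above; attackers ask for it on purpose.
    try { Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop }
    catch { $null }
}

function Test-PowerShellControls {
    $results = foreach ($d in $desired) {
        $current = Get-RegistryValueOrNull -Key $d.Key -Name $d.Name
        [pscustomobject]@{
            Control = "$($d.Key.Substring($policyRoot.Length + 1))\$($d.Name)"
            Current = $current
            Desired = $d.Value
            Ok      = ("$current" -eq "$($d.Value)")
        }
    }
    $results += [pscustomobject]@{
        Control = 'PowerShell engine version'; Current = $PSVersionTable.PSVersion.ToString()
        Desired = '>= 5.1'; Ok = ($PSVersionTable.PSVersion.Major -ge 5)
    }
    $v2 = Get-V2EngineFeature
    $v2State = if ($v2) { $v2.State } else { 'n/a' }
    $results += [pscustomobject]@{
        Control = 'PowerShell v2 engine feature'; Current = $v2State
        Desired = 'Disabled'; Ok = ($null -eq $v2 -or $v2.State -eq 'Disabled')
    }
    # Language mode of this session only. Durable enforcement comes from a WDAC or
    # AppLocker policy, which this script does not write.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $results += [pscustomobject]@{
        Control = 'Session language mode'; Current = $mode
        Desired = 'ConstrainedLanguage'; Ok = ($mode -eq 'ConstrainedLanguage')
    }
    # "Missing telemetry" is often a log that was never enabled or simply rolled over.
    foreach ($log in $logs) {
        $l = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $size = if ($l) { $l.MaximumSizeInBytes } else { 'missing' }
        $results += [pscustomobject]@{
            Control = "Log '$log' enabled and max size"; Current = $size
            Desired = ">= $LogSizeBytes"; Ok = [bool]($l -and $l.IsEnabled -and $l.MaximumSizeInBytes -ge $LogSizeBytes)
        }
    }
    return $results
}

function Enable-PowerShellControls {
    foreach ($d in $desired) {
        if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
        $type = if ($d.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Value -PropertyType $type -Force | Out-Null
    }
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
    # wevtutil resizes both classic and ETW-backed channels.
    foreach ($log in $logs) { & wevtutil.exe sl $log "/ms:$LogSizeBytes" }
    $v2 = Get-V2EngineFeature
    if ($v2 -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

if ($Apply) { Enable-PowerShellControls }
Test-PowerShellControls | Format-Table -AutoSize
```

Script block logging lands in the Microsoft-Windows-PowerShell/Operational channel as event 4104, which is why the script checks that channel's size alongside the Security log: a 15 MB default log on a busy host rolls over in hours, which produces precisely the gap the report counts as missing telemetry. Transcripts should go to a location the logged-on user cannot read back or delete, hence the note about a write-only share.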
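The case study above turns on two things: RDP reachable from the internet with no MFA, and the attackers' habit of flipping the registry values that enable Remote Desktop, permit unsolicited Remote Assistance, and switch off Network Level Authentication. The script below is an added example for this page, not code from the report or from Sophos. Run elevated in Windows PowerShell 5.1 or PowerShell 7 on the host in question, it reports those settings against a hardened baseline, checks whether TCP/3389 is listening and how the firewall scopes it, and hunts the Security log for the brute-force pattern (many 4625 failures from one source, followed by a 4624 success) that preceded each intrusion. The look-back window and failure threshold are assumptions.

```powershell
# Added example (not from the Sophos report): audit the RDP settings the case-study
# attackers tampered with and hunt the Security log for RDP brute force.
# Run elevated in Windows PowerShell 5.1 or PowerShell 7 on the host under review.
[CmdletBinding()]
param(
    [int]$Hours = 24,             # look-back window for logon events (assumed)
    [int]$FailureThreshold = 20   # failures from one source before it is reported (assumed)
)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpPosture {
    # Each entry: registry value, what it controls, and the value a hardened host
    # should carry. The case-study attackers changed the first three to open the door.
    $checks = @(
        @{ Key = $ts;                        Name = 'fDenyTSConnections'; Hardened = 1; Meaning = 'Remote Desktop disabled' }
        @{ Key = "$ts\WinStations\RDP-Tcp";  Name = 'UserAuthentication'; Hardened = 1; Meaning = 'Network Level Authentication required' }
        @{ Key = $ts;                        Name = 'fAllowUnsolicited';  Hardened = 0; Meaning = 'unsolicited Remote Assistance blocked' }
        @{ Key = $ts;                        Name = 'fAllowToGetHelp';    Hardened = 0; Meaning = 'Remote Assistance disabled' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting = $c.Name; Meaning = $c.Meaning; Current = $current
            Hardened = ($current -eq $c.Hardened)
        }
    }
    # Is anything actually listening, and does the firewall limit who can reach it?
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting = 'TCP/3389 listening'; Meaning = 'RDP reachable on the network'
        Current = [bool]$listening; Hardened = (-not $listening)
    }
    $rules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    $scopes = @($rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress)
    [pscustomobject]@{
        Setting = 'RDP firewall remote scope'; Meaning = 'enabled rules limited to trusted addresses, not Any'
        Current = ($scopes -join ','); Hardened = ($rules.Count -eq 0 -or $scopes -notcontains 'Any')
    }
}

function Find-RdpBruteForce {
    param([int]$Hours, [int]$FailureThreshold)
    # 4625 = failed logon, 4624 = successful logon. RDP appears as logon type 10
    # (RemoteInteractive) or, while NLA authenticates, as type 3 (network).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $parsed = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -in '3', '10') {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Source = $d.IpAddress; User = $d.TargetUserName }
        }
    }
    foreach ($src in ($parsed | Where-Object { $_.Source -and $_.Source -ne '-' } | Group-Object Source)) {
        $fails = @($src.Group | Where-Object Id -eq 4625)
        if ($fails.Count -ge $FailureThreshold) {
            $wins = @($src.Group | Where-Object Id -eq 4624)
            [pscustomobject]@{
                Source    = $src.Name
                Failures  = $fails.Count
                Accounts  = @($fails.User | Sort-Object -Unique).Count   # many accounts = password spray
                Successes = $wins.Count                                  # non-zero = the brute force worked
                FirstSeen = ($src.Group.Time | Sort-Object | Select-Object -First 1)
            }
        }
    }
}

Get-RdpPosture | Format-Table -AutoSize
Find-RdpBruteForce -Hours $Hours -FailureThreshold $FailureThreshold | Format-Table -AutoSize

# The remediation the case-study customer kept declining: stop exposing RDP to the
# internet. Scoping the built-in rules to the local subnet (uncomment to apply) is the
# minimum; a VPN or gateway with MFA in front of it is the real fix.
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet
```

A source with dozens of failures across many account names and at least one success is the signature of the December 2022 and Summer 2023 intrusions described above; the posture table shows whether the attacker has already re-enabled RDP or dropped NLA on a host where you thought it was off. Where Security-log retention is short, the hunt should be run against a central collector rather than the endpoint, which is again the report's point about telemetry being absent when it matters.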
