
In its new Active Adversary Report 2024, Sophos reveals the wolf in sheep's clothing: cyber criminals are increasingly relying on trustworthy Windows applications for their attacks. Criminal use of such tools, commonly referred to as "Living Off the Land" binaries, has increased by 51 percent. LockBit remains the number 1 ransomware despite government intervention.
Sophos' new Active Adversary Report, titled "The Bite from Inside," provides a detailed look at how attackers' behaviors and techniques have changed in the first half of 2024. The analysis data comes from nearly 200 incident response cases handled by the Sophos X-Ops IR team and Sophos X-Ops Managed Detection and Response team in the first six months of 2024.
Abused Windows tools are less noticeable
The most important finding of the current research: Attackers are increasingly using trusted applications and tools on Windows systems for their activities - also known as "Living Off the Land" binaries (LOLbins). Cybercriminals want to avoid rapid detection and sneak around a compromised IT infrastructure for as long as possible. Compared to 2023, Sophos recorded an increase of 51 percent here, and even 83 percent since 2021.
Among the 187 different Microsoft LOLbins that were illegally misused in the first half of 2024, the Remote Desktop Protocol (RDP) was the most abused trusted application. Of the nearly 200 incident response cases analyzed, attackers exploited RDP in 89 percent of them. This dominance continues a trend first observed in the 2023 Active Adversary Report, where RDP abuse accounted for 90 percent of all IR cases examined.
Remote Desktop Protocol (RDP) most abused
"LOLbins not only provide a way to hide an attacker's activities, but unfortunately often imply tacit approval of their activities," said John Shier, Field CTO at Sophos. "While the misuse of other legitimate tools often raises alarm bells for defenders, the misuse of a Microsoft binary often has the opposite effect, as it is an integral part of Windows and has legitimate uses.
"In order to quickly identify abuse, it is extremely important that system administrators know exactly how these files are used in their environments. Without a nuanced and contextual awareness of the IT environment, including continuous vigilance for new and evolving events on the network, the often overburdened IT teams run the risk of overlooking important threat activities. One solution here can be a modern managed detection and response service that brings external experts on board and relieves the burden on IT teams."
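The quote above argues that defenders must know how LOLbins are normally used in their own environment, and the report's RDP figures point to the same need for remote logons. The following is an added example, not code from Sophos or the report, of how a defender can turn that into a routine check: build a baseline of which (host, user, binary, parent) combinations are known-good for a watch-list of Windows binaries, flag executions outside that baseline, and flag RDP logons (Windows logon type 10) from outside an allowed jump-host range. The LOLbin watch-list, the allowed subnet and every event record are constructed assumptions that a team would replace with its own telemetry.

```python
"""Baseline-and-deviation check for LOLbin use and RDP logons.

Added example, not code from the Sophos report. All events are constructed;
the watch-list and the allowed RDP source range are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed watch-list of Windows binaries commonly tracked as LOLbins.
LOLBINS = {"certutil.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
           "wmic.exe", "bitsadmin.exe"}

# Assumed: interactive RDP sessions are only expected from this jump-host subnet.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Windows 4688 style)."""
    host: str
    user: str
    image: str      # executable name
    parent: str     # parent executable name
    cmdline: str


@dataclass(frozen=True)
class LogonEvent:
    """One successful logon record (Windows event 4624 style)."""
    host: str
    user: str
    logon_type: int  # 10 = RemoteInteractive, i.e. RDP
    src_ip: str


def _key(e):
    return (e.host, e.user.lower(), e.image.lower(), e.parent.lower())


def build_baseline(events):
    """Count LOLbin (host, user, image, parent) combinations seen during a
    period the team has reviewed and accepted as normal."""
    return Counter(_key(e) for e in events if e.image.lower() in LOLBINS)


def flag_lolbin_deviations(events, baseline):
    """Return LOLbin executions whose combination never appeared in the baseline."""
    return [e for e in events
            if e.image.lower() in LOLBINS and _key(e) not in baseline]


def flag_rdp_logons(events, allowed_sources):
    """Return RDP (logon type 10) logons whose source is outside allowed ranges."""
    flagged = []
    for e in events:
        if e.logon_type != 10:
            continue
        src = ipaddress.ip_address(e.src_ip)
        if not any(src in net for net in allowed_sources):
            flagged.append(e)
    return flagged


# Constructed "known good" week: a deployment service adds a CA cert via
# certutil, a helpdesk user opens a control-panel applet via rundll32.
BASELINE_EVENTS = [
    ProcEvent("FILESRV01", "svc_deploy", "certutil.exe", "msiexec.exe",
              "certutil -addstore Root corp-ca.cer"),
    ProcEvent("FILESRV01", "svc_deploy", "certutil.exe", "msiexec.exe",
              "certutil -addstore Root corp-ca.cer"),
    ProcEvent("WS-HELPDESK", "jdoe", "rundll32.exe", "explorer.exe",
              "rundll32 shell32.dll,Control_RunDLL"),
]

# Constructed events from the period under review.
NEW_EVENTS = [
    ProcEvent("WS-HELPDESK", "jdoe", "rundll32.exe", "explorer.exe",
              "rundll32 shell32.dll,Control_RunDLL"),      # matches baseline
    ProcEvent("WS-HELPDESK", "jdoe", "certutil.exe", "cmd.exe",
              "certutil -hashfile report.pdf SHA256"),     # new user/parent combination
    ProcEvent("WS-HELPDESK", "jdoe", "notepad.exe", "explorer.exe",
              "notepad notes.txt"),                        # not on the watch-list
]

LOGON_EVENTS = [
    LogonEvent("FILESRV01", "admin", 10, "10.0.5.20"),    # from the jump host
    LogonEvent("FILESRV01", "admin", 10, "203.0.113.7"),  # unexpected source
    LogonEvent("WS-HELPDESK", "jdoe", 2, "127.0.0.1"),    # console logon, ignored
]


def run_checks():
    """Run both checks over the constructed data and return the findings."""
    baseline = build_baseline(BASELINE_EVENTS)
    return {"lolbin": flag_lolbin_deviations(NEW_EVENTS, baseline),
            "rdp": flag_rdp_logons(LOGON_EVENTS, ALLOWED_RDP_SOURCES)}


if __name__ == "__main__":
    for kind, hits in run_checks().items():
        for hit in hits:
            print(kind, hit)
```

The design point is that the alert is raised on the context (who ran the binary, on which host, from which parent, and where the RDP session came from), not on the binary itself, which is exactly why a plain "certutil.exe was executed" rule produces the alarm fatigue the quote describes. In practice the baseline should be rebuilt periodically and reviewed by someone who knows the environment, since an attacker's activity that lands inside the baseline window would otherwise be accepted as normal.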
Key findings from the Active Adversary Report
- Lockbit is still number 1. Despite government interventions against the main leak website and its infrastructure, LockBit was the most prevalent ransomware group in February, accounting for about 21 percent of infections in the first half of 2024.
- The main gateway continues to be compromised access data. This continues a trend first identified in the Active Adversary Report for Tech Leaders. Compromised credentials are still the main cause of attacks in 39 percent of cases, but this is down from 56 percent in 2023.
- Older Active Directory servers are the main targets for compromise. 87 percent of attackers have compromised Active Directory server versions from 2019, 2016 and 2012. All three of these versions no longer receive mainstream support from Microsoft - so they are one step away from end-of-life (EOL) where no patch is possible without paid support from Microsoft.
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.