Ransomware continues to be the most common “end game” scenario in a cyber attack, accounting for 68.4% of all incidents to which the Sophos X-Ops incident response (IR) team responded in 2022, according to data drawn from the supplier’s latest Active adversary report for business leaders, an in-depth look at the evolving attack techniques and behaviours of threat actors.
Although the exponential growth rate of ransomware attacks observed for the past few years tapered off somewhat last year – for a number of reasons, not least the impact of the Ukraine war on Russia’s criminal ecosystem – it remains vastly more common than all other forms of attacks, according to Sophos. In comparison, the second most common incident type – simple network breaches without a ransomware element – accounted for just 18.4% of incidents.
Sophos said ransomware would always loom large in the overall statistics, given it is a disruptive, noisy and visible form of cyber attack, and requires a good deal of expert help. The X-Ops team additionally noted that many of the network breaches they responded to had no clear motive, so may well have developed into ransomware incidents had they run their course.
Elsewhere, 4% of X-Ops responses related to incidents of data exfiltration and 2.6% to data extortion, usually hallmarks of a ransomware incident, but increasingly used as tactics by threat actors without encrypting data; 3.3% related to the deployment of malware loaders; 2.6% to the deployment of web shells; and 0.7% to the deployment of illicit cryptominers.
“The variety of different attack types in this year’s data showed a slight rise,” wrote the report’s author, John Shier, field chief technology officer for Sophos’s commercial business. “It may be that this diversity is due to attackers not achieving their end objectives. More companies are adopting technologies like EDR [Endpoint Detection and Response], NDR [Network Detection and Response] and XDR [Extended Detection and Response], or services like MDR [Managed Detection and Response], all of which allow them to spot trouble sooner.
“This, in turn, means they can stop an attack in progress and evict the intruders before the primary goal is achieved – or before another, more malignant intruder finds a protection gap first located by a lesser adversary. While a coinminer or a web shell on your network is still not acceptable, it is much better to detect and remediate threats such as these before they turn into full-blown ransomware attacks, or exfiltration, or extortion, or a reportable breach,” he observed.
Perhaps linked to this, the X-Ops team observed decreases in average attacker dwell times across the board, down from 11 days in 2021 to nine days in 2022 in ransomware incidents, and 34 days to 11 days in others, in the same timeframe.
Shier posited that this was again linked to effective defensive posture. “Organisations that have successfully implemented layered defences with constant monitoring are seeing better outcomes in terms of attack severity, [but] the side effect of improved defences means that adversaries have to speed up to complete their attacks,” he said.
“Therefore, faster attacks necessitate earlier detection. The race between attackers and defenders will continue to escalate and those without proactive monitoring will suffer the greatest consequences.”
Logging in, not breaking in
The X-Ops team’s latest data also reveals some insight into how threat actors are accessing their victims’ networks to begin with, and what else they are doing once they are inside.
The team found that unpatched vulnerabilities were the single most common access method: fully half of X-Ops’ 2022 investigations involved exploitation of the Log4Shell and ProxyShell vulnerabilities. The next most common root cause was compromised credentials – as Shier put it, “when today’s attackers aren’t breaking in, they’re logging in”. These were followed by unknown access methods (troubling, because when an IR team cannot identify the root cause, remediation becomes significantly harder), then malicious documents, brute-force attacks and phishing.
In the course of its day-to-day work, the team also identified 524 unique tools and techniques in use by threat actors. Among them were 204 offensive or hacking tools, with the Cobalt Strike post-exploitation framework reliably the most popular, followed by AnyDesk, mimikatz, SoftPerfect’s Network Scanner, Advanced IP Scanner and TeamViewer.
Additionally, X-Ops found almost 120 living-off-the-land binaries (LOLBins): legitimate executables that occur “naturally” on the operating system and are then co-opted by malicious actors. Because the binary itself is legitimate, this makes it considerably harder for security teams to spot – and block – the abuse. PowerShell led the way in terms of LOLBin use, followed by cmd.exe, PsExec, Task Scheduler and net.exe. Abuse of Remote Desktop Protocol (RDP) counts as a LOLBin too, but was excluded from the sampling due to its “utter ubiquity”.
In general, Sophos advises that given the wide diversity of options in play, zeroing in on one of them is not going to help much – security teams should really try to limit the tools that are allowed to be present, limit what they can do, and audit all use of them. For example, Cobalt Strike should probably always be blocked, but some use of TeamViewer can be safely allowed on a highly controlled basis.
Similarly, blocking LOLBins outright is not practical, as many of them are essential to day-to-day operation – security teams are better off building detection triggers that catch anomalous activity involving them, such as unusual arguments or an unexpected parent process, rather than the binary itself.
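To make the advice in the two paragraphs above concrete, here is an added example (not code from the report, from Sophos or from Computer Weekly): a small Python triage script that applies a remote-access tool allowlist, in the spirit of “allow TeamViewer only on a highly controlled basis”, and a set of LOLBin triggers keyed on arguments and parent process rather than on the binary, to a handful of constructed process-creation events. The event fields are loosely modelled on endpoint process-creation telemetry; the host names, user names, approved (host, user) pairs and rule patterns are all hypothetical illustrations, not a tuned rule set.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Remote-access tools that may run only on approved (host, user) pairs.
# Approved use is still recorded (the "audit all use" advice); any other use
# is alerted. The pairs are hypothetical.
REMOTE_ACCESS_ALLOWLIST = {
    "teamviewer.exe": {("HELPDESK01", "CORP\\helpdesk1")},
    "anydesk.exe": set(),  # nothing approved: any use is an alert
}

OFFICE_PARENT = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)

# LOLBin rules: (image name, command-line pattern or None, parent pattern or
# None, label). The binary is legitimate, so each rule keys on an argument
# pattern or a parent process that is rarely benign.
Rule = Tuple[str, Optional[Pattern], Optional[Pattern], str]
LOLBIN_RULES: List[Rule] = [
    ("powershell.exe", re.compile(r"(?:^|\s)-(?:enc(?:odedcommand)?|e)\s", re.I), None,
     "PowerShell encoded command"),
    ("powershell.exe", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), None,
     "PowerShell hidden window"),
    ("powershell.exe", None, OFFICE_PARENT, "PowerShell spawned by an Office application"),
    ("cmd.exe", None, OFFICE_PARENT, "cmd.exe spawned by an Office application"),
    ("net.exe", re.compile(r"\buser\b.*\s/add\b", re.I), None, "net.exe local account creation"),
    ("net.exe", re.compile(r"\blocalgroup\s+administrators\b.*\s/add\b", re.I), None,
     "net.exe addition to local Administrators"),
    ("schtasks.exe", re.compile(r"\s/create\b", re.I), None, "scheduled task creation"),
    ("psexec.exe", None, None, "PsExec remote execution"),
]

# Constructed sample events (hypothetical hosts, users and command lines).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"host": "WS02", "user": "CORP\\bob",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "SRV01", "user": "CORP\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user helpdesk P@ssw0rd! /add"},
    {"host": "SRV01", "user": "CORP\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators helpdesk /add"},
    {"host": "WS03", "user": "CORP\\carol", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\SRV02 -s cmd.exe"},
    {"host": "WS04", "user": "CORP\\dave", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "HELPDESK01", "user": "CORP\\helpdesk1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "WS05", "user": "CORP\\erin", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\\Users\\Public\\u.exe"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the AUDIT/ALERT findings for one process-creation event."""
    findings: List[str] = []
    image = basename(event["image"])
    parent = event.get("parent", "")
    cmdline = event.get("cmdline", "")
    who = f"{event['user']} on {event['host']}"

    # Tool policy: restricted tools are audited when approved, alerted otherwise.
    if image in REMOTE_ACCESS_ALLOWLIST:
        if (event["host"], event["user"]) in REMOTE_ACCESS_ALLOWLIST[image]:
            findings.append(f"AUDIT: approved {image} use by {who}")
        else:
            findings.append(f"ALERT: unapproved {image} use by {who}")

    # LOLBin triggers: fire on the context, never on the bare binary.
    for name, arg_re, parent_re, label in LOLBIN_RULES:
        if image != name:
            continue
        if arg_re is not None and not arg_re.search(cmdline):
            continue
        if parent_re is not None and not parent_re.search(parent):
            continue
        findings.append(f"ALERT: {label} by {who}: {cmdline}")
    return findings


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Evaluate every event and return all findings in order."""
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Two design points are worth noting. The allowlist keys on the executable name, which a renamed binary trivially evades; in production the same policy would key on the file hash or code-signing identity, and a Cobalt Strike beacon in particular has no fixed name to match, which is why the report stresses limiting what tools can do rather than spotting one of them. And the only event that produces no finding is the interactive, unobfuscated PowerShell session, which is exactly the day-to-day use that blocking the binary outright would break.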
“The reality is that the threat environment has grown in volume and complexity to the point where there are no discernible gaps for defenders to exploit,” said Shier.
“For most organisations, the days of going it alone are well behind them. It truly is everything, everywhere, all at once. However, there are tools and services available to businesses that can alleviate some of the defensive burden, allowing them to focus on their core business priorities.”