{"id":36600,"date":"2022-06-08T05:40:00","date_gmt":"2022-06-08T05:40:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36600"},"modified":"2022-06-08T05:40:00","modified_gmt":"2022-06-08T05:40:00","slug":"proxylogon-proxyshell-may-have-driven-increase-in-dwell-times","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36600","title":{"rendered":"ProxyLogon, ProxyShell may have driven increase in dwell times"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/proxylogon-proxyshell-may-have-driven-increase-in-dwell-times.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Mass exploitation of the <a href=\"https:\/\/www.computerweekly.com\/news\/252497200\/Emergency-patch-addresses-MS-Exchange-Server-zero-days\">ProxyLogon<\/a> and <a href=\"https:\/\/www.computerweekly.com\/news\/252505767\/Half-of-MS-Exchange-servers-at-risk-in-ProxyShell-debacle\">ProxyShell<\/a> vulnerabilities in Microsoft Exchange Server by so-called initial access brokers (IABs) seems to have driven a substantial increase in median dwell times, which rose by 36% in 2021 from 11 days to 15, according to the latest edition of Sophos\u2019s <em><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/06\/07\/active-adversary-playbook-2022\/\">Active Adversary Playbook<\/a><\/em>.<\/p>\n<p>The report, which details attacker behaviours observed by Sophos\u2019s rapid response team, explores how <a href=\"https:\/\/www.computerweekly.com\/news\/252504860\/Initial-access-brokers-unaffected-by-ransomware-content-bans\">IABs<\/a>, which specialise in conducting initial compromises of victim network environments before selling their access on to other cyber criminals, including ransomware operators, are coming to form a \u201cvital\u201d part of the underground criminal economy.<\/p>\n<p>\u201cThe world of cyber crime has become incredibly diverse and specialised. IABs have developed a cottage cyber crime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turnkey access to ransomware gangs for their own attacks,\u201d said John Shier, senior security advisor at Sophos.<\/p>\n<p>\u201cIn this increasingly dynamic, speciality-based cyber threat landscape, it can be hard for organisations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible.\u201d<\/p>\n<p>Shier explained that for an IAB, being successful hinges on being first at the crime scene, which means such actors tend to be all over newly reported or disclosed vulnerabilities so they can break in before their victims have a chance to patch.<\/p>\n<p>They then go to work securing a foothold and maybe conducting some exploratory movement to find out more about their victims, before making a sale to someone else \u2013 usually a ransomware operator.<\/p>\n<blockquote class=\"main-article-pullquote\">\n<p><figure> \u201cThe world of cyber crime has become incredibly diverse and specialised. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible\u201d <\/figure><figcaption> <strong>John Shier, Sophos<\/strong> <\/figcaption><i class=\"icon\" data-icon=\"z\"><\/i> <\/p>\n<\/blockquote>\n<p>This process clearly takes a little while \u2013 it can be months or even longer \u2013 so higher dwell times likely reflect the involvement of IABs.<\/p>\n<p>Shier said that in the case of ProxyLogon and ProxyShell, it was highly likely there were a great many breaches that are currently unknown, where web shells and backdoors have been quietly implanted and are now sitting inert, waiting to be \u201csold\u201d.<\/p>\n<p>\u201cThe red flags that defenders should look out for include the detection of a legitimate tool, combination of tools, or activity in an unexpected place or at an uncommon time. It is worth noting that there may also be times of little or no activity, but that doesn\u2019t mean an organisation hasn\u2019t been breached,\u201d said Shier.<\/p>\n<p>\u201cDefenders need to be on the alert for any suspicious signals and investigate immediately. They need to patch critical bugs, especially those in widely used software, and, as a priority, harden the security of remote access services. Until exposed entry points are closed and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them, and probably will,\u201d he said.<\/p>\n<p>The report also highlighted a related trend that now seems to be emerging, whereby multiple actors, including IABs, cryptominers and ransomware gangs \u2013 even multiple ransomware gangs \u2013 obtain access to the same organisation simultaneously. This is a trend that Shier predicted would shape the threat landscape during 2022.<\/p>\n<p>\u201cWith opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of IABs, we\u2019re seeing more evidence of multiple attackers in a single target. If it\u2019s crowded within a network, attackers will want to move fast to beat out their competition,\u201d said Shier.<\/p>\n<p>The <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/06\/07\/active-adversary-playbook-2022\/\"><em>Active Adversary Playbook<\/em><\/a> is based on data collated by Sophos teams from nearly 150 incidents targeting organisations of all sizes, in multiple industries, around the world.<\/p>\n<p>However, other data sources do differ. A similar study of incidents to which Mandiant responded, released earlier in 2022, <a href=\"https:\/\/www.computerweekly.com\/news\/252516081\/Median-threat-actor-dwell-time-dropped-during-2021\">suggested precisely the opposite<\/a> \u2013 that dwell times have decreased. As ever, the truth of a murky situation likely lies somewhere between the two.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mass exploitation of the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server by so-called initial access brokers (IABs) seems to have driven a substantial increase in median dwell times, which rose by 36% in 2021 from 11 days to 15, according to the latest edition of Sophos\u2019s Active Adversary Playbook. The report, which details attacker [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36601,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36600"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36600\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36601"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}