2024 Sees Sharp Increase in Microsoft Tool Exploits

Security

Threat actors’ abuse of legitimate Microsoft tools rose by 51% in the first half of 2024 compared to 2023, according to Sophos’ latest Active Adversary Report.

The researchers observed 187 unique Microsoft Living Off the Land Binaries (LOLbins) used by threat actors in 190 cyber incidents analyzed in H1 2024. Over a third of them (64) appeared just once in the Sophos dataset.

LOLbins are abused-but-legitimate binaries already present on the machine or commonly downloaded from legitimate sources associated with the operating system. They are signed and unlikely to come to the attention of a system administrator when used in seemingly benign ways.

The most common Microsoft LOLbins used by attackers in H1 2024 was remote desktop protocol (RDP), with just under 89% of cases showing some indication of RDP abuse.

This was followed by cmd.exe (76% of cases), PowerShell (71%) and net.exe (58%).

John Shier, Field CTO, Sophos, explained that the use of Microsoft LOLbins is proving an effective method for attackers in gaining stealth on networks.

“While abusing some legitimate tools might raise a few defenders’ eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it’s up to system administrators to understand how they are used in their environments and what constitutes abuse,” Shier explained.

The report also found a modest 12% increase in the use and variety of artifacts on targeted systems in H1 2024 compared to 2023, from 205 to 230.

Artifacts are third-party packages brought onto the system illegitimately by attackers, such as mimikatz, Cobalt Strike and AnyDesk.

LockBit Remains Dominant Ransomware Operator

The report found that LockBit was the most dominant ransomware in H1 2024, making up around a fifth (21%) of incidents tracked.

This was a similar proportion to LockBit incidents tracked in 2023 (22%), despite the high profile disruption of the ransomware-as-a-service (RaaS) by law enforcement in Operation Cronos in February 2024.

“When it comes to attribution, the corollary between high-profile ransomware takedowns and diminished presence on our charts isn’t always as strong as one would hope,” the researchers noted.

The next most prominent ransomware strains were Akira (9%), Faust (7.5%) and Qilin (6%).

Overall, Sophos observed a decline in ransomware infections in H1 2024 compared to 2023. In 2023, 70% of cases handled by the firm involved ransomware, compared to 61.5% in H1 2024.

However, the company said that it expects the drop will not be as pronounced when the full year’s numbers are analyzed for 2024.

Read now: Five Ransomware Groups Responsible for 40% of Cyber-Attacks in 2024

Attackers Shift Away from Compromised Credentials

Compromised credentials was the most common root cause of attacks in H1 2024, identified in 39% of cases. This is a big drop from 2023, when 56% of all incidents had compromised credentials as their root cause.

Vulnerability exploitation was the next most common root cause in H1 2024, making up 30.5% of incidents. This is nearly double from 2023, when vulnerability exploitation was the cause of 16.2% of incidents.

The third most common root cause was brute force attacks, at 18.4%.

Image credit: tomeqs / Shutterstock.com

Products You May Like

Articles You May Like

HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
Akira and RansomHub Surge as Ransomware Claims Reach All-Time High
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe
Sophisticated TA397 Malware Targets Turkish Defense Sector

Leave a Reply

Your email address will not be published. Required fields are marked *