
Cyber attacks through trusted applications grew by 51%


Cybercriminals are using applications and tools that Windows recognizes as “trusted”, the so-called living-off-the-land binaries (LOLBins), to carry out exploration of systems and maintain persistence, and LOLBin abuse increased 51% in 2024 compared with 2023 (and 83% since 2021). This was revealed in an analysis by the cybersecurity services company Sophos, entitled The Bite from Within: The Sophos Report on Active Adversaries.

Among the 187 unique Microsoft LOLBins detected in the first half of the year, the most commonly abused trusted application was the Remote Desktop Protocol (RDP): in the analysis of almost 200 incident response (IR) cases, attackers abused RDP in 89% of them. This continues the trend observed in the 2023 Active Adversaries Report, in which RDP abuse was detected in 90% of the cases investigated.

“The use of living-off-the-land tools not only gives an attacker’s activities stealth, but also tacitly validates those actions. While the abuse of some legitimate tools can raise suspicions and generate alerts, the abuse of a Microsoft binary usually has the opposite effect. Many of these Microsoft tools are fundamental to Windows and have legitimate uses, but it falls to systems administrators to understand how they are used in their environments and what constitutes abuse. Without a contextual and nuanced awareness of the environment, including continuous monitoring of new events on the network, overloaded IT teams are at risk of not detecting key activities that often lead to ransomware,” says John Shier, Field CTO at Sophos.
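The point Shier makes, that a trusted binary is only suspicious relative to how it is normally used in a given environment, is what a baseline-driven detection does in practice. The following script is an added example, not code from Sophos or the report: it learns which (host, user, binary, parent) combinations and which (host, user, source address) RDP logons were seen during a quiet period, then flags LOLBin launches and RDP logons that fall outside that baseline. The watch-list of binaries and every event record are constructed for the example; the event shapes are simplified versions of a process-creation event (as Sysmon event ID 1 records) and an RDP logon (as Windows Security event 4624 with logon type 10 records).

```python
"""Baseline-driven detection of LOLBin launches and RDP logons.

Added example for this article; the watch-list and all events below are
constructed and do not come from the Sophos report.
"""
from collections import defaultdict

# Hypothetical watch-list of Microsoft-signed binaries routinely abused as
# LOLBins. The report does not publish its own list; this is an assumption.
LOLBINS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wmic.exe", "bitsadmin.exe", "powershell.exe", "msiexec.exe",
}

# Constructed telemetry from a "known good" learning period.
BASELINE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "alice", "image": "certutil.exe", "parent": "mmc.exe"},
    {"type": "process", "host": "ws01", "user": "alice", "image": "powershell.exe", "parent": "explorer.exe"},
    {"type": "process", "host": "srv02", "user": "svc_backup", "image": "wmic.exe", "parent": "backup.exe"},
    {"type": "rdp_logon", "host": "srv02", "user": "admin_bob", "src": "10.0.5.20"},
    {"type": "rdp_logon", "host": "srv02", "user": "admin_bob", "src": "10.0.5.21"},
]

# Constructed telemetry from the period under review.
NEW_EVENTS = [
    # Same context as the baseline: normal.
    {"type": "process", "host": "ws01", "user": "alice", "image": "powershell.exe", "parent": "explorer.exe"},
    # certutil launched from a parent it never had before: flag.
    {"type": "process", "host": "ws01", "user": "alice", "image": "certutil.exe", "parent": "cmd.exe"},
    # rundll32 never seen for this host/user at all: flag.
    {"type": "process", "host": "srv02", "user": "svc_backup", "image": "rundll32.exe", "parent": "cmd.exe"},
    # A non-LOLBin binary with a new parent is outside this rule's scope.
    {"type": "process", "host": "ws01", "user": "alice", "image": "notepad.exe", "parent": "cmd.exe"},
    # Known admin account, never-seen source address: flag.
    {"type": "rdp_logon", "host": "srv02", "user": "admin_bob", "src": "203.0.113.7"},
    # Known admin account from a known source: normal.
    {"type": "rdp_logon", "host": "srv02", "user": "admin_bob", "src": "10.0.5.20"},
]


def event_key(ev):
    """The context that defines 'normal' for an event: who ran what, from where."""
    if ev["type"] == "process":
        return (ev["host"], ev["user"], ev["image"].lower(), ev["parent"].lower())
    if ev["type"] == "rdp_logon":
        return (ev["host"], ev["user"], ev["src"])
    raise ValueError(f"unknown event type {ev['type']!r}")


def build_baseline(events):
    """Map each event type to the set of contexts observed while learning."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["type"]].add(event_key(ev))
    return baseline


def detect(baseline, events):
    """Return (alert_kind, context) for every event outside the baseline.

    Only watch-listed binaries are judged for process events, so ordinary
    software with a new parent does not create noise; every RDP logon is
    judged, because a new source address for an admin account is worth a look.
    """
    alerts = []
    for ev in events:
        key = event_key(ev)
        if ev["type"] == "process":
            if ev["image"].lower() in LOLBINS and key not in baseline["process"]:
                alerts.append(("new_lolbin_context", key))
        elif ev["type"] == "rdp_logon":
            if key not in baseline["rdp_logon"]:
                alerts.append(("new_rdp_source", key))
    return alerts


if __name__ == "__main__":
    for kind, context in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(kind, context)
```

Run as-is, the script raises three alerts: certutil under an unfamiliar parent, a first-ever rundll32 launch for the service account, and an RDP logon for the admin account from an address never seen before. The design choice worth noting is that the rule never asks "is this binary bad?" but "has this binary been used this way here before?", which is exactly the contextual awareness the quote asks administrators to maintain; the trade-off is that the baseline must be learned from a period you are confident was clean.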


In addition, the report found that, despite the takedown of its main leak site and infrastructure in February, LockBit was the most frequently encountered ransomware, accounting for approximately 21% of infections in the first half of 2024.

Other key findings of the Active Adversaries Report were:

  • Root cause of attacks: Continuing the trend observed in the previous report for technology leaders, compromised passwords remain the main root cause of attacks, accounting for 39% of cases. This is, however, a decrease from the 56% recorded in 2023.
  • Network breaches dominate in MDR: In cases handled by the Sophos MDR team, network breaches were the most common incident found.
  • Shorter dwell times with MDR: In cases handled by the Sophos incident response team, dwell time (the time from the start of an attack to its detection) remained at approximately eight days. With MDR, by contrast, the average dwell time was only one day for all incident types, and three days for ransomware attacks.
  • Compromised Active Directory servers near end of life: The most frequently compromised Active Directory servers ran the 2019, 2016 and 2012 versions. These versions no longer receive mainstream support from Microsoft and are close to end of life (EOL). In addition, 21% of compromised AD servers were already EOL.

The Sophos report is based on data collected from almost 200 cybersecurity incident response (IR) cases handled by the Sophos X-Ops IR and Sophos X-Ops Managed Detection and Response (MDR) teams.
