Despite Government Disruption, LockBit Dominated Incident Response Cases in First Half of 2024
Sophos, a global leader in cybersecurity innovation and service delivery, has published its latest findings in “The Bite from Inside: The Sophos Active Adversary Report.” This comprehensive report examines the evolving attack behaviors and techniques observed during the first half of 2024. Drawing insights from nearly 200 incident response (IR) cases handled by the Sophos X-Ops IR and Managed Detection and Response (MDR) teams, the report highlights a 51% rise in the abuse of “Living off the Land” binaries (LOLbins) compared to 2023, marking an 83% increase since 2021. These trusted Windows tools are exploited by attackers to perform system discovery and maintain stealthy persistence.
Among the 187 unique Microsoft LOLbins identified, Remote Desktop Protocol (RDP) emerged as the most commonly abused, featuring in 89% of analyzed cases—a continuation of trends noted in Sophos’ 2023 report, where RDP misuse was observed in 90% of incidents.
“Living-off-the-land tactics grant attackers both stealth and a semblance of legitimacy,” said John Shier, Sophos Field CTO. “While some legitimate tools may trigger alerts, Microsoft binaries often bypass scrutiny due to their essential role in Windows operations. To mitigate risk, system administrators must understand their environment’s baseline usage and remain vigilant to potential abuse. Without this nuanced awareness, stretched IT teams may overlook critical threat activities that lead to ransomware.”
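The baseline-driven vigilance Shier describes can be put into practice for the most-abused LOLbin the report names, RDP. The script below is an added illustration, not code from Sophos or from the report: it learns a baseline of normal RDP logons (Windows Security event 4624 with logon type 10, RemoteInteractive) from a learning window and then flags later logons that introduce a new user/source/target combination, a never-seen source address, or a logon hour outside what that account has shown before. The log lines, hosts, accounts and addresses are all constructed for the example; the CSV layout is an assumed simplified export, not a real Windows log format.

```python
"""Baseline-based detection of unusual RDP logons (added example, constructed data)."""
from collections import defaultdict

# Constructed sample export: ts,event_id,logon_type,user,src_ip,host
# Event 4624 with logon_type 10 is an RDP (RemoteInteractive) logon.
BASELINE_LOGS = """\
2024-01-08T08:02:11,4624,10,helpdesk01,10.0.5.20,FS01
2024-01-08T08:05:40,4624,10,helpdesk01,10.0.5.20,FS02
2024-01-09T09:10:03,4624,10,dbadmin,10.0.5.31,SQL01
2024-01-10T08:03:55,4624,10,helpdesk01,10.0.5.20,FS01
2024-01-11T17:22:09,4624,2,jsmith,-,WS042
"""

# Constructed lines from a later window that the baseline is applied to.
NEW_LOGS = """\
2024-02-02T03:14:27,4624,10,helpdesk01,10.0.5.20,FS01
2024-02-02T03:15:02,4624,10,helpdesk01,172.16.9.77,DC01
2024-02-02T03:16:45,4624,10,svc_backup,172.16.9.77,DC01
2024-02-02T10:01:00,4624,3,jsmith,10.0.7.12,FS01
"""


def parse_events(text):
    """Parse the simplified CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip, host = line.split(",")
        events.append({"ts": ts, "event_id": event_id, "logon_type": logon_type,
                       "user": user, "src_ip": src_ip, "host": host})
    return events


def rdp_events(events):
    """Keep only successful RDP logons (4624 / logon type 10)."""
    return [e for e in events if e["event_id"] == "4624" and e["logon_type"] == "10"]


def build_baseline(events):
    """Summarise normal RDP usage: known tuples, known sources, hours per account."""
    baseline = {"pairs": set(), "src_ips": set(), "hours": defaultdict(set)}
    for e in rdp_events(events):
        baseline["pairs"].add((e["user"], e["src_ip"], e["host"]))
        baseline["src_ips"].add(e["src_ip"])
        baseline["hours"][e["user"]].add(int(e["ts"][11:13]))
    return baseline


def detect_anomalies(baseline, events):
    """Return (ts, user, src_ip, host, reasons) for RDP logons that deviate from the baseline."""
    findings = []
    for e in rdp_events(events):
        reasons = []
        if (e["user"], e["src_ip"], e["host"]) not in baseline["pairs"]:
            reasons.append("new user/source/target combination")
        if e["src_ip"] not in baseline["src_ips"]:
            reasons.append("source address never seen in baseline")
        known_hours = baseline["hours"].get(e["user"], set())
        # Only accounts with history get an hour check; new accounts are already flagged above.
        if known_hours and int(e["ts"][11:13]) not in known_hours:
            reasons.append("logon hour outside baseline window")
        if reasons:
            findings.append((e["ts"], e["user"], e["src_ip"], e["host"], reasons))
    return findings


def run_example():
    """Build the baseline from the learning window and score the later window."""
    baseline = build_baseline(parse_events(BASELINE_LOGS))
    return detect_anomalies(baseline, parse_events(NEW_LOGS))


if __name__ == "__main__":
    for ts, user, src, host, reasons in run_example():
        print(f"{ts} {user}@{src} -> {host}: {'; '.join(reasons)}")
```

In the constructed data the non-RDP logon is ignored, the familiar helpdesk session is flagged only because it happens at 03:00 rather than the account's usual morning hour, and the two domain-controller logons from an unseen address are flagged on every rule. In a real environment the baseline would be built over weeks of exported events and the hour check would use a tolerance window rather than an exact match, but the structure is the same: RDP itself is legitimate, so the signal has to come from deviation against what the environment normally does.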
The report also revealed that, despite government action against LockBit’s leak infrastructure in February, the ransomware group remained the most prevalent, responsible for 21% of infections in the first half of 2024.
Key Findings from the Report:
- Root Cause of Attacks: Compromised credentials remain the leading cause, accounting for 39% of cases, though this marks a decline from 56% in 2023.
- Network Breaches in MDR Cases: The Sophos MDR team primarily encountered incidents involving network breaches.
- Shorter Dwell Times with MDR: The median dwell time for incidents was eight days for the IR team but just one day with MDR services, and three days specifically for ransomware attacks.
- Compromised Active Directory Servers: The most frequently targeted Active Directory (AD) servers were 2019, 2016, and 2012 versions—many nearing or already in their end-of-life (EOL) phase. Notably, 21% of compromised AD servers were beyond mainstream Microsoft support, heightening vulnerability.
For a detailed breakdown of attacker tools, techniques, and trends, visit Sophos.com to read “The Bite from Inside: The Sophos Active Adversary Report.”