Sophos’ Active Adversary Report highlights a disturbing rise in cybercriminal activity centered around the abuse of trusted applications and tools.
Commonly referred to as “living-off-the-land” (LoL), this tactic saw a 51% increase compared to 2023 and a staggering 83% growth since 2021.
These findings, derived from nearly 200 incident response cases, underline how attackers are exploiting legitimate applications to operate undetected.
The report outlines how cybercriminals leverage these trusted tools, also called “living-off-the-land binaries” or LOLbins, to infiltrate systems, maintain persistence, and avoid detection.
Because these applications serve legitimate purposes in many environments, their abuse often goes unnoticed, leaving systems vulnerable.
RDP Dominates the Abuse Landscape
Sophos identified 187 unique Microsoft LOLbins exploited in the first half of 2024, with remote desktop protocol (RDP) being the most frequently abused.
Attackers used RDP in 89% of all analyzed cases, maintaining a steady prevalence since 2023 when abuse was reported in 90% of incidents.
This sustained trend underscores how essential yet risky trusted applications can be.
RDP’s legitimate utility as a remote access tool for IT management and remote work makes it particularly attractive for attackers seeking easy infiltration.
As John Shier, Sophos’ field CTO, put it: “Living-off-the-land not only offers stealth to an attacker’s activities but also provides a tacit endorsement of their activities. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it’s up to system administrators to understand how they are used in their environments and what constitutes abuse.”
Key Takeaways from Sophos’ 2024 Findings
Sophos’ report offers deeper insights into the cybersecurity challenges faced by organizations today:
- Root Causes of Attacks: Compromised credentials remain the primary root cause in 39% of incidents, albeit down from 56% in 2023. The prevalence of stolen or weak credentials reflects ongoing security gaps in password management and multi-factor authentication practices.
- Network Breaches on the Rise: Network breaches dominated cases handled by Sophos’ Managed Detection and Response (MDR) team, highlighting systemic vulnerabilities in network configurations and monitoring systems.
- Dwell Times Vary by Response Method: Attack detection times differ between teams. Sophos’ Incident Response (IR) team recorded a median dwell time of eight days, while MDR teams achieved significantly faster detection, with a median dwell time of one day for general incidents and three days for ransomware cases. Faster detection directly correlates with better containment of threats.
- Aging Active Directory Servers Increase Risk: Many incidents involved outdated Active Directory (AD) servers, including 2012, 2016, and 2019 versions. These servers are either out of Microsoft’s mainstream support or entirely end-of-life, making them particularly vulnerable. Worryingly, 21% of breached AD servers had already reached end-of-life status, leaving no recourse for patching without paid support.
LockBit Dominates Ransomware Threats
Despite a February 2024 disruption of its leak site and infrastructure, LockBit emerged as the most active ransomware group, responsible for 21% of infections.
Its consistent presence in major incidents emphasizes the resilience of top-tier cybercriminal groups, even in the face of law enforcement action.
LockBit’s operations represent a broader challenge: ransomware attackers have evolved their methods and persistently target organizations worldwide.
Sophos warns that organizations need more comprehensive approaches to detect and mitigate such threats.
Why Trusted Tools Make Attackers Hard to Catch
The abuse of LOLbins such as RDP thrives because these tools are deeply embedded in business environments.
Many are integral to system operations, allowing attackers to blend seamlessly into network activities.
This approach not only helps evade detection by IT teams but also delays security responses. Without thorough and consistent monitoring, organizations risk falling prey to extended breaches.
“Abusing a Microsoft binary often has the opposite effect of raising alerts,” John Shier explained.
Tools that are well-integrated into Windows systems allow attackers to take advantage of the implicit trust IT teams place in these binaries.
How Organizations Can Respond
To counter the surge in trusted app abuse and ransomware threats, businesses need proactive measures:
- Adopt Context-Aware Monitoring: Continuous vigilance is required to spot unusual activity involving LOLbins. Organizations must establish clear baselines for how these tools are typically used and flag deviations.
- Address Credential Weaknesses: Strengthening password policies, implementing multi-factor authentication, and regularly training employees on cybersecurity best practices can significantly reduce risks.
- Upgrade Aging Infrastructure: Companies relying on older AD servers or unsupported operating systems should prioritize upgrades. Unsupported systems lack essential patches, leaving networks open to exploitation.
- Invest in MDR Services: Managed Detection and Response teams, as the report shows, reduce dwell times significantly. Rapid detection and containment are essential for preventing widespread damage.
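The context-aware monitoring recommended above can be illustrated with a small baseline-and-deviation detector for RDP logons. This is an added example, not code from Sophos or the report; the log records are constructed, and the detector relies on the documented Windows Security event 4624 with logon type 10 (RemoteInteractive) as the marker for an RDP session.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Windows Security events (not real logs). Event 4624 with
# logon_type 10 is an interactive RDP logon; logon_type 3 is a network logon.
BASELINE_EVENTS = [
    {"ts": "2024-03-04T09:05:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-04T14:20:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-05T10:11:00", "event_id": 4624, "logon_type": 10, "user": "helpdesk", "src_ip": "10.0.9.7"},
    {"ts": "2024-03-05T11:30:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.1.2"},
]
NEW_EVENTS = [
    {"ts": "2024-03-06T09:40:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},     # known pair, usual hour
    {"ts": "2024-03-06T02:15:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.44"},  # new source and off hours
    {"ts": "2024-03-06T13:00:00", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.1.2"},  # account never seen on RDP
]

def is_rdp_logon(ev):
    return ev["event_id"] == 4624 and ev["logon_type"] == 10

def circular_hour_distance(a, b):
    """Distance between two hours-of-day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)

def build_baseline(events):
    """Learn which (user, source IP) pairs and which hours each user normally uses RDP."""
    pairs, hours = set(), defaultdict(set)
    for ev in filter(is_rdp_logon, events):
        pairs.add((ev["user"], ev["src_ip"]))
        hours[ev["user"]].add(datetime.fromisoformat(ev["ts"]).hour)
    return {"pairs": pairs, "hours": dict(hours)}

def detect_rdp_anomalies(baseline, events, hour_slack=1):
    """Return one alert per RDP logon that deviates from the learned baseline."""
    alerts = []
    for ev in filter(is_rdp_logon, events):
        user, src, reasons = ev["user"], ev["src_ip"], []
        if user not in baseline["hours"]:
            reasons.append("user has no RDP history")
        elif (user, src) not in baseline["pairs"]:
            reasons.append(f"new RDP source {src}")
        hour = datetime.fromisoformat(ev["ts"]).hour
        seen = baseline["hours"].get(user)
        if seen and min(circular_hour_distance(hour, h) for h in seen) > hour_slack:
            reasons.append(f"logon hour {hour:02d} outside baseline")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "src_ip": src, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

In practice the baseline would be learned over weeks of real 4624 events and the hour check widened to a working-hours window per role; the structure of the check stays the same.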
Sophos’ findings serve as a warning to organizations: attackers are getting smarter and taking advantage of trusted tools to disguise their activities.
Without enhanced detection strategies and robust credential policies, businesses may find themselves increasingly vulnerable.
The growing abuse of trusted apps like RDP and the persistence of ransomware groups such as LockBit point to the need for faster and smarter approaches to cybersecurity.