New research shows that the dwell time of cyber-attacks has increased by 36%, with a median dwell time of intruders of 15 days in 2021 versus 11 days in 2020.
The Sophos Active Adversary Playbook 2022 report also reveals the impact of ProxyShell vulnerabilities in Microsoft Exchange, which Sophos believes some Initial Access Brokers (IABs) abused to breach networks and then sell that access to other attackers.
Sophos senior security advisor John Shier said: “The world of cybercrime has become incredibly diverse and specialized. IABs have developed a cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turnkey access to ransomware gangs for their attacks.
“In this increasingly dynamic, specialty-based cyber threat landscape, it can be difficult for organizations to keep up with attackers’ ever-changing tools and approaches. Defenders must understand where they are at each stage of the attack chain to detect and neutralize attacks as quickly as possible.”
Shier continued, “Research from Sophos also shows that intruders dwell longer in smaller organization environments. Attackers lingered for approximately 51 days in organizations with up to 250 employees, while they typically spent 20 days in organizations with 3,000 to 5,000 employees.
“Attackers view larger organizations as more valuable, so they are more motivated to get in, get what they want, and get out. Smaller organizations have less perceived value, so attackers can afford to stay on the network longer. They are peeking into the background.
“It’s also possible that these attackers were less experienced and took longer to figure out what to do once they were inside the network. Finally, smaller organizations typically have less visibility along the attack chain to detect and repel attackers, prolonging their presence.”
He says that, with unpatched ProxyLogon and ProxyShell vulnerabilities still available and the rise of IABs, the researchers see more evidence of multiple attackers in a single target. When a network is crowded, each attacker wants to act quickly to beat the competition.
Additional key findings in the playbook include:
Median attacker dwell time before detection was longer for stealthy intrusions that had not yet developed into a major attack such as ransomware, and for smaller organizations and industries with fewer IT security resources. The median dwell time for organizations hit by ransomware was 11 days. For those that had been breached but not yet hit by a major attack such as ransomware (23% of all incidents investigated), the median dwell time was 34 days. Organizations in education or with fewer than 500 employees also had longer dwell times.
Longer dwell times and open access points make organizations vulnerable to multiple attackers. Forensic evidence revealed cases where numerous adversaries, including IABs, ransomware gangs, crypto miners, and sometimes even multiple ransomware operators, targeted the same organization simultaneously.
Despite a decline in the use of Remote Desktop Protocol (RDP) for external remote access, attackers made greater use of it for internal lateral movement. In 2020, attackers used RDP for external activity in 32% of cases analyzed, but this dropped to 13% in 2021. While this shift is welcome and suggests that organizations have improved their management of remote attack surfaces, attackers are still exploiting RDP for internal lateral movement: Sophos found that in 2021 attackers used RDP for internal lateral movement 82% of the time, compared to 69% in 2020.
Common tool combinations in attacks provide a powerful warning signal of intruder activity. For example, the incident investigations found that in 2021, PowerShell and malicious non-PowerShell scripts were seen together in 64% of cases; PowerShell and Cobalt Strike in 56% of cases; and PowerShell and PsExec in 51% of cases. Detecting such correlations can serve as an early warning of an impending attack or confirm the presence of an active one.
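The tool-combination signal described above, as an added example that is not part of the Sophos report or the article: a small correlator over constructed endpoint process-creation events that flags hosts where PowerShell appears within a time window of PsExec, a Cobalt Strike beacon, or a non-PowerShell script host. The image names (including `beacon.exe` for Cobalt Strike) and the one-hour window are assumptions for illustration.

```python
"""Added example (not from the Sophos report): flag hosts where PowerShell
co-occurs with another attacker tool within a time window, the tool-combination
signal the report describes. Log lines are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint process-creation events: (timestamp, host, image).
SAMPLE_EVENTS = [
    ("2021-06-01T09:00:00", "ws-12", "powershell.exe"),
    ("2021-06-01T09:04:00", "ws-12", "psexec.exe"),
    ("2021-06-01T09:10:00", "ws-12", "beacon.exe"),   # hypothetical Cobalt Strike beacon name
    ("2021-06-01T13:00:00", "srv-03", "powershell.exe"),
    ("2021-06-02T13:00:00", "srv-03", "psexec.exe"),   # 24h later: outside the window
    ("2021-06-01T15:00:00", "ws-07", "wscript.exe"),
    ("2021-06-01T15:02:00", "ws-07", "powershell.exe"),
]

# Tool classes from the report's pairings. Image names are assumptions; real
# Cobalt Strike beacons are renamed, so production detection keys on behaviour.
TOOL_CLASSES = {
    "powershell.exe": "powershell", "pwsh.exe": "powershell",
    "psexec.exe": "psexec", "psexesvc.exe": "psexec",
    "beacon.exe": "cobalt_strike",
    "wscript.exe": "script", "cscript.exe": "script", "mshta.exe": "script",
}

def find_tool_combinations(events, window=timedelta(hours=1)):
    """Return {host: set of tool classes} for hosts where PowerShell and at
    least one other tool class ran within `window` of each other."""
    by_host = defaultdict(list)
    for ts, host, image in events:
        cls = TOOL_CLASSES.get(image.lower())
        if cls:
            by_host[host].append((datetime.fromisoformat(ts), cls))
    hits = {}
    for host, evs in by_host.items():
        ps_times = [t for t, c in evs if c == "powershell"]
        paired = {c for t, c in evs if c != "powershell"
                  and any(abs(t - p) <= window for p in ps_times)}
        if paired:
            hits[host] = paired | {"powershell"}
    return hits

if __name__ == "__main__":
    for host, tools in sorted(find_tool_combinations(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(tools))}")
```

On the sample data, ws-12 and ws-07 are flagged while srv-03 is not, because its PsExec run falls a day after its PowerShell activity.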
73% of the incidents Sophos responded to in 2021 involved ransomware, and half of those ransomware incidents also involved confirmed data exfiltration. Exfiltration is often the last stage of the attack before ransomware is deployed. Where the data was available, the incident investigations found that the average gap between data theft and ransomware deployment was 4.28 days, with a median of 1.84 days.
Conti was the most prolific ransomware group in 2021, accounting for 18% of all incidents, and REvil was responsible for one in ten. Other common ransomware families included DarkSide, the RaaS behind the infamous Colonial Pipeline attack in the US, and Black Kingdom, one of the new ransomware families that appeared in March 2021 following ProxyLogon. Forty-one different ransomware attackers were identified across the 144 incidents included in the analysis. Of these, about 28 were new groups first reported in 2021, and eighteen ransomware groups seen in incidents in 2020 had disappeared from the list by 2021.
Shier says, “The red flags defenders should look out for include the detection of a legitimate resource, a combination of resources, or activity in an unexpected place or time.
“It’s worth noting that there can also be moments of little or no activity, but that doesn’t mean an organization hasn’t been breached. For example, there are likely many more ProxyLogon or ProxyShell breaches that are currently unknown, where web shells and backdoors have been implanted in targets for permanent access and now sit idle until that access is used or sold.
“Defenders should be alert to suspicious signals and investigate immediately. They should patch critical bugs, especially those in commonly used software, and, as a priority, improve the security of remote access services.
“Until exposed access points are closed, and everything the attackers have done to gain and retain access is completely wiped out, almost anyone can and probably will.”