The upcoming Active Adversary Report from Sophos is set to reveal new insights into the shifting landscape of cybercrime, detailing attacker behaviour and evolving tactics, based on investigations conducted by the Sophos X-Ops Incident Response (IR) team in 2023.
The report noted that ransomware retains its position as the leading type of attack, with 70% of the incidents investigated by the Sophos IR team attributed to ransomware. LockBit remains the most prevalent ransomware family, accounting for 22% of the ransomware attacks examined in 2023 and securing the top spot for the second consecutive year.
Abuse of the Remote Desktop Protocol (RDP), a common method of establishing remote access to Windows systems, was a factor in 90% of the attacks. This is not only a grim milestone in the evolution of cybercrime tactics but also the highest rate of RDP abuse Sophos has recorded since it began publishing these reports in 2021. External remote services such as RDP were also the primary means by which attackers first breached networks, accounting for 65% of initial access in IR cases during 2023. The report suggests this makes the management of such services a top priority in risk assessment for organisations.
“Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, Field CTO at Sophos.
The study also found that compromised credentials have become a more common initial access tactic, used in three-quarters of the attacks in 2023. Despite this, almost half of the organisations did not have multi-factor authentication in place, leaving them exposed to such attacks.
Overall, the findings point to a shift in cybercriminals' attack strategies towards more subtle and covert methods. They underscore the importance of organisations prioritising the management of remote services and adopting multi-factor authentication to defend against attacks.
“Organizations that do [manage risks] well experience better security situations than those that don’t in the face of continuous threats. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organizations more secure overall and better able to defeat cyberattacks,” said Shier.
The findings are based on over 150 incident response investigations across 26 sectors worldwide, reflecting the breadth and geographical spread of current adversarial tactics. Together with other Sophos research and threat analysis, the report aims to give an overview of ongoing adversarial strategies and to help organisations build robust defences against them.