2023-05-15

Sophos's 2023 Adversary Reports Unveil Attack Patterns


Category: Cyberattack | Industry: Global | Level: Strategic | Source: Sophos

Sophos X-Ops' Incident Response (IR) team has released its 2023 Active Adversary Report, which informs business leaders of the types of attacks and trends Sophos observed during 2022. The report's data comes mainly (81%) from organizations with fewer than 1,000 employees, spanning a range of industries. The sectors that required the most assistance from Sophos were manufacturing (20%), healthcare (12%), education (9%), and retail (8%). By attack type, Sophos's IR team was engaged primarily to handle ransomware-related incidents, which accounted for 68% of its cases; network breaches and data exfiltration incidents followed at a distant 18.42% and 3.95% respectively. LockBit was identified as the most active ransomware gang, ahead of ALPHV/BlackCat, Hive, and Phobos.

Sophos's analysis also covers the known methods of initial access. The most common vectors were exploitation of a vulnerability, use of compromised credentials, execution of a malicious document, brute-force attacks, and phishing. "Many of these attacks could have been prevented if only the available patches had been implemented. To put numbers on it, in 55% of all investigations in which exploit vulnerability was the root cause, the exploitation of either the ProxyShell or the Log4Shell vulnerability was to blame," Sophos assessed. The report also examines the most frequently observed living-off-the-land binaries (LOLBins), measured as the percentage of cases in which each appeared; because each figure is a share of cases rather than a share of all activity, the percentages do not sum to 100%. PowerShell led at 74.34% of cases, followed by cmd.exe at 50.00%, PsExec at 44.08%, Task Scheduler at 28.29%, and net.exe at 27.63%, completing Sophos's top five. Notably, RDP was not counted because of the potential for false positives. Lastly, the abuse of publicly available tools was tracked with the same occurrence metric: Cobalt Strike was the most frequently occurring tool at 42.76%, followed by AnyDesk at 30.26%, mimikatz at 28.29%, Advanced IP Scanner at 21.71%, and Netscan at 19.74%.
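As an added illustration of how a detection engineer might operationalize the LOLBin and tool rankings above, the script below tallies the named binaries across a set of process-creation events and reproduces the report's "percentage of cases in which the tool appears" metric, then flags hosts where a public attacker tool co-occurs with a LOLBin. This is example code written for this summary, not code from Sophos or Anvilogic. The sample events are constructed, the watchlist of image names is an assumption (real deployments would key on hashes, signers and command-line patterns as well), and the `original_file_name` field stands in for Sysmon's OriginalFileName so that a renamed binary is still caught. Cobalt Strike is deliberately left off the watchlist, since a beacon has no stable file name and needs behavioural or network detections instead.

```python
"""Tally LOLBins and public tools over process-creation events, mirroring the
report's per-case occurrence metric, and flag suspicious hosts.
Example code, not Sophos's or Anvilogic's; sample data is constructed."""
from collections import defaultdict
import ntpath

# Watchlists keyed by lowercase file name (assumed names; Cobalt Strike omitted
# on purpose because a beacon has no stable image name).
LOLBINS = {
    "powershell.exe": "PowerShell", "pwsh.exe": "PowerShell",
    "cmd.exe": "cmd.exe",
    "psexec.exe": "PsExec", "psexec64.exe": "PsExec", "psexesvc.exe": "PsExec",
    "schtasks.exe": "Task Scheduler",
    "net.exe": "net.exe", "net1.exe": "net.exe",
}
TOOLS = {
    "anydesk.exe": "AnyDesk",
    "mimikatz.exe": "mimikatz",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "netscan.exe": "Netscan",
}

# Constructed sample events shaped like Sysmon Event ID 1 (not real telemetry).
# Event 3 is mimikatz renamed to svchost.exe; only OriginalFileName gives it away.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"host": "ws01", "image": r"C:\Users\Public\svchost.exe", "original_file_name": "mimikatz.exe",
     "cmdline": "svchost.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "srv01", "image": r"C:\Tools\PsExec64.exe", "cmdline": r"PsExec64.exe \\ws02 -s cmd"},
    {"host": "srv01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Temp\\a.exe /sc onlogon"},
    {"host": "srv01", "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "srv01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c net user"},
    {"host": "srv01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -f C:\\Temp\\x.ps1"},
    {"host": "ws02", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
    {"host": "ws03", "image": r"C:\Users\bob\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent"},
]


def classify(event):
    """Return (label, kind) for a watchlisted event, else None.
    Matches the image basename and, when present, the OriginalFileName,
    so renaming the binary on disk does not evade the match."""
    names = {ntpath.basename(event["image"]).lower()}
    if "original_file_name" in event:
        names.add(event["original_file_name"].lower())
    for name in names:
        if name in LOLBINS:
            return LOLBINS[name], "lolbin"
        if name in TOOLS:
            return TOOLS[name], "tool"
    return None


def occurrence_rates(events):
    """Percentage of hosts (the 'cases' here) on which each label appears at
    least once; repeated hits on the same host count once, as in the report."""
    hosts = {e["host"] for e in events}
    seen = defaultdict(set)
    for e in events:
        hit = classify(e)
        if hit:
            seen[hit[0]].add(e["host"])
    return {label: round(100 * len(h) / len(hosts), 2) for label, h in seen.items()}


def flag_hosts(events):
    """Hosts where a public attacker tool co-occurs with at least one LOLBin."""
    kinds = defaultdict(set)
    for e in events:
        hit = classify(e)
        if hit:
            kinds[e["host"]].add(hit[1])
    return sorted(h for h, k in kinds.items() if {"lolbin", "tool"} <= k)


if __name__ == "__main__":
    for label, pct in sorted(occurrence_rates(EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{label:<20} {pct:6.2f}% of hosts")
    print("flagged hosts:", flag_hosts(EVENTS))
```

On the constructed data, PowerShell and cmd.exe each appear on 50% of hosts, everything else on 25%, and only ws01 is flagged, because it is the only host where a public tool (the renamed mimikatz) runs alongside LOLBins. The per-host co-occurrence rule is intentionally conservative: srv01 runs PsExec, schtasks, net.exe, cmd.exe and PowerShell, a plausible admin session on its own, so it is surfaced by the rates but not flagged.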
