Sophos, a global cybersecurity firm, has released its latest report, The Bite from Inside: The Sophos Active Adversary Report, analyzing cyberattacks in the first half of 2024. The findings, based on nearly 200 incident response cases, highlight a sharp increase in attackers using trusted Windows applications, often called “Living off the Land” binaries (LOLBins), to evade detection and maintain persistence.
The report reveals a 51% rise in LOLBin abuse compared to 2023, and an 83% increase since 2021. Of the 187 unique Microsoft LOLBins identified, the most targeted tool was Remote Desktop Protocol (RDP), which attackers exploited in 89% of analyzed cases. This trend mirrors findings from 2023, where RDP abuse appeared in 90% of incidents.
“Living off the land allows attackers to hide in plain sight by using legitimate tools,” said John Shier, Sophos’ field CTO. “While some activity raises alerts, abusing trusted Microsoft tools often goes unnoticed, creating a serious risk for IT teams already stretched thin.”
Key Findings:
- Ransomware Dominance: LockBit was the most active ransomware group, responsible for 21% of infections, despite government efforts to disrupt its operations earlier this year.
- Compromised Credentials: Stolen credentials remained the top cause of attacks, accounting for 39% of incidents—though this marks a decline from 56% in 2023.
- MDR Advantage: Sophos’ Managed Detection and Response (MDR) teams reduced attack detection times to a median of one day, compared to eight days for incidents handled solely by incident response teams.
- Active Directory Risks: Attackers frequently targeted outdated versions of Active Directory (AD) servers, including versions already past Microsoft’s support lifecycle. These accounted for 21% of compromised AD servers.
Sophos emphasizes the importance of proactive monitoring and updates to defend against increasingly sophisticated threats.