Sophos Active Adversary Playbook 2022: Criminals Are Hiding in The Corporate Cloud Longer and Longer

Security vendor Sophos has found that the average time cybercriminals spend undetected on corporate networks before launching an attack has risen to 34 days. Smaller businesses and the education sector were particularly affected, it said.

Sophos has published its “Active Adversary Playbook” for 2022. It details the behavior of cybercriminals observed by the “rapid response team” in 2021, documenting a 36 percent increase in the time cybercriminals spend on corporate networks. The average undetected stay on the network without a major attack such as ransomware is now 34 days.

Attackers also have a longer dwell time in smaller enterprises than in larger enterprises. Cybercriminals stayed in companies with up to 250 employees for about 51 days. In comparison, they typically spent “only” 20 days in companies with 3,000 to 5,000 employees.

“Attackers consider larger organizations more valuable and are therefore more motivated to get in quickly and get out quickly. Smaller organizations have less ‘value,’ so intruders can afford to linger longer in the background on the network,” said John Shier, senior security advisor at Sophos.

However, Shier added, it is also possible that these attackers have less experience and therefore spend more time on the network scouting. Also, smaller businesses and the education sector typically have less visibility into the attack chain to detect and repel attacks, he said. This also prolongs the attackers’ presence, he said.


Ransomware attacks were a special case. Here the criminals acted “faster” overall, but even so, the undetected dwell time in the network rose from 11 days in 2020 to 15 days in 2021, he said.

Sophos Active Adversary Playbook

Vulnerabilities in Microsoft Exchange

The report also highlights the impact of the ProxyShell vulnerabilities in Microsoft Exchange, which Sophos said were exploited by some initial access brokers (IABs) to penetrate networks and then sell that access to other criminal groups. “The world of cybercrime has become incredibly diverse and specialized,” Shier said.

“Initial access brokers (IABs) have developed their own cybercrime industry by penetrating a target, scouting it out or installing a backdoor, and then selling the turnkey access to ransomware gangs for their own attacks.”

Be aware of warning signs

Organizations need to be alert to certain warning signals to deter uninvited guests, he said. “Warning signals include the discovery of a legitimate tool or combination of tools and activities in an unexpected location or at an unusual time,” Shier said.

“It’s worth noting that there may be times when there is little or no activity. But that doesn’t mean a company hasn’t been attacked. There are likely other ProxyLogon or ProxyShell intrusions that are unknown at this time. Again, this involves implanting web shells and backdoors for persistent access that go unnoticed until the time of access use or sale.”
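The warning signal Shier describes, a legitimate tool turning up in an unexpected location or at an unusual time, can be turned into a simple triage check. The script below is an added example, not code from Sophos or the report: it parses a few constructed process-start records and flags dual-use admin tools that run outside an assumed working-hours window or from directories where they are not expected to live. The tool list, expected directories and working hours are all illustrative assumptions to be tuned to a real environment.

```python
"""Flag dual-use admin tools seen at unusual times or in unusual places.

Added example (not from the Sophos report): a small triage pass over
constructed process-start records, approximating the "legitimate tool,
wrong place or time" signal the article describes.
"""
import re
from datetime import datetime

# Legitimate tools that attackers frequently abuse. Constructed list for the
# example; tune it to the tools your own administrators actually use.
DUAL_USE_TOOLS = {
    "psexec.exe", "powershell.exe", "wmic.exe",
    "rclone.exe", "anydesk.exe", "7z.exe",
}

# Directories where these tools are expected to live (assumption for the example).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Working hours, local time, Monday to Friday (assumption for the example).
WORK_START, WORK_END = 7, 19

# Record format is constructed for the example:
#   <iso-timestamp> host=<name> user=<name> image=<full path of executable>
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def reasons_for(rec):
    """List why a record is suspicious; empty list means nothing to report."""
    image = rec["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name not in DUAL_USE_TOOLS:
        return []
    reasons = []
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("unexpected location")
    ts = rec["ts"]
    if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
        reasons.append("unusual time")
    return reasons


def triage(lines):
    """Run every record through the checks and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        reasons = reasons_for(rec)
        if reasons:
            alerts.append({
                "host": rec["host"], "user": rec["user"],
                "image": rec["image"], "reasons": reasons,
            })
    return alerts


# Constructed sample records (2021-09-12 is a Sunday, 13/14 are Mon/Tue).
SAMPLE_LOG = [
    r"2021-09-13T10:02:11 host=WS042 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2021-09-12T02:14:33 host=DC01 user=svc_backup image=C:\Windows\Temp\psexec.exe",
    r"2021-09-14T15:45:09 host=EXCH01 user=SYSTEM image=C:\Users\Public\rclone.exe",
    r"2021-09-14T23:30:00 host=WS017 user=admin image=C:\Program Files\7-Zip\7z.exe",
    r"2021-09-14T11:00:00 host=WS017 user=admin image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert['host']:7} {alert['user']:11} {alert['image']}  <- {', '.join(alert['reasons'])}")
```

Of the five constructed records, three produce alerts: PsExec launched from a temp directory on a Sunday night (both reasons), rclone in a public profile directory during the day (location only), and 7-Zip from its normal install path late at night (time only). A real deployment would take its baseline of "expected" paths and hours from observed history rather than from constants, but the shape of the check is the same.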


What is to be done? “Defenders need to be alert to suspicious signals and investigate immediately,” Shier explains. “They need to fix critical bugs – especially in widely used software – and make it a priority to increase the security of remote access services. Until unprotected access points are closed, and all attacker access activity is fully remediated, just about anyone can get in at will and probably will.”