CISOs may be over-reliant on EDR/XDR protection

Attackers can easily bypass endpoint detection and response (EDR) and extended detection and response (XDR) defenses, often catching businesses unaware, according to new cybersecurity threat research.

A global cyberthreats study, conducted by EDR/XDR vendor Trellix, highlighted the risk posed by the emergence of “EDR kill tools” and their use to deliver ransomware or to attack telecommunications operators. It cited as examples the D0nut ransomware gang, which used an EDR killer to increase the effectiveness of its attacks, and the Terminator tool developed by Spyboy and used in a new campaign in January 2024 that primarily targeted the telecommunications sector.

John Fokker, head of threat intelligence at the Trellix Advanced Research Center, said he was surprised by how brazen and blunt attackers were in their use of this method. “Dodging EDR is nothing new, but what got us excited was when we saw a state actor with ties to Russia openly using this technique,” Fokker said.

Matt Harrigan, VP at Leviathan Security, reviewed the Trellix study and said that he was not surprised by the attack, but that he is surprised by how many enterprise CISOs today are over-relying on their security tooling and apparently not preparing strategies for EDR/XDR evasion by attackers.

“They overestimate the capabilities of their traditional EDR platforms. This technology is being turned off and the attack is successful,” Harrigan said.

EDR protection pointers

Another security executive, Jon Miller, CEO of Halcyon, gave CISOs some pointers on how to protect their EDR/XDR systems from harm. These evasions typically exploit one of three weaknesses, he said: vulnerable kernel drivers (known, unpatched vulnerabilities); registry abuse; and userland API unhooking. “MGM and Caesars, they were both using EDRs that were deprecated,” Miller said, referring to the attacks on the two Las Vegas casino operators.
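As an added example (not Trellix's, Halcyon's or the article's own code), the Python below sketches detection logic for the three evasion classes Miller lists, run over constructed Sysmon-style records: a driver-load event checked against a vulnerable-driver denylist (the BYOVD case), a registry value-set event that flips an EDR service to SERVICE_DISABLED, and a comparison of in-memory function prologues against on-disk ntdll bytes to spot a removed user-mode hook. The driver hash, the EDR service names, the event contents and the syscall stub bytes are all constructed or illustrative assumptions, not real telemetry; only the Sysmon event IDs and field names are real.

```python
"""Triage logic for the three EDR-killer patterns named above: vulnerable
kernel driver loads (BYOVD), registry tampering that disables EDR services,
and userland API unhooking. All events, hashes, service names and prologue
bytes below are constructed for illustration, not taken from real telemetry."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed denylist keyed by SHA-256. A real deployment would populate
# this from a curated list of known-vulnerable drivers; these are placeholders.
VULNERABLE_DRIVER_SHA256 = {
    "11" * 32: "example-vulnerable-antimalware-driver.sys",
}
# Constructed EDR service names that an EDR killer might try to disable.
EDR_SERVICES = {"exampleedrsensor", "exampleedragent"}
SERVICE_DISABLED = 4  # Services\<name>\Start DWORD value meaning SERVICE_DISABLED

_HASH_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")
_SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)\\(Start|ImagePath|Type)$", re.IGNORECASE)
_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def check_driver_load(event: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 6 (driver loaded): flag known-vulnerable or unsigned drivers."""
    if event.get("EventID") != "6":
        return None
    m = _HASH_RE.search(event.get("Hashes", ""))
    sha256 = m.group(1).lower() if m else None
    if sha256 in VULNERABLE_DRIVER_SHA256:
        name = VULNERABLE_DRIVER_SHA256[sha256]
        return f"BYOVD: known vulnerable driver {name} loaded from {event.get('ImageLoaded')}"
    if event.get("Signed", "").lower() != "true":
        return f"Unsigned driver loaded from {event.get('ImageLoaded')}"
    return None


def check_registry_event(event: Dict[str, str]) -> Optional[str]:
    """Sysmon Event ID 13 (registry value set): flag EDR service disablement or hijack."""
    if event.get("EventID") != "13":
        return None
    m = _SERVICE_KEY_RE.search(event.get("TargetObject", ""))
    if not m or m.group(1).lower() not in EDR_SERVICES:
        return None
    service, value_name = m.group(1), m.group(2)
    details, actor = event.get("Details", ""), event.get("Image")
    if value_name.lower() == "start":
        d = _DWORD_RE.search(details)
        if d and int(d.group(1), 16) == SERVICE_DISABLED:
            return f"EDR service {service} set to SERVICE_DISABLED by {actor}"
        return None
    # ImagePath or Type rewritten: the service binary or kind was swapped out
    return f"EDR service {service} {value_name} changed to {details!r} by {actor}"


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run every check over every event and collect the findings."""
    findings = []
    for event in events:
        for check in (check_driver_load, check_registry_event):
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


def hook_state(disk_prologue: bytes, memory_prologue: bytes) -> str:
    """Classify a function's first bytes in memory against the on-disk DLL.
    User-mode EDR hooks are inline jumps (E9 rel32 or FF 25 [rip+disp32]);
    bytes identical to disk mean no hook is present."""
    if memory_prologue == disk_prologue:
        return "matches_disk"
    if memory_prologue[:1] == b"\xe9" or memory_prologue[:2] == b"\xff\x25":
        return "inline_hook"
    return "unexpected_patch"


def detect_unhooking(expected_hooked: Set[str],
                     samples: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """For functions the EDR is known to hook, report any whose in-memory
    prologue has been restored to the clean on-disk bytes (i.e. unhooked)."""
    return [f"{name}: EDR hook removed (prologue matches on-disk ntdll)"
            for name, (disk, mem) in samples.items()
            if name in expected_hooked and hook_state(disk, mem) == "matches_disk"]


# Constructed Sysmon-style events; paths are literal registry/file paths.
SAMPLE_EVENTS = [
    {"EventID": "6", "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true", "Signature": "Example Vendor"},
    {"EventID": "13", "Image": r"C:\Windows\Temp\killer.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleEdrSensor\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",  # benign: not an EDR service
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000004)"},
]
# Illustrative x64 ntdll syscall stubs (mov r10,rcx; mov eax,<ssn>); real SSNs vary by build.
NTDLL_DISK = {
    "NtProtectVirtualMemory": bytes.fromhex("4c8bd1b850000000"),
    "NtWriteVirtualMemory":   bytes.fromhex("4c8bd1b83a000000"),
}
EXPECTED_HOOKED = set(NTDLL_DISK)
SAMPLE_MEMORY = {
    "NtProtectVirtualMemory": bytes.fromhex("e912345678000000"),  # still hooked: jmp rel32
    "NtWriteVirtualMemory": NTDLL_DISK["NtWriteVirtualMemory"],   # restored from disk: unhooked
}

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
    pairs = {n: (NTDLL_DISK[n], SAMPLE_MEMORY[n]) for n in NTDLL_DISK}
    for line in detect_unhooking(EXPECTED_HOOKED, pairs):
        print(line)
```

The three checks map to the three weaknesses above: the driver check catches the BYOVD loader before the vulnerable driver is used to terminate the agent, the registry check catches the tamper that disables it at next boot, and the prologue comparison is what a memory scanner would do to notice that an EDR's user-mode hooks have been stripped by an unhooking routine. None of these is a substitute for an EDR with tamper protection and kernel-level self-defense; they are telemetry a SOC can layer on top.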

Much of Trellix’s research examined shifts in attack methods and in the malware tools used to carry them out.

“The Sandworm team, historically known for disruptive cyber operations, saw a dramatic increase in detections of 1,669 percent,” it said, suggesting that this represents a corresponding increase in attacks by the Russian-linked group, not just improved detection. APT29, a group known for cyber espionage, saw detections increase by 124%, while detections of activity by APT34 and Covellite also increased, by 97% and 85% respectively, suggesting the launch of new campaigns. Groups including Mustang Panda, Turla, and APT28, on the other hand, saw little change in detections. “Notable is the emergence of UNC4698, which saw a 363% increase in detections, suggesting the rise of a potentially significant new player in the APT landscape,” the study said.

It also noted significant declines in activity by groups linked to North Korea (down 82%), Vietnam (down 80%), and India (down 82%), but Fokker said his team could not determine why. “Unfortunately, we have not received a clear explanation as to why their activity has decreased. There could be a number of reasons why activity has dropped,” said Fokker.

Targeting Turkey

Threat detections targeting Turkey increased by 1,458%, which translates to a 16% increase in its proportional contribution to total detections. “This dramatic increase reflects a major shift in the focus of the cyber threat against Turkey, which may reflect broader national tensions or specific operational goals of APT groups,” the study said.

It also noted an increase in copycat activity, where malware groups began to impersonate other groups: “After the global law enforcement action, Operation Cronos, Trellix saw imposters impersonating LockBit, while the group desperately tried to save face and restore profitable operations.”

Overall, the study found that the US remains the most targeted country, followed, currently, by Turkey, Hong Kong, India and Brazil.

There have been significant differences in the volume of attacks between industries, too. Trellix saw transportation and shipping as the most threatened by ransomware, accounting for 53% of worldwide ransomware detections in the fourth quarter of 2023, and 45% in the first quarter of 2024. The financial industry is the next most targeted.

“From October 2023 to March 2024, Trellix saw a 17% increase in APT detections compared to the previous six months,” the study said. “This is remarkable as our last report revealed that these numbers had increased by 50%. The APT ecosystem is very different from last year’s: aggressive, cunning, and active.”
