Artur Marciniec - Fotolia

ProxyLogon, ProxyShell may have driven increase in dwell times

The median network intruder dwell time was up 36% to 15 days last year, thanks to massive exploitation of the ProxyLogon and ProxyShell vulnerabilities by IABs, according to new Sophos data

Mass exploitation of the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server by so-called initial access brokers (IABs) seems to have driven a substantial increase in median dwell times, which rose by 36% in 2021 from 11 days to 15, according to the latest edition of Sophos’s Active Adversary Playbook.

The report, which details attacker behaviours observed by Sophos’s rapid response team, explores how IABs, which specialise in conducting initial compromises of victim network environments before selling their access on to other cyber criminals, including ransomware operators, are coming to form a “vital” part of the underground criminal economy.

“The world of cyber crime has become incredibly diverse and specialised. IABs have developed a cottage cyber crime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turnkey access to ransomware gangs for their own attacks,” said John Shier, senior security advisor at Sophos.

“In this increasingly dynamic, speciality-based cyber threat landscape, it can be hard for organisations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible.”

Shier explained that for an IAB, being successful hinges on being first at the crime scene, which means such actors tend to be all over newly reported or disclosed vulnerabilities so they can break in before their victims have a chance to patch.

They then go to work securing a foothold and maybe conducting some exploratory movement to find out more about their victims, before making a sale to someone else – usually a ransomware operator.

“The world of cyber crime has become incredibly diverse and specialised. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible”
John Shier, Sophos

This process clearly takes a little while – it can be months or even longer – so higher dwell times likely reflect the involvement of IABs.

Shier said that in the case of ProxyLogon and ProxyShell, it was highly likely there were a great many breaches that are currently unknown, where web shells and backdoors have been quietly implanted and are now sitting inert, waiting to be “sold”.

“The red flags that defenders should look out for include the detection of a legitimate tool, combination of tools, or activity in an unexpected place or at an uncommon time. It is worth noting that there may also be times of little or no activity, but that doesn’t mean an organisation hasn’t been breached,” said Shier.

“Defenders need to be on the alert for any suspicious signals and investigate immediately. They need to patch critical bugs, especially those in widely used software, and, as a priority, harden the security of remote access services. Until exposed entry points are closed and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them, and probably will,” he said.

The report also highlighted a related trend that now seems to be emerging, whereby multiple actors, including IABs, cryptominers and ransomware gangs – even multiple ransomware gangs – obtain access to the same organisation simultaneously. This is a trend that Shier predicted would shape the threat landscape during 2022.

“With opportunities from unpatched ProxyLogon and ProxyShell vulnerabilities and the uprise of IABs, we’re seeing more evidence of multiple attackers in a single target. If it’s crowded within a network, attackers will want to move fast to beat out their competition,” said Shier.

The Active Adversary Playbook is based on data collated by Sophos teams from nearly 150 incidents targeting organisations of all sizes, in multiple industries, around the world.

However, other data sources do differ. A similar study of incidents to which Mandiant responded, released earlier in 2022, suggested precisely the opposite – that dwell times have decreased. As ever, the truth of a murky situation likely lies somewhere between the two.

Read more on Hackers and cybercrime prevention

Data Center
Data Management