The age of malware-driven cyber attacks has peaked, at least when it comes to incidents affecting small and medium-sized enterprises (SMEs), where over half (56%) of attacks observed in the third quarter were “malware-free”, meaning adversaries leveraged scripting frameworks and legitimate tools instead of deploying malware payloads.
This is according to a quarterly SME threat report compiled by Huntress, a US-based supplier of managed security platform services specialising in small businesses and managed security services providers (MSSPs).
In its report, Huntress said this evolution in tradecraft appeared to be linked to a surge in the use of remote monitoring and management (RMM) software tools as a vector for initial access, which it saw in 65% of cases. This may bear some connection to the changes in working practice induced by Covid-19.
The most commonly exploited RMM tools used against SMEs included ConnectWise, AnyDesk, NetSupport and TeamViewer.
The use of legitimate tools – which are often referred to as living-off-the-land binaries – or LOLBins – is nothing new, but at the SME level it becomes of particular concern given such organisations are less likely to have appropriate monitoring or review practices in place. Furthermore, because IT admins rely on the same techniques and software, distinguishing legitimate activity from illegitimate activity becomes harder, too.
“The threat landscape is not slowing down,” said Joe Slowik, threat intelligence manager for Huntress. “Threat actors are evolving their tradecraft to wreak havoc on SMBs, and our goal is to educate them and give them a fighting chance against the ever-evolving adversarial landscape.
“The Huntress SMB threat report serves as the definitive guide in helping MSP security professionals know what patterns in adversary tactics and behaviours are out there and how to protect their SMB customers.”
Identities challenged in the cloud
Added to the growing LOLBin issue, the report said, the steady trickle-down of cloud services into smaller businesses is placing a huge premium on securing identities as threat actors migrate to the same services to enable operations such as data exfiltration, business email compromise (BEC) and softening up targets for ransomware intrusions.
On the subject of ransomware, while the likes of LockBit, BianLian, Royal and ALPHV/BlackCat make headlines, SMEs are also being subjected to what Huntress called a “long tail” of uncategorised, unknown or thought-to-be-defunct lockers, which make up 60% of all identified incidents in its telemetry.
Ultimately, the report calls for a “profound reassessment” of SME defence strategies and a more nuanced approach to threat detection and response.
“Whereas once upon a time, a small organisation could likely get by with a combination of a good anti-malware solution and spam filtering, the current threat landscape renders these simplistic – if historically reasonably effective – efforts no longer satisfactory,” wrote the report’s authors.
Huntress said MSSPs and SMEs alike needed to do more to extend their visibility and security awareness beyond their perimeters, a path that is already well-trodden among enterprises in the wake of large-scale supply chain incidents.