Summary of incident investigation and retrospective analysis projects, 2023–2024

PT ESC IR
The Positive Technologies Expert Security Center Incident Response team

Yana Avezova
Senior analyst, Research Group of PT Cyber Analytics

The Positive Technologies Expert Security Center Incident Response (PT ESC IR) team has years of experience in responding to incidents and investigating cyberattacks. PT ESC IR conducts dozens of incident response, investigation, and retrospective infrastructure analysis projects every year for both government institutions and businesses. Our IR experts assist a wide range of companies, from small businesses where the system administrator doubles as the information security engineer, to large enterprises listed in the RAEX rating and industry leaders with dedicated information security teams and SOCs.

Last November, we published our first report on the work done by the PT ESC IR team from 2021 through Q3 2023. This new analytical report provides an overview of our work from Q4 2023 through Q3 2024. During that period of time, PT ESC IR completed around one hundred projects involving investigations and retrospective analysis for organizations worldwide. We have conducted an analysis of what we believe are the critical aspects of incidents. In this report, we share the results of our analysis, project statistics, notable cases, and key trends we managed to identify. Furthermore, we have listed key flaws in security mechanisms and approaches that contributed to incidents. To address these shortcomings, we have formulated a series of recommendations aimed at minimizing the number of successful future cyberattacks.

• We are seeing a substantial increase in the demand for incident response projects. The year 2023 saw a 176% increase, and the first through third quarter of 2024, a year-on-year rise of 24%.
• Industry (23%) and government institutions (22%) were the biggest PT ESC IR customers. The share of requests coming from IT customers increased from 8% to 13% year on year.
• The mean¹ time to detect (TTD) of a security incident was 17 days. An average incident lasted 23 days, whereas the average time to contain (TTC) the incident was 3 days. Our investigation revealed that the most persistent malicious activity spanned nearly three years, whereas the shortest incident was resolved within 24 hours.
• Thirty-nine percent of companies showed evidence of infiltration by known APT groups. Thirty-five percent saw critical data encrypted or deleted, or business disruptions.
• Web applications located on the network perimeter were used as the initial access point in 44% of incidents. These were most frequently websites running on the 1C-Bitrix content management system (CMS). Their share increased from 13% to 33% year on year.
• There is an increasing trend of trusted relationship attacks where threat actors are gaining access to corporate networks via their third-party external providers. What once had been seen as isolated occurrences exploded to 15% over the past year.
• The share of incidents affecting internal business processes soared from 32% to 50% when compared to 2021–2023. We attributed this to a rise in cyberattacks by hacktivists and financially motivated threat actors who typically demand ransom payments to restore compromised systems.
• The primary causes of successful cyberattacks on companies were outdated software (47%), lack of two-factor authentication (41%), and insufficient network segmentation (38%).

1. Median values are reported as the mean.

The bulk of the PT ESC IR team's work from Q4 2023 through Q3 2024 was focused on incident investigation projects, with an additional 10% allocated to retrospective infrastructure analysis. These project types have distinct objectives for service delivery.

As part of a retrospective analysis, cybersecurity experts are tasked with examining a maximum amount of relevant data over the longest possible timeframe to identify both current and past (previously undiscovered) incidents as well as any suspicious or malicious activity, and assessing their significance. 

The objective of incident investigations is to meticulously reconstruct the timeline of adversaries' actions associated with a specific security incident reported by the customer. Beyond reconstructing the timeline of an incident, IR specialists assess the extent of the incident under investigation and its impact. If an attack is yet in progress by the time our team gets involved, the primary goal of PT ESC IR is to identify the attacker's foothold and swiftly eliminate their access, mitigating any potential business impact.

We are seeing a constant increase in the demand for incident response projects. The year 2023 saw a 176% increase, and the first through third quarter of 2024, a year-on-year rise of 24%.

Below are the key drivers behind companies choosing incident investigation services.

1. The company's security systems have detected suspicious or malicious activity within the network, or the company has received an alert from PT ESC (PT ESC Threat Intelligence, the SOC, or a pilot project team). This most common cause accounted for 52% of cases.
2. The company has been hit by a ransomware attack, where attackers demanded a ransom to restore encrypted data, or employees were unable to access data due to it being encrypted or erased. The share of this type of requests more than doubled over the past year from 15% to 37%.
3. Hackers have gone public about breaking into the company's systems and have either dumped the stolen data on their DLSs² or are offering it on a dark web data market. The share of these requests remained virtually unchanged at 9%.

PT ESC IR gathers and processes data from multiple hosts to investigate incidents and perform retrospective analysis. Nearly a third (32%) of projects involved analysis of data from more than 100 hosts, with 12% surpassing 1000. The maximum number of hosts analyzed in a single project was nearly 44,000.

In most cases, the information analyzed during an investigation fits into one of the following categories, listed by decreasing incident frequency:

• Live response data (>70% of the total volume)
• Customer network security scan data
• Malware samples
• Security logs
• Customer-gathered incident data
• Host images
• RAM dumps
• Traffic samples
• Web server logs
• VPN traffic logs
• DNS server logs
• Traffic logs
• Phishing email samples
• DBMS logs
• DLP screen recordings

Most of these data come from PT Dumper or malware analysis. Our IR team has experience with less common data sources too. For example, in a recent project, IR experts reconstructed the incident timeline by reviewing screen recordings captured by a DLP system and showing the attacker's actions on compromised hosts.

Logs generated by security systems are an essential data source. In addition to these, VPN, DNS, network traffic, and DBMS logs are often crucial for investigations. Unfortunately, attacked organizations do not always have these data due to inadequate event logging configurations for these types of services. In such instances, PT ESC IR experts provide guidance on configuring the logging of sources required for the investigation.

Industry (23%) and government institutions (22%) were the most frequent PT ESC IR customers. The share of requests coming from IT customers increased from 8% to 13% when compared with the previous period (2021–2023). IT is now the third largest source of requests, having replaced finance, which dropped to sixth place and whose share shrank from 12% to 4%.

Many IT companies act as service providers for a large number of organizations in other sectors. Consequently, a breach of these companies could compromise their clients' internal networks through trusted relationship attacks, which we cover below. We believe this is something that makes IT companies attractive targets for cybercriminals.

Every tenth (11%) of our customers is among the largest companies in Russia by sales according to RAEX-600.

The average (median) time from the initial network compromise to the detection of the adversary was 23 days. Our investigation revealed that the most persistent malicious activity spanned nearly three years, whereas the shortest incident lasted 24 hours.

In some cases, when the PT ESC IR team gets involved, the attacker may still be active within the environment, causing ongoing damage to the data being processed there. In these situations, the focus shifts to rapidly containing the incident. It is considered to be contained when the adversary is no longer able to cause further harm to the infrastructure, communicate with their own servers, or spread laterally within the corporate network.

Following containment, PT ESC IR experts undertake a standard process to reconstruct a highly detailed incident timeline and assess the full impact, identifying any affected systems, accounts, etc.

We have identified the following incident temporal metrics:

• TTD (Time to Detect) is the time it takes for the customer's cybersecurity team to discover an incident after it has begun.
• TTC (Time to Contain) is the time it takes to contain the incident after response has started.
• TTR (Time to Response) is the time it takes to complete the investigation after it has begun.

Thirty-nine percent of companies showed evidence of infiltration by known APT groups at some time or another. It is common for PT ESC IR to uncover evidence of APT group activity that occurred outside the timeframe of the incident under investigation. Clients have sought our IR team's assistance in the wake of destructive activities like data encryption or VM deletion. During these engagements, our investigators often uncovered evidence of prior APT attacks mainly aimed at cyberespionage. 

Thirty-five percent of companies showed evidence of incidents that we categorize as Cybercrime. This category encompasses mostly attacks designed to disrupt the company's business through actions like data encryption or deletion.

It is essential to acknowledge that unequivocal attribution of attacks is often unrealistic. Twenty-three percent of companies showed evidence of publicly unidentified threat actors. Figure 11 shows the distribution of the victims of detected attacks across sectors.

PT ESC IR specialists detected incidents attributed to 17 known APT groups over the period under review. These attributions were derived from an analysis of tools, malware, network infrastructure, and TTPs employed. Table 1 contains the full list of the groups.

APT groups tend to use custom-built tools to remotely access networks they compromise, harvest and exfiltrate data. Examples can be found in Table 2.

Attacks in the Cybercrime category tend to rely on ransomware, legitimate data encryption tools, and wipers. Threat actors may utilize these tools not only to damage data and networks but also to cover their tracks, obstructing incident investigation efforts. 

LockBit is not the only tool popular with ransomware gangs. Legitimate commercially available and open-source data encryption programs, such as Disk Cryptor and BestCrypt, are often misused by threat actors. Their cumulative share amounted to 23 percent. The complete list of software detected by our investigators can be found in Table 3.

Download figure

In addition to malware, attackers utilize post-exploitation frameworks, a variety of publicly accessible utilities, and tools with dual-use capabilities. We have mapped these tools to MITRE ATT&CK tactics on a heat map to visualize their frequency in our projects—see Fig. 12.

In order to remain undetected by security systems and cybersecurity analysts, many attackers opt to utilize legitimate utilities that are natively installed on compromised systems, eliminating the need for external downloads. These are known as living-off-the-land (LOTL) tools, such as LOLBins or LOL binaries. A list of these utilities can be found on the LOLBAS and GTFOBins project pages. Below are examples of the most common LOLBins.

Download heatmap

This section will delve into the prevalent and particularly noteworthy tactics utilized by cybercriminals to carry out their attacks. It describes the techniques in terms of MITRE ATT&CK Matrix for Enterprise version 15.1, providing links to the detailed descriptions. Furthermore, we will illustrate the application of various sub-techniques, cross-referenced by their respective identifiers, such as T1566.001. We have broken down the cyberattack process into 10 logical stages and mapped these to MITRE ATT&CK tactics—see Fig. 13.

Exploiting vulnerabilities in public-facing web applications (Exploit Public-Facing Application) remains the primary method for attackers to breach corporate networks. Our previous analytical report mentioned the Microsoft Exchange mail server as the most exploited application. In our experience, a majority of attacks targeting Exchange exploit ProxyShell or ProxyLogon vulnerability chains. That being said, the number of servers running outdated versions of Exchange is dwindling. As a result, the share of initial attack vectors associated with Exchange has dropped to 17%.

Websites running on the 1C-Bitrix CMS emerged as the primary target, accounting for 33% of all attacks that exploited vulnerabilities in web applications. Attackers also exploited vulnerabilities in Atlassian products (specifically, CVE-2023-22515, CVE-2023-22518, and CVE-2023-22527), the Apache web server (CVE-2023-46604), the web interfaces of Citrix NetScaler ADC and NetScaler Gateway components (CVE-2023-3519, CVE-2023-4966, and CVE-2023-4967), and other products.

Phishing emails (Phishing) continued to be the second most common way for hackers to gain access to systems. Their share remained at 17%. In 13% of cases, threat actors exploited publicly accessible remote services like VPN, RDP, or SSH (External Remote Services) to gain an initial foothold in target systems. 

Example: 1C-Bitrix vulnerability exploitation

While investigating an incident, our IR team encountered an exploit that targeted the 1C-Bitrix CMS (content management system). A security flaw in that system stemmed from non-standard authentication points within the administration interface: scripts that triggered an authentication form when accessed. So, even if the website administrator had blocked access to /bitrix/admin, attackers could still access the login-and-password entry form through non-standard authorization points. More details can be found here. A simple login and password are easy for attackers to guess. In the incident in question, the adversary pushed a web shell through a file upload module after gaining access to the administration interface. This enabled them to execute OS commands and escalate the attack to gain direct access to the DBMS and view the information stored in the database. In that incident, the attackers were able to mask the IP addresses of the external servers that they were using to perform these actions. They did this by spoofing the firewall IP address in the X-Forwarded-For HTTP header of requests to 1C-Bitrix.

Download figure

We are seeing a growing trend where threat actors are gaining access to corporate networks via their vendors (Trusted Relationship). Attacks of this type had happened earlier, but those were only isolated occurrences. The share of trusted relationship attacks exploded to 15% over the past year. Vendors, often being small or medium-sized businesses, tend to have less robust cybersecurity than their clients. Attackers often find it easier to compromise the vendor's network first, using their access as a stepping stone to infiltrate the target networks. Besides, vendors are often IT companies in the systems integration or software development business. A breach of these companies could provide attackers with a backdoor into the internal networks of multiple clients across a variety of sectors.

Example: a compromised vendor employee account

In one incident, cybercriminals exploited a previously compromised employee domain account to access a host on the vendor's network via RDP. On the vendor's internal web servers, the attackers discovered instructions and credentials for accessing the customer's network. The adversary took advantage of missing two-factor authentication to easily gain access to the customer's network and develop the attack.

A common technique employed by cybercriminals to maintain persistent access to a compromised system involves creating scheduled tasks (Scheduled Task/Job). The task scheduler can be used to set up automated jobs that run on a schedule or in response to specific system events, like system startup or user login. Attackers leverage this technique to embed malicious payloads and certain legitimate software, such as traffic tunneling utilities.

We would like to specifically highlight the persistence methods employed by the ExCobalt threat actor. In multiple Windows environment incidents analyzed by our IR team, attackers employed two techniques: creating or manipulating scheduled tasks, and installing malware as Windows system services (Create or Modify System Process). On Linux systems, ExCobalt implanted the Kitsune rootkit by using the dynamic linker hijacking technique (T1574.006). This technique involves hijacking the normal execution of a legitimate process and injecting malicious code by taking advantage of the dynamic linker ld.so. To establish Kitsune, the attackers hardcoded the path to the rootkit (/lib64/libselinux.so) into /etc/ld.so.preload which the dynamic linker accesses. As a result, the rootkit was loaded before other libraries and could redefine system calls.

In certain companies, cybercriminals gained network persistence by altering existing user passwords (Account Manipulation) or setting up new accounts (Create Account), and then adding these to groups with high-level permissions.

Threat actors typically exploit vulnerabilities (Exploitation for Privilege Escalation) to escalate their privileges in a compromised system. Those are often vulnerabilities that the information security professional community has been aware of for years. Due to many companies lacking a structured OS and software update process, they continue to pose a risk. Across multiple projects, we saw attackers trying to exploit the CVE-2020-1472 (Zerologon) vulnerability within the encryption protocol utilized by Windows' Netlogon service. This vulnerability permits an attacker to impersonate a domain controller and reset its password to gain control over the entire domain and develop the attack. Exploitation leveraged the publicly available AutoZerologon exploit.

Several Linux systems showed traces of attempts to escalate privileges via the CVE-2021-4034 (PwnKit) vulnerability in the pkexec utility, a part of the polkit component. This occurs due to incorrect handling of the number of arguments passed to the main() function. As a result, environment variables are executed as commands, allowing an attacker to perform local privilege escalation. This is one of the most commonly exploited privilege escalation vulnerabilities in Linux. There are several publicly available exploits.

Our experts detected multiple instances of using specialized tools and scripts for privilege escalation within Linux systems, such as the relatively new ttyinject utility and the well-known linpeas (Linux Privilege Escalation Awesome Script).

Mimikatz and its various mods have been the preferred utility for obtaining account credentials for years. With 35% of total projects, this is the tool that we most frequently detected in our incident investigation and retrospective analysis efforts. The XenAllPasswordPro utility, with 10% of projects, was the second in terms of frequency.

The key credential harvesting techniques used by threat actors were as follows:

• Dump LSASS memory in Windows and follow up with Mimikatz.
• Obtain an NTDS.dit Active Directory database file from a domain controller.
• Use specialized utilities like secretsdump from Impacket or CrackMapExec to extract credentials from a Security Account Manager (SAM) database by reading the SAM, SYSTEM, and SECURITY registry keys from the HKLM hive.
• Use specialized utilities, such as XenAllPasswordPro, to extract stored authentication data from web browsers.
• Scan user-generated files, such as "passwords.txt" or "logins.txt", that may contain plaintext logins and passwords.
• Use dictionaries and specialized utilities to guess logins and passwords.
• Restore authentication data with Veeam Backup and Replication.

In several instances, the attackers used a script to download XenAllPasswordPro onto compromised systems. They then ran the utility with an "-a" switch, which instructed it to harvest credentials from all accessible sources. The output was saved to an HTML report. The reports were stored on the domain controller, in directories specifically named after individual computers and users. The utility was then removed from the compromised hosts. One project saw credentials harvested from more than 50 hosts that way, and another, from more than 200.

We saw threat actors use custom-built backdoors less frequently than in 2021–2023. Instead, they relied on well-known post-exploitation frameworks, such as Metasploit, Sliver, or Merlin, coupled with tunneling utilities, which we cover below. In addition to this, attackers used various commercially available and open-source packers to complicate malware analysis and evade detection (Obfuscated Files or Information). The most popular packers were UPX, VMProtect, Themida, and ASM-Guard. Furthermore, cybercriminals used code obfuscation tools, such as Garble.

In the post-exploitation stage, attackers focus on degrading the target's security posture (Impair Defenses) to facilitate their malicious activities. The most common method is to disable or reconfigure security systems (T1562.001). The first thing the attackers seek to do is to disable antivirus protection tools that block the installation of malware.

Our experience indicates that attackers are increasingly turning to Bring Your Own Vulnerable Driver (BYOVD) to execute the T1562.001 sub-technique. This vulnerability grants attackers kernel-level privileges, enabling them to bypass security systems on compromised hosts and extract process memory dumps.

In addition to exploiting legitimate drivers, attackers leveraged loopholes in Microsoft policy. Essentially, attackers signed newly compiled drivers with unrevoked certificates issued before July 29, 2015, thereby successfully bypassing OS checks and loading kernel-mode drivers onto compromised hosts. 

During incident response and investigation engagements, our IR team came across instances where attackers had executed the MSBuild Bypass technique. They leveraged the MSBuild software development platform to indirectly execute malicious code. This technique involves delivering malicious code to the host in an encrypted state. Once there, the code is decrypted and compiled with Microsoft Build Engine directly on the compromised host. We have covered this technique in greater detail in our Telegram channel. 

Once an initial foothold has been established, threat actors begin reconnaissance of the network environment. They scan the corporate network to identify potential lateral movement paths from the compromised host. At this stage, the adversary is aggressively employing a variety of network scanners. The prevalent tools were SoftPerfect Network Scanner (detected in 15% of projects), Nmap (10%), and fscan (8%). The complete list of network scanners is reflected on the tool heat map—see Fig. 12.

Attackers tend to investigate Active Directory in Windows networks. Commonly used tools for this purpose include AdFind, ADRecon, ADExplorer, and the PowerView component of the publicly available PowerSploit framework. The following are examples of how PowerView was exploited in actual cyberattacks. Figure 22 shows a listing of commands indicating that attackers used PowerView to detect hosts where privileged users had logged in, and saved the data in text format for further analysis. Figure 23 presents the commands that attackers used to search for files associated with the vSphere virtualization platform.

In some cases, attackers have masked the tools used at this stage. In one instance, a malicious actor disguised the fscan scanning tool as a legitimate browser file. To evade detection during reconnaissance within a target network, attackers often leverage a variety of built-in OS commands and utilities, such as whoami, net, taskkill, nslookup, ipconfig, ping, route, and living-off-the-land tools. 

Once attackers have compromised a network, they typically move laterally via the RDP (T1021.001), SMB (T1021.002), and SSH (T1021.004) protocols. At this stage, the attackers most frequently used the SMBExec and AtExec utilities from the Impacket framework (detected in 33% of projects) and PsExec from Sysinternals (26%) for remote command execution.

In several instances, attackers resorted to SSH session hijacking (T1563.001) to propagate through the network. The SSH-IT network worm was employed to facilitate this technique. At the moment an SSH process is created, the malware gains access to the process's memory, intercepts the content of outgoing SSH sessions, including authentication information, and automatically propagates itself across hosts. We wrote about how to detect signs of this tool being installed on nodes in our Telegram channel.

Another lateral movement technique observed by our IR team involved Restricted Admin mode for RDP connections. It was first introduced in Windows 8.1 and Windows Server 2012 R2. When Restricted Admin mode is disabled, credentials are cached in the memory of the LSASS process on the Windows host to which the RDP connection was made. In a system with Restricted Admin mode enabled, a local administrator authenticates with an NT hash or Kerberos ticket instead of a password, preventing passwords from being cached or falling into the hands of attackers when they connect to the compromised host. However, Restricted Admin mode opens the door to pass-the-hash attacks. Restricted Admin mode is disabled by default. In this specific case, the attackers activated it by changing the registry key DisableRestrictedAdmin from 1 to 0. Importantly, with Restricted Admin mode enabled, authentication occurs on the RDP client rather than the server, which can be used to bypass multi-factor authentication.

To remotely control compromised hosts and deliver malware, attackers can use both custom Remote Access Trojans and publicly available legitimate tools designed for the purpose. Cybercriminals can load these utilities into the infrastructure or take advantage of existing tools if previously used by employees, such as system administrators. As evidenced by our investigation projects, the top three most popular tools for remote host management among attackers were AnyDesk, Mesh Agent, and RMS. A complete list of tools in this category that we detected can be found in Table 6.

Cybercriminals leverage a variety of traffic tunneling toolset to rapidly establish a convenient access channel from the Internet to a previously compromised host within the victim's local access network. To bypass security controls, particularly to gain Internet access to a server behind a NAT or firewall, attackers set up reverse tunnels: connections from the internal network to an external system they control.

Our IR team's findings revealed that gsocket was the most prevalent traffic tunneling toolset in networks containing Linux hosts, detected in 48% of companies with Linux hosts in their infrastructure. This utility facilitates TCP connections between hosts by using the publicly available cloud service, Global Socket Relay Network (GSRN). We recently discussed indicators for identifying gsocket installations in our Telegram channel.

For Windows-based systems, the publicly accessible tool Ngrok is the most widely used one for traffic tunneling, detected in 23% of companies with predominantly Windows hosts. Attackers commonly employ Ngrok to access internal systems within a customer's network, mostly via RDP. Ngrok's use of its own network infrastructure for connections obfuscates the attacker's IP address, providing an additional advantage. The presence of ::%16777216 in the source IP address field of Windows connection logs on the target host can indicate Ngrok usage, though this value may also appear in logs when using other solutions like RDG.

Beyond gsocket and Ngrok, the top five most popular tools for traffic tunneling included Chisel (detected in 14% of companies), Revsocks (10%), and LocaltoNet (6%). A complete list of traffic tunneling toolset identified in our projects is presented in Table 7.

Importantly, attackers sometimes create multiple tunnels by using different tools, which allows them to maintain access to the network even if one of the tunnels is detected and eliminated.

The main sources that attackers sought to harvest data from were as follows:

• Local user directories
• Network directories
• Browsers
• Messaging apps
• Email accounts
• Corporate knowledge bases
• Code repositories

In one of our projects, we discovered that at least 28 repositories' worth of code had been exfiltrated from a corporate GitLab.

The primary targets for attackers are files containing the following:

• Credentials
• Internal documents, instructions, and details of the corporate infrastructure
• Operating system event logs
• Software configuration files

When attacking large-scale infrastructures, attackers almost always automate data harvesting (Automated Collection). For instance, in one attack, the adversary targeted over 600 hosts with a PowerShell script for reconnaissance. This script built a directory tree on each compromised host to store files containing information about the host, users, their activity, and any credentials found on the host.

Based on the analysis of network indicators gathered during our projects, we have compiled data on the most popular autonomous systems (ASNs) and their geographic locations, as well as a top 10 list of VPN services popular with threat actors—see Fig. 26. The most frequently encountered ASNs included AS48282 Hosting technology LTD including IP address ranges belonging to VDSINA VDS Hosting, AS20473 The Constant Company LLC, and AS212165 Alex Group LLC. The top three services included Proton VPN, Mullvad, and Flow VPN.

Many companies in critical sectors are blocking or, at the very least, closely monitoring connections from IP addresses located outside Russia. Aware of this, attackers are leasing IP addresses from Russian data centers, which explains a high proportion of Russian IP addresses in our dataset.

Drawing on our incident response experience from the past year, we have compiled a list of high-priority directories to examine during a suspected cyberattack. It is precisely in these directories that attackers most often "settle". Within these, we discovered evidence of virtually every type of cybercriminal activity: malware, malicious configurations, and services. Note that any findings in these directories require expert validation.

The share of incidents affecting internal business processes increased in comparison to 2021–2023 from 32% in the previous reporting period to 50% today. We attributed this to a rise in cyberattacks by hacktivists and financially motivated threat actors who typically demand ransom payments to restore compromised systems. Typically, these attacks are relatively short-lived. The median duration was 15 days, and one-quarter of attacks finished within three days. However, there are exceptions: in one company, attackers began encrypting the data only two years after initially gaining access. If an incident response is delayed, full recovery of the infrastructure after that type of attack could take months.

Every fifth (19%) of are projects detected traces of reconnaissance and espionage. These were typically multi-stage, long-duration attacks by APT groups specializing in cyberespionage, such as Space Pirates, Hellhounds, and Cloud Atlas. The median duration of these attacks was 289 days, with the longest one lasting more than three years.

In 12% of projects, incidents involved cyberattacks designed to quickly exfiltrate confidential data without maintaining presence within the target network. In most cases, this type of cyberattacks involves exfiltrating stolen data to external cloud storage, often using popular services like MEGA. Hackers typically employ publicly accessible tools like Rclone. These incidents lasted 47 days on average.

Nearly a third (31%) of organizations had at least one domain controller compromised as attackers moved laterally through their networks. In one particular case, we discovered a staggering 11 compromised domain controllers within a single organization. By gaining access to a domain controller, attackers can develop the attack by spreading malware to other hosts via global Windows policies.

In addition to these, attackers targeted Microsoft Exchange servers in 18% of cases. In several incidents, we encountered the use of an Exchange SSRF exploit targeting two vulnerabilities in the ProxyShell chain: CVE-2021-34473 and CVE-2021-34523. This script allows for the exfiltration of mailbox contents from a compromised Exchange server, while operating under the highly privileged NT AUTHORITY\SYSTEM account. We have previously shared several exploitation examples on our Telegram channel. In incidents investigated by PT ESC IR, cybercriminals leveraged Exchange SSRF to extract email correspondence and utilized fragments of that data as evidence of the breach to extort ransoms.

During the lateral movement phase of an attack, the adversary also typically targets central security management servers. These have broad network visibility and privileged accounts, making them a prime target for attackers. Malicious actors often use these servers to spread malware and deploy ransomware.

Attackers cover their tracks by removing or modifying indicators of compromise. If an incident spans a long period, some of the associated artifacts may simply be lost due to log rotation or the rebooting (or shutdown) of compromised systems. This makes it difficult to accurately assess the full scope of an incident, and it is not always possible to determine the exact number of affected systems or accounts. However, our estimates suggest that at least ten systems and five accounts were compromised in half of all infrastructures. It is crucial to note that if a domain controller and/or domain administrator credentials are compromised, all user accounts within that domain could be at risk.

As in previous cases, attackers most frequently targeted Windows-based systems. However, note a significant increase in attacks on Linux systems, accounting for 28% of all incidents. We strongly recommend paying closer attention to the security of your Linux hosts if you have any within your infrastructure. This latest data once again proves that the notion of Linux systems being virtually immune to cyberattacks is a mere misconception.

In half (47%) of our projects, we encountered outdated operating systems or software, particularly on network perimeter hosts, and a lack of a structured update process. In 41% of projects, successful attacks were facilitated by the absence of two-factor authentication on the hosts. It is important to note that in some cases, two-factor authentication could have prevented trusted relationship attacks.

In 26% of our projects, we consistently identified shortcomings in endpoint security configurations. Specifically, numerous workstations and servers were found to have antivirus software settings that were inadequate for providing proper protection, or antivirus tools were not deployed across the entire infrastructure.

In 38% of projects, we saw insufficient network segmentation. The lack of effective segmentation can significantly reduce the duration of certain phases of a cyberattack. During the internal reconnaissance phase, a lack of network segmentation allows attackers to gather information about all other hosts from any point within the network and quickly identify priority targets. This enables the compromise of these targets—both key network nodes like domain controllers and more specialized systems that could directly facilitate the attackers' objectives—almost from perimeter hosts. For example, if attackers intend to encrypt or destroy data, a lack of network segmentation significantly simplifies their task, as any host can serve as a centralized point for spreading and launching malware that can reach all required hosts, potentially maximizing the damage.

In almost one-fifth (18%) of our projects, we encountered insecure storage of sensitive information, particularly authentication credentials. In several cases, attackers had gained access to files containing plain text credentials, often stored directly on employees' desktops. Additionally, attackers frequently searched for logins and passwords within internal information systems, such as Confluence.

In 12% of projects, we discovered deficiencies in password policies: easy-to-guess and insufficiently long passwords, including some blank or default ones, for accessing services on the network perimeter, and reuse of credentials across different resources.

Our research into current cyberthreats worldwide, and in the CIS in particular, indicates a yearly increase in the intensity of cyberattacks. Concurrently, there has been a corresponding rise in the number and scope of incident response and retrospective analysis projects undertaken by IR experts with the PT ESC team. Our vast experience demonstrates that numerous security incidents can be mitigated or halted before non-tolerable events occur. To ensure this, we recommend adhering to fundamental cybersecurity principles:

• Use up-to-date operating systems and applications including security systems, and establish processes for vulnerability management and remediation. Watch for trending vulnerabilities in your assets, and set a 24 hour remediation SLA.

• Enforce two-factor authentication for all publicly accessible services, such as VPN and email, and mandate this for all administrative accounts within the corporate network.

• Segment your network and restrict access between segments in line with your business processes. Limit communications within segments with a firewall on hosts for required ports/services.

• Implement a routine backup process for critical assets, and store these backups in an isolated environment. Implement a robust data backup strategy following the 3-2-1 rule.

• Enhance endpoint security with a focus on antivirus protection. All critical servers and workstations must have antivirus software installed and running in continuous monitoring mode. Additionally, we recommend implementing antivirus solutions from multiple vendors capable of detecting the hidden presence of malware and blocking malicious activity in a variety of data streams: email, network, and web traffic, file storage, and websites. 

• Conduct regular audits of the network perimeter to identify vulnerabilities and unused publicly accessible services.

• Avoid storing sensitive data in plain text. We recommend the use of encrypted partitions or containers, which require strong passwords to access, for storing files that contain sensitive information. Use a password manager to store and fill in credentials.

• Set minimum password strength requirements that exclude dictionary words. Protect credentials using Credential Guard.

• Implement centralized collection and long-term (at least year-long) retention of event logs from domain controllers, information security systems, VPNs, and DNS and proxy servers.

We strongly recommend using advanced security tools and technology that have proven effective in thwarting cyberattacks. These include the following:

• Security information and event management (SIEM) systems

• Behavioral network traffic analysis (NTA) systems

• Next-generation firewalls (NGFW)

• Web application firewalls (WAF)

• Sandboxes

• Endpoint detection and response (EDR) and more advanced extended detection and response (XDR) solutions

• Privileged access management (PAM) systems

Stay ahead of cyberthreats and current techniques employed by active threat groups and cybercriminals by following PT ESC Incident Response. Read other teams' posts in the ESCalator Telegram channel and our regular analytical reports on the cyberthreat landscape and trending vulnerabilities. This information will help you to stay one step ahead of cybercrooks and accelerate incident response.