RSAC insights: Sophos report dissects how improved tools, tactics stop ransomware attack

By Byron V. Acohido

A new report from Sophos dissects how hackers spent two weeks roaming far and wide through the modern network of a large enterprise, getting into a prime position to carry out what could have been a devastating ransomware attack.

Related: DHS embarks on 60-day cybersecurity sprints

This detailed intelligence about a ProxyLogon-enabled attack highlights how criminal intruders are blending automation and human programming skills to great effect. However, in this case, at least, they were detected and purged before hitting paydirt, demonstrating something that doesn’t get discussed often enough.

Enterprises actually have access to plenty of robust security technology, as well as proven tactics and procedures, to detect and defuse even leading-edge, multi-layered attacks. It's clear to me that cybersecurity technical innovation and supporting frameworks, which include wider threat intelligence sharing, are taking hold and making a material difference, albeit incrementally.

I had a lively discussion with Dan Schiappa, Sophos’ chief product officer, about this. For a drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Exploit surge

ProxyLogon refers to the critical vulnerability discovered in Microsoft Exchange mail servers early this year. Criminal hacking rings have been hammering away at this latest of a long line of zero-day flaws discovered in a globally distributed system. The pattern is all too familiar: they marshal their hacking infrastructure to take advantage of the window of time when there is a maximum number of vulnerable systems just begging to be hacked.

ProxyLogon ignited a surge of malicious attempts to compromise Exchange servers by hacking rings looking to carry out cyber espionage, run ransomware extortions and conduct cryptomining. ProxyLogon attacks spiked in February and March and have yet to fully abate.

Microsoft has been doing everything it can to promote the timely patching of some 400,000 Exchange servers worldwide that exhibit the ProxyLogon flaw. But patching is never easy; many thousands of Exchange servers will go unpatched for many more months. A good number may never get patched.

It is a sign of the times that even before Microsoft issued an emergency security patch, the global hacking community, both white hats and black hats, knew all about ProxyLogon. In fact, even as Microsoft was scrambling to develop a patch, one criminal ring, Hafnium, was busy scaling up its distribution of a potent exploit.

Thanks to intelligence shared by the non-profit Shadowserver security research organization, we now know that Hafnium was able to compromise 68,500 Exchange servers – before Microsoft issued a patch on Feb. 27. Hafnium is just one of dozens of hacking gangs having a field day exploiting ProxyLogon.

Good guys prevail

As this chaos was ramping up, Sophos stepped in to assist one large organization that has 15,000 endpoints distributed across operations in North America. Intruders had achieved a foothold on one unpatched Exchange server at this particular enterprise. From there the hackers moved laterally.

Over the course of 14 days they installed an array of malware deep inside the firewall. They were able to take control of multiple systems to steal account credentials, compromise domain controllers, and retain remote access to key hacked machines.

“They used very nation state-like tactics, from a ransomware perspective,” Schiappa told me. “They used very aggressive hands-on hacking, making use of traditional IT tools, and they coupled that with the use of traditional hacking tools, like Cobalt Strike, for example. So it was a combination of ‘living-off-the-land,’ making use of commercial utilities they found already in place, as well as deploying traditional types of malware.”

Sophos helped the enterprise's security team catch up to what these hackers were doing and curtail the attack before the intruders could achieve their ultimate objective, which was to put themselves in a position to demand a hefty ransom.

This brings up a point: for every massive data breach or high-profile ransomware caper that grabs headlines, I’m starting to hear about more instances like this, where the good guys prevail. True enough, cyber attacks are steadily becoming more sophisticated across the board and the attack surface continues to expand as digital transformation accelerates.

At the same time, more organizations are taking cyber risk mitigation as seriously as they should. Security teams are collaborating more efficiently with the operations and finance sides of the house, and senior management is communicating more effectively with the board, and it shows. Enterprises have made it a priority to get more out of their legacy security systems, and have also begun to embrace fresh security frameworks and use smarter tactics more consistently.

Innovation evolution

From the tools side of the equation, technology innovation certainly has never been lacking. This has remained a constant in the two decades I’ve been reporting on privacy and cybersecurity. And that remains as true as ever as RSA Conference 2021 convenes virtually this week and next week.


“We hear a lot about the sophisticated capabilities of the adversaries, we also have had a tendency to lose track of how far our defensive capabilities have come, as well,” Schiappa says.

Case in point: Sophos began as a leading supplier of antivirus (AV) software, and, like several other big AV vendors, naturally transitioned into supplying Endpoint Detection and Response (EDR) systems. Over the past five years, EDR has become an entrenched part of enterprise network defenses. Yet a Forrester report I just read posits that “EDR is dead,” to be supplanted by something called XDR, for Extended Detection and Response.

A year ago, XDR was freshly coined, one of many subtopics at RSA 2020; this year, at RSA 2021, it’s a headliner. Indeed, Sophos introduced its XDR solution last week, though Schiappa told me Sophos has no plans to sunset its EDR service. EDR continues to prove itself as an essential layer of protection for PCs and servers and XDR simply extends this layer to firewalls, email servers, smartphones and IoT devices, he explains.

“XDR opens the aperture to look beyond just endpoints and servers,” Schiappa says. “You want to look at everything because we’re seeing more attacks on cloud infrastructure. One of the most common things we see is attacks on over-privileged cloud instances. People who don’t necessarily need full access have it anyway, and when their identities get compromised, now an adversary gains access to your critical cloud infrastructure.”

EDR is only dying in the sense that it is becoming a subset of XDR, Schiappa told me. This is an encouraging advance, another signal that technology innovation is keeping pace. RSA 2021 is overflowing with examples of cybersecurity vendors striving to leverage machine and human capabilities in smarter ways. Incremental gains are being made. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

