Attackers are easily sidestepping endpoint detection and response (EDR) and extended detection and response (XDR) defenses, often catching enterprises unaware, according to a new study of cybersecurity threats.
The study of global cyberthreats, by EDR/XDR vendor Trellix, highlighted the danger posed by the emergence of “EDR killer tools” and their use to deliver ransomware or conduct attacks on telecommunications operators. It cited as examples the D0nut ransomware gang, which used an EDR killer to enhance the effectiveness of their attacks, and the Terminator tool developed by Spyboy and used in a new campaign in January 2024 that primarily targeted the telecom sector.
John Fokker, the head of threat intelligence at the Trellix Advanced Research Center, said that he was surprised by how boldly and blatantly some attackers have gotten with such sidestep attacks. “EDR evasion isn’t new, but what was interesting was when we saw an Russia-linked state actor actively leveraging this technique so out in the open,” Fokkeer said.
Matt Harrigan, a VP at Leviathan Security, reviewed the Trellix study and said he was not surprised by the attacks, but that he is surprised by how many enterprise CISOs today are overly reliant on their defenses and explicitly not preparing for EDR/XDR evasion tactics.
“They are overestimating the capabilities of their traditional EDR platforms. These technologies are being disabled and the attacks are successfully occurring,” Harrigan said.
Pointers on protecting EDR
Another security executive, Jon Miller, CEO of Halcyon, gave CISOs some pointers for how to protect their EDR/XDR systems from harm. These evasions typically work from one of three security weaknesses, he said: vulnerable kernel drivers (unpatched known vulnerabilities); registry tampering; and userland API unhooking. “MGM and Caesars, both of them were running EDRs that were subverted,” Miller said, referring to attacks on two Las Vegas casino operators.
Much of the Trellix study explored the changes in various attack methodologies leveraging different malware tools.
“Sandworm Team, historically known for its disruptive cyber operations, has seen a staggering increase in detections by 1,669%,” it said, suggesting that this meant a corresponding increase in attacks by the Russia-linked group, and not just an improvement in detection rates. APT29, a group known for cyber espionage, saw detections increase by 124%, while detections of activity by APT34 and Covellite also rose, by 97% and 85% respectively, hinting at the launch of new campaigns. Groups including Mustang Panda, Turla, and APT28, on the other hand, saw minimal changes in detections. “Noteworthy is the emergence of UNC4698, which saw a 363% increase in detections, suggesting the rise of a potentially significant new player in the APT landscape,” the study said.
It also noted meaningful decreases in detection of activity by groups linked to North Korea (down 82%), Vietnam (down 80%), and India (down 82%), but Fokker said that his team couldn’t determine why. “Unfortunately we haven’t got a clear explanation as to why their activity dropped. There can be a multitude of reasons behind the decrease in detections,” Fokker said.
Targeting Turkey
Detections in threats targeting Turkey increased by 1,458%, translating to a 16% rise in its proportional contribution to the total detections. “This remarkable increase indicates a significant shift in cyber threat focus towards Turkey, possibly reflecting broader geopolitical tensions or specific operational objectives of the APT groups,” the study said.
It also noted an increase in copycat attacks, where malware groups started impersonating other groups: “Following a global law enforcement action, Operation Cronos, Trellix observed imposters pretending to be LockBit, all while the group frantically tried to save face and restore the lucrative operation.”
Overall, the study found that the US remains the most targeted country, followed — for now — by Turkey, Hong Kong, India and Brazil.
There were notable differences in the volume of attacks between industries, too. Trellix saw transportation and shipping as most threatened by ransomware, generating 53% of ransomware detections globally in the fourth quarter of 2023, and 45% in the first quarter of 2024. The finance industry was next most targeted.
“From October 2023 through March 2024, Trellix observed a 17% increase in APT-backed detections compared to the previous six months,” the study said. “This is notable as our last report identified a staggering 50% increase in these detections. The APT ecosystem is fundamentally different from a year ago — more aggressive, cunning, and active.”