A year ago, Sophos X-Ops published our research into threat actor attitudes towards AI. We went into the underground forums to see what they were saying about AI.
At the time, we found threat actors were skeptical, grappling with the same issues, problems, and concerns everyone was.
A year later, we've returned to see what, if anything, has changed. Overall, we've seen a slight shift, but the song remains the same: skeptical.
Get more details in our latest report here:

https://news.sophos.com/en-us/2025/01/28/update-cybercriminals-still-not-fully-on-board-the-ai-train-yet/
#sophosxops #threatintel #ai

Update: Cybercriminals still not fully on board the AI train (yet)

A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a …

Sophos News

Continue getting ready for the new year with part two of our two-part series on “Patch Prioritization.”

Here we go into #EPSS, #SSVC, #KEV, and other tools and frameworks.

https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-2-alternative-frameworks

#sophosxops #threatintelligence #patching #patchprioritization

Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks

In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS

Sophos News

Get ready for the new year by taking time to better understand how to prioritize your patching.

Read “Understanding #CVSS,” part one of our two-part series on “Patch Prioritization.”

https://news.sophos.com/en-us/2024/12/27/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-1-cvss/

#sophosxops #threatintelligence #patching #patchprioritization

Prioritizing patching: A deep dive into frameworks and tools – Part 1: CVSS

In the first of a two-part series exploring tools and frameworks which can help organizations with remediation prioritization, Sophos X-Ops takes a look at the Common Vulnerability Scoring System (…

Sophos News
Additionally, case data reveals a 3-week delay before Akira posts victim information on their leak site. Research indicates 127 victims have been posted to their leak site over the last 6 months. Sophos X-Ops is tracking 2 active Akira threat clusters (STAC5881, STAC5397), with STAC5397 also deploying Fog ransomware. We commonly observe them leveraging PsExec, Advanced IP Scanner, SoftPerfect Network Scanner, 7-Zip, Rclone, AnyDesk, WinRAR, WinSCP and FileZilla software during intrusions. #Akira #ransomware #threatintel #Sophosxops

Sophos X-Ops has just released a brand-new Active Adversary Report, covering the first six months of 2024 – a little light holiday reading, as one does. For the first time ever, data from MDR's customer-facing Incident Response team is fully incorporated with data from our dedicated Incident Response team. The result is our largest dataset ever, with 190 entries normalized across 63 fields.

Perhaps the most startling finding of all is that abuse of LOLbins was up, way up, in the first half of the year. The AAR analysis team thought it might be a hallucination brought on by ingesting all that MDR data but... it isn't. The report has details, including what (besides RDP) is getting a workout. (Spoiler: You name it. Some of these attackers are just odd.)

We worked on a great number of ransomware cases in 1H24, as you'd expect. What you might not expect is which ransomware brands were most often involved, especially if you follow the headlines about high-profile law-enforcement activities. The new report looks at how the scene shaped up after the February 2024 LockBit takedown and points out a data pattern that you might not have glimpsed in the usual day-to-day news coverage.

Finally, as AAR stands on the cusp of its sixth year of data (the first AAR was published in 2021, covering 2020 and the then-new IR team), we revisited some of our older investigations -- dwell time, time-to-Active-Directory, and many more. Updated information on these topics and many more is in the report. Enjoy!

https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/

#threatintel #Sophosxops

The Bite from Inside: The Sophos Active Adversary Report

A sea change in available data fuels fresh insights from the first half of 2024

Sophos News

Sophos X-Ops teams are monitoring and responding to attacks against Cleo products VLTrader, Harmony, and LexiCom in versions prior to 5.8.0.23 of each, as outlined in this advisory: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending.

Sophos MDR and Labs teams can confirm seeing 50+ unique hosts targeted by these attacks at this time.

All observed impacted customers have a branch or operate within North America, primarily the US. We note that the majority of observed affected customers are retail organizations.

Sophos MDR threat hunting currently shows the first attack on 2024-12-06 at 17:47 UTC.

We will continue to monitor and provide updates as we have more information.

#Sophosxops #threatintel

For 5 years, Sophos has been engaged in defensive and counter-offensive operations against China-based #NationState adversaries targeting perimeter devices like #firewalls for surveillance and sabotage.

The attacks unfolded in two waves: the first aimed to build proxy networks, often used by Chinese groups to hide further operations. The second targeted critical infrastructure in South and Southeast Asia.

Sophos uncovered links to groups like Volt Typhoon, APT31, APT41, and Chinese educational institutions. Now, we’re sharing insights from our detailed "Pacific Rim" report to help others defend against these persistent attackers.

Sophos X-Ops is happy to collaborate with others and share additional detailed IOCs on a case-by-case basis.
Contact us via [email protected].

For the full story, please see our landing page: https://www.sophos.com/en-us/content/pacific-rim

#Sophosxops #threatintel

Sophos' Pacific Rim: Defense Against Nation-state Hackers

Discover Sophos' Pacific Rim defense against nation-state / Chinese hackers Volt Typhoon, APT31, and APT41 targeting critical infrastructure.

SOPHOS

Last year, #SophosXOps presented research about this #EDR-killing tool at Microsoft's BlueHat conference. The kernel drivers, custom-built by the people selling this tool to ransomware gangs, had been signed with Microsoft's own WHQL certificates, lending them the appearance of legitimacy they had not earned.

(Our prior research is here: https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/)

Signed driver malware moves up the software trust chain

The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, with a legitimate WHCP certificate

Sophos News

Last week we released our first Active Adversary Report for 2024, covering a selection of Incident Response cases from the last half of 2023. Our analysis found that though the last half of last year was a relatively quiet time in the ongoing struggle between attackers and defenders, the good guys may not be taking full advantage of the lull.

https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/

#threatintel #Sophosxops

It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024

The latter half of 2023 found numerous fronts on which attackers failed to press ahead. Are defenders failing to take advantage?

Sophos News

We have recently found yet another campaign, where AuKill was deployed to attempt disabling EDR agents on the targeted system.

The malware introduced minor changes, specifically by using a custom packer and implementing anti-analysis techniques. However, in terms of the core functionality and purpose of the EDR killer, there are no major differences between the version of AuKill we're seeing in March 2024 and the version we reported on in April 2023.

Therefore, defenders can and should continue to be on the lookout for AuKill and follow our published guidance:

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

#threatintel #Sophosxops

‘AuKill’ EDR killer malware abuses Process Explorer driver

Driver-based attacks against security products are on the rise

Sophos News