SMBs face surge in “malware free” attacks

“Malware free” attacks, attackers’ increased reliance on legitimate tools and scripting frameworks, and BEC scams were the most prominent threats small and medium businesses (SMBs) faced in Q3 2023, says the inaugural SMB Threat Report by Huntress, a company that provides a security platform and services to SMBs and managed service providers (MSPs).


“Malware free” attacks on the rise

Attackers deployed malware in only 44% of incidents. The remaining 56% relied instead on “living off the land” binaries (LOLBins), scripting frameworks such as PowerShell, and remote monitoring and management (RMM) software, none of which trips signature-based anti-malware on its own.

“At the SMB level, LOLBin use is especially concerning given the state of monitoring and review for many organizations. Many critical entities—from local school districts to medical offices—may find themselves at best leveraged for cryptomining or botnet purposes, and at worst, the victims of disruptive ransomware,” the researchers noted.

The increased usage of RMM software is also a worrying trend that might be difficult to reverse.

“In 65% of incidents, threat actors used RMM software as a method for persistence or remote access mechanisms following initial access to victim environments,” they said.

RMM tools are legitimate, widely deployed software, so when attackers use them for intrusion they are typically allowed by anti-malware controls and blend in with normal administration. Small organizations also rarely audit which RMM tools are installed on their endpoints or who is using them.

“In some cases, Huntress has observed adversaries diversifying among several RMM tools, such as using a combination of commercial and open-source items, to ensure redundant access to victim environments,” they noted.

“Therefore, monitoring RMM tool use and deployment within defended or managed environments is an increasingly important security hygiene measure to ensure owners and operators can identify potential malicious installations.”
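One concrete way to apply that hygiene measure, as an added example that is not from the Huntress report: diff a software inventory against the RMM tool each managed tenant is supposed to run, and flag both unapproved agents and hosts carrying more than one RMM agent (the “redundant access” pattern described above). The RMM catalog, tenant-to-tool mapping, hostnames and inventory rows below are all constructed assumptions for illustration; a real run would feed it an export from the MSP's own RMM or asset inventory.

```python
import csv
import io
from collections import defaultdict

# Assumption: a starter catalog of RMM / remote-access agents, matched as
# case-insensitive substrings of installed-program and service names.
RMM_CATALOG = {
    "ScreenConnect": ("screenconnect", "connectwise control"),
    "AnyDesk": ("anydesk",),
    "TeamViewer": ("teamviewer",),
    "Atera": ("ateraagent",),
    "Syncro": ("syncro",),
    "NinjaOne": ("ninjarmm", "ninjaone"),
    "Splashtop": ("splashtop",),
    "MeshCentral": ("meshagent", "meshcentral"),   # open-source
    "RustDesk": ("rustdesk",),                     # open-source
}

# Assumption: the one RMM tool each managed tenant is approved to run.
APPROVED = {"acme-dental": "NinjaOne", "riverside-isd": "Atera"}

# Constructed inventory export (tenant, host, software name, where it was seen).
SAMPLE_INVENTORY = """
tenant,host,software,source
acme-dental,DENT-FRONT01,NinjaRMMAgent,service
acme-dental,DENT-FRONT01,Microsoft Edge,program
acme-dental,DENT-FRONT01,ScreenConnect Client,program
acme-dental,DENT-FRONT02,NinjaRMMAgent,service
acme-dental,DENT-FRONT02,AnyDesk,program
riverside-isd,LIB-PC07,AteraAgent,service
riverside-isd,LIB-PC07,MeshAgent background service,service
riverside-isd,LIB-PC08,AteraAgent,service
riverside-isd,LIB-PC08,Mozilla Firefox,program
"""


def identify_rmm(software_name):
    """Return the catalog product name if this looks like an RMM agent, else None."""
    name = software_name.lower()
    for product, needles in RMM_CATALOG.items():
        if any(needle in name for needle in needles):
            return product
    return None


def audit(inventory_csv):
    """Return findings as (tenant, host, product, reason) tuples."""
    rmm_per_host = defaultdict(set)
    tenant_of = {}
    for row in csv.DictReader(io.StringIO(inventory_csv.strip())):
        product = identify_rmm(row["software"])
        if product:
            rmm_per_host[row["host"]].add(product)
            tenant_of[row["host"]] = row["tenant"]

    findings = []
    for host, products in sorted(rmm_per_host.items()):
        tenant = tenant_of[host]
        # Anything other than the tenant's approved tool is a potential attacker foothold.
        for product in sorted(products):
            if product != APPROVED.get(tenant):
                findings.append((tenant, host, product, "not the approved RMM for this tenant"))
        # Two agents on one box is the redundant-access pattern worth a look on its own.
        if len(products) > 1:
            findings.append((tenant, host, "+".join(sorted(products)),
                             "multiple RMM agents: possible redundant attacker access"))
    return findings


if __name__ == "__main__":
    for tenant, host, product, reason in audit(SAMPLE_INVENTORY):
        print(f"{tenant:14} {host:13} {product:24} {reason}")
```

Substring matching on product names is deliberately loose so that renamed service display names still match; the cost is an occasional false positive, which is the right trade-off for an inventory check that a human reviews.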

Additional findings

Both ransomware affiliates and business email compromise (BEC) operators continue to target end-users and leverage phishing.

Notably, 64% of identity-focused attacks SMBs faced in Q3 2023 involved malicious forwarding or other inbox rules, while 24% were associated with logons from unusual or suspicious locations.

“While the ultimate goal of such activity remains, in most cases, BEC, defensive visibility and adversary kill-chain dependencies mean these actions are largely caught at the account takeover (ATO) phase of operations,” they said.
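The inbox-rule activity above is one of the few BEC steps that leaves a clean audit trail, which is why it gets caught at the account-takeover stage. As an added example (not part of the Huntress report), the following scans Microsoft 365 unified audit log records for `New-InboxRule` / `Set-InboxRule` operations and flags the three patterns defenders most often see: forwarding or redirecting mail outside the tenant, hiding finance-related mail from the mailbox owner, and throwaway rule names. The record layout is a simplified approximation of the real audit log, and the internal domain, keyword list, addresses and log lines are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Assumption: the tenant's own e-mail domains; any other domain is "external".
INTERNAL_DOMAINS = {"example.com"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers use to park mail where the owner will not notice it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history"}
# Subject words typical of rules that suppress vendor / finance replies during BEC.
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "remittance", "ach"}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed audit records, one JSON object per line (simplified layout).
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2023-09-14T08:02:11","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:billing.desk@mail.invalid"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2023-09-14T08:05:40","Operation":"New-InboxRule","UserId":"ap@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Cleanup"},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"DeleteMessage","Value":"False"}]}
{"CreationTime":"2023-09-14T09:30:00","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2023-09-14T09:31:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"198.51.100.4"}
"""


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: list = field(default_factory=list)
    severity: str = "low"

    def add(self, reason, severity):
        self.reasons.append(reason)
        if RANK[severity] > RANK[self.severity]:
            self.severity = severity


def _params(record):
    """Flatten the record's Parameters array into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _domain(address):
    """'smtp:bob@mail.invalid' -> 'mail.invalid'."""
    return address.strip().split(":")[-1].rsplit("@", 1)[-1].lower()


def assess_rule(record):
    """Return a Finding for a suspicious inbox-rule record, or None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(record)
    name = p.get("Name", "")
    finding = Finding(user=record.get("UserId", "?"), rule_name=name)

    # 1. Forwarding or redirecting outside the tenant: the usual BEC exfil path.
    for key in FORWARDING_PARAMS:
        for addr in filter(None, p.get(key, "").split(";")):
            if _domain(addr) not in INTERNAL_DOMAINS:
                finding.add(f"{key} sends mail to external address {addr.strip()}", "high")

    # 2. Deleting or burying finance-related mail so the owner never sees replies.
    hides = (p.get("DeleteMessage", "").lower() == "true"
             or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if hides and words & BEC_KEYWORDS:
        finding.add(f"hides mail whose subject contains {sorted(words & BEC_KEYWORDS)}", "medium")

    # 3. Rule names like '.', '..' or a single letter are a common ATO tell.
    stripped = name.strip()
    if len(stripped) <= 1 or set(stripped) <= {"."}:
        finding.add("rule name is blank, a single character or only dots", "medium")

    return finding if finding.reasons else None


def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(records):
    return [f for f in map(assess_rule, records) if f]


if __name__ == "__main__":
    for f in scan(load(SAMPLE_AUDIT_LOG)):
        print(f"[{f.severity.upper()}] {f.user} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

The same checks translate directly into a SIEM rule or a scheduled `Search-UnifiedAuditLog` job; the point of running them on rule creation rather than on outbound mail is that the rule is written once, at takeover time, while the forwarded mail may not flow for days.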

Qakbot-related incidents have been observed declining throughout 2023, and this downward trend is expected to continue.

Also, 60% of ransomware incidents affecting SMBs were attributed to uncategorized, unknown, or “defunct” ransomware strains. This diverges from enterprise environments, which are mostly hit by “known-variant ransomware deployments”.

“Whether for monetization purposes through ransomware or BEC, or potentially even state-directed espionage activity, SMBs remain at risk from a variety of entities,” the researchers added.

“More worryingly, these adversaries are taking advantage of ‘holes’ in our visibility and awareness to subvert or avoid many legacy security controls. Whereas once upon a time, a small organization could likely ‘get by’ with a combination of a good anti-malware solution and spam filtering, the current threat landscape renders these simplistic (if historically reasonably effective) efforts no longer satisfactory.”
