Sophos’ latest research report, “An Insider View into the Increasingly Complex Kingminer Botnet,” underscores how cybercriminals use compromised servers to carry out attacks, and highlights the importance of threat intelligence in detecting such activity.
By tracking the opportunistic Kingminer botnet as it attempted to gain server access by brute-forcing login credentials, Sophos found that it now also uses the infamous EternalBlue exploit, among other mechanisms, to spread its malware to further hosts.
According to Sophos’ research, Kingminer uses many of the same techniques that advanced ransomware attackers use to gain initial access, which underscores the need for Endpoint Detection and Response (EDR) tools able to hunt for active attacks. As the firm recently found in its “State of Ransomware 2020” survey, only 24% of organizations hit by a ransomware incident detected and stopped the intrusion before their files were encrypted.
“Cybercriminals are raising the stakes, stopping at nothing to capitalize on expanded attack surfaces as organizations increasingly move to the cloud and enable remote workforces,” said Dan Schiappa, chief product officer, Sophos. “Servers and other endpoints are all too insufficiently protected, creating vulnerable entry points that are ripe for attackers to exploit.”
In response to these new strategies, Sophos has added significant new capabilities to its EDR to make it faster and easier to use. The updated EDR is, according to Sophos, the first solution designed for both security analysts and IT administrators, so that they can quickly identify and neutralize evasive threats and proactively maintain secure IT operations to reduce risk.
“Sophos EDR helps identify these attacks, preventing breaches and shining a light on otherwise dark areas,” said Schiappa. “Live querying capabilities only available with Sophos EDR in Intercept X enable organizations to search for past indicators of compromise and determine the current system state. This level of intelligence is critical in understanding changing attacker behaviors and reducing attacker dwell time.”
Sophos’ new EDR capabilities help security and IT teams detect threats and breaches that could otherwise take months to uncover. The new version of Sophos EDR offers a custom-built query engine to detect indicators of compromise.
Sophos EDR now provides powerful visibility across an organization’s entire estate, enabling security and IT practitioners to quickly answer critical threat hunting and IT security operations questions, and easily respond.
New features include:
Live Discover: Pinpoint past and present activity with up to 90 days of data retention. Ready-made SQL queries, selectable from a library of pre-written options and fully customizable by users, let administrators answer threat hunting and IT questions. This flexible query engine provides access to some of the most granular and detailed endpoint activity recordings, further enhanced with Sophos’ deep learning technology.
Live Response: Remotely respond and access endpoints and servers using a command-line interface to perform further investigation and remediate issues; easily reboot devices, install and uninstall software, terminate active processes, run scripts, edit configuration files, run forensic tools, isolate machines, and more
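To make the brute-force activity described above and the SQL-driven hunting concrete, here is an added example (not Sophos’ code and not a Live Discover query from the product’s library). It loads constructed Windows Security events into an in-memory SQLite table and runs one hunting query that flags source addresses with many failed logons (event ID 4625) against one account, and marks whether a successful logon (4624) for that same account and address followed the failures, which is the pattern a credential brute-force leaves behind. The table layout is an assumption: real endpoint telemetry keeps the 4625/4624 fields (TargetUserName, IpAddress, LogonType) inside the event’s data payload, and they are flattened into plain columns here so the query stays readable and runs offline.

```python
"""Hunt for credential brute-forcing in Windows logon events with one SQL query.

Added example; the sample rows below are constructed, not real telemetry,
and the flattened `windows_events` table layout is an assumption made for
readability (real telemetry keeps these fields inside the event payload).
"""
import sqlite3
from typing import Dict, List, Sequence, Tuple

# (datetime, eventid, target_user, ip_address, logon_type)
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs);
# logon_type 3 = network logon, the kind a remote brute-forcer produces.
Event = Tuple[str, int, str, str, int]

SAMPLE_EVENTS: List[Event] = [  # constructed sample data
    ("2020-06-09T02:14:00", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:02", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:04", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:06", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:08", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:10", 4625, "Administrator", "10.0.0.5", 3),
    ("2020-06-09T02:14:12", 4624, "Administrator", "10.0.0.5", 3),  # success after 6 failures
    ("2020-06-09T02:15:00", 4625, "backup", "10.0.0.5", 3),
    ("2020-06-09T02:15:01", 4625, "backup", "10.0.0.5", 3),
    ("2020-06-09T02:15:02", 4625, "backup", "10.0.0.5", 3),
    ("2020-06-09T08:00:00", 4625, "jsmith", "10.0.0.7", 2),  # a user mistyping once
    ("2020-06-09T08:00:30", 4624, "jsmith", "10.0.0.7", 2),
]

# The hunt: group failures per (source address, account), keep groups at or
# above the threshold, then check whether a success followed the last failure.
HUNT_SQL = """
WITH failures AS (
    SELECT ip_address,
           target_user,
           COUNT(*)      AS failed,
           MIN(datetime) AS first_fail,
           MAX(datetime) AS last_fail
    FROM windows_events
    WHERE eventid = 4625
    GROUP BY ip_address, target_user
    HAVING COUNT(*) >= :threshold
)
SELECT f.ip_address,
       f.target_user,
       f.failed,
       f.first_fail,
       f.last_fail,
       EXISTS (
           SELECT 1 FROM windows_events s
           WHERE s.eventid = 4624
             AND s.ip_address = f.ip_address
             AND s.target_user = f.target_user
             AND s.datetime > f.last_fail
       ) AS followed_by_success
FROM failures f
ORDER BY followed_by_success DESC, f.failed DESC
"""


def load_events(events: Sequence[Event]) -> sqlite3.Connection:
    """Build the in-memory table the hunt query runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE windows_events ("
        " datetime TEXT, eventid INTEGER, target_user TEXT,"
        " ip_address TEXT, logon_type INTEGER)"
    )
    conn.executemany("INSERT INTO windows_events VALUES (?, ?, ?, ?, ?)", events)
    return conn


def hunt_bruteforce(events: Sequence[Event] = SAMPLE_EVENTS,
                    threshold: int = 5) -> List[Dict]:
    """Return one dict per (ip, account) pair with >= threshold failed logons.

    `followed_by_success` is 1 when a 4624 for the same pair came after the
    last failure, i.e. the brute-force most likely succeeded.
    """
    conn = load_events(events)
    conn.row_factory = sqlite3.Row
    rows = conn.execute(HUNT_SQL, {"threshold": threshold}).fetchall()
    conn.close()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    for hit in hunt_bruteforce():
        print(hit)
```

With the default threshold of 5 only the `Administrator` attempts from 10.0.0.5 are returned, flagged as followed by a success; lowering the threshold to 3 also surfaces the `backup` account, which was attacked but not compromised. The one mistyped password from 10.0.0.7 never appears, which is the point of grouping by address and account rather than alerting on single 4625 events.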
Sophos EDR is powered by Sophos’ deep learning neural network, which is trained on hundreds of millions of samples to look for threat indicators. Security analysts and IT administrators also gain on-demand access to curated threat intelligence from SophosLabs, which tracks, deconstructs, and analyzes more than 400,000 malware samples every day.
These capabilities are available now in Sophos Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR at no added cost.