Published in News

Malware-driven cyber attacks are so old hat

22 November 2023


Half of attacks don’t use malware

The golden age of malware-driven cyber attacks has passed, at least when it comes to incidents affecting small and medium-sized enterprises (SMEs).

According to a quarterly SME threat report compiled by Huntress, more than half of attacks observed in the third quarter were “malware-free”, meaning adversaries used scripting frameworks and legitimate tools instead of deploying malware payloads.

Huntress said this evolution in tradecraft appeared to be linked to a surge in the use of remote monitoring and management (RMM) software tools as a vector for initial access, which it saw in 65 per cent of cases.

This may be connected to the shift to remote working brought on by Covid-19, which made remote-access tooling routine in many small businesses.

The RMM tools most commonly abused against SMEs included ConnectWise, AnyDesk, NetSupport and TeamViewer.

Abusing legitimate tools, an approach known as living off the land (the built-in system binaries used this way are often called LOLBins), is nothing new. Still, it is of particular concern at the SME level, given that such organisations are less likely to have appropriate monitoring or review practices.

Furthermore, because IT admins rely on the same techniques and software, distinguishing legitimate from malicious activity is harder: the binary, the network traffic and often the user account all look like normal administration.
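One way to make that distinction in practice is to stop asking "is this binary malicious?" and instead ask "is this RMM tool the one we sanctioned, launched the way IT launches it, from where IT installs it?". The script below is an added example, not code from the article or from Huntress: it scans constructed process-creation events (JSON lines with the fields shown) for the four RMM products the report names, and flags an event when the product is not the hypothetical sanctioned one, when a user-facing application such as a mail client or browser spawned it, or when it runs from a user-writable directory. The binary names, the single-sanctioned-product policy and the sample events are all assumptions made for this example.

```python
"""Flag suspicious RMM tool usage in process-creation telemetry.

Added example; assumptions (not from the article): JSON-lines events with the
fields host/user/image/parent_image, a policy of exactly one sanctioned RMM
product, and the client binary names below. Sample events are constructed.
"""
import json
from pathlib import PureWindowsPath

# Client binary names for the RMM products the report names (assumed names).
RMM_BINARIES = {
    "screenconnect.windowsclient.exe": "ConnectWise",
    "screenconnect.clientservice.exe": "ConnectWise",
    "anydesk.exe": "AnyDesk",
    "client32.exe": "NetSupport",
    "teamviewer.exe": "TeamViewer",
}

# Hypothetical policy: the IT team deploys exactly one RMM product.
SANCTIONED_PRODUCT = "ConnectWise"

# A parent in this set means a person launched the tool from a phish, a
# download or a script, rather than IT deploying it as a service.
USER_FACING_PARENTS = {
    "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "winword.exe", "excel.exe", "powershell.exe", "wscript.exe", "mshta.exe",
}

# Path fragments a standard user can write to; an RMM client running from
# here was not installed by an administrator into Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign
    or not an RMM binary at all."""
    image = PureWindowsPath(event["image"])
    product = RMM_BINARIES.get(image.name.lower())
    if product is None:
        return []

    reasons = []
    if product != SANCTIONED_PRODUCT:
        reasons.append(f"unsanctioned RMM product {product}")

    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing process {parent}")

    if any(marker in str(image).lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("running from user-writable directory")
    return reasons


def scan(lines) -> list[dict]:
    """Run classify() over JSON-lines events and collect the hits."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({"host": event["host"], "user": event.get("user"),
                             "image": event["image"], "reasons": reasons})
    return findings


# Constructed sample telemetry (raw string: "\\" in the JSON is one backslash).
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"alice","image":"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe","parent_image":"C:\\Windows\\System32\\services.exe"}
{"host":"ws02","user":"bob","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"host":"ws03","user":"carol","image":"C:\\Users\\carol\\Downloads\\ScreenConnect.WindowsClient.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"ws03","user":"carol","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"host":"ws04","user":"dave","image":"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe","parent_image":"C:\\Windows\\System32\\services.exe"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding["host"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first sample event is what a sanctioned deployment looks like (service-launched, installed under Program Files) and produces no finding, even though it is the same binary that is flagged on ws03 when a browser drops it into Downloads. That is the point of the approach: the detection keys on provenance and context rather than on the tool, which is the only signal left when the adversary's software is identical to the administrator's.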

Huntress threat intelligence manager Joe Slowik said: “Threat actors are evolving their tradecraft to wreak havoc on SMBs, and our goal is to educate them and give them a fighting chance against the ever-evolving adversarial landscape.”

Added to the growing LOLBin issue, the report said, the steady trickle-down of cloud services into smaller businesses is placing a huge premium on securing identities as threat actors migrate to the same services to enable operations such as data exfiltration, business email compromise (BEC) and softening up targets for ransomware intrusions.

While the likes of LockBit, BianLian, Royal and ALPHV/BlackCat ransomware make headlines, SMEs are also being subjected to what Huntress called a “long tail” of uncategorised, unknown, or thought-to-be-defunct lockers, which make up 60 per cent of identified incidents in its telemetry.

The report calls for a “profound reassessment” of SME defence strategies and a more nuanced approach to threat detection and response.

“Whereas once upon a time, a small organisation could likely get by with a combination of a good anti-malware solution and spam filtering, the current threat landscape renders these simplistic – if historically reasonably effective – efforts no longer satisfactory,” wrote the report’s authors.

Huntress said MSSPs and SMEs alike needed to do more to extend their visibility and security awareness beyond their perimeters, a path that is already well-trodden among enterprises in the wake of large-scale supply chain incidents.

Last modified on 22 November 2023