ctipilot.ch

Sophos 2026 Active Adversary Report

report · report:sophos-active-adversary-2026 single-source

Sophos 2026 Active Adversary Report — identity-dominant root causes; Impacket/AnyDesk

  • Coverage timeline: 2 (first 2026-06-01 → last 2026-06-03)
  • Entries: 2 (2 distinct days)
  • Sources cited: 1 (1 host)
  • Sections touched: 2 (research, weekly-annual-reports)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-03 · research · Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause
  2. 2026-06-01 · weekly-annual-reports · Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation

Where this entity is cited

  • weekly-annual-reports (1)
  • research (1)

Source distribution

  • sophos.com: 1 (100%)

Related entities

Entries about Sophos 2026 Active Adversary Report (2)

2026-06-03

Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause

notable annual-report discovered 2026-06-03 05:00 UTC single-source

Sophos published its 2026 Active Adversary Report (drawing on 661 IR/MDR cases) on 2026-06-02 (Sophos X-Ops, 2026-06-02). Per PD-9 this report gets one treatment; the findings that change defender priorities rather than the survey scorecard: identity-based compromise — stolen/valid credentials, brute force, and phishing — was the leading root cause, and missing or misconfigured MFA was present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially, with Impacket among the most frequently observed post-exploitation toolkits and AnyDesk the most-abused legitimate remote-access tool. The recurring telemetry blind spots are the actionable part: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. [SINGLE-SOURCE] (vendor IR telemetry report).

Why it matters to us: The hunt targets generalise directly to public-sector AD estates — alert on Impacket artefacts (impacket-* tool names in process trees, secretsdump-style NTDS access, SMBExec/WMIExec parent processes), instrument the initial-access-to-DC-compromise window, inventory EOL Windows Servers, and verify firewall log retention before an incident rather than during one.

ransomware identity organized-crime global

2026-06-01

Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation

notable annual-report discovered 2026-06-01 05:00 UTC single-source

Published 2 June (Sophos X-Ops; drawing on 661 IR/MDR cases; daily 2026-06-03). The findings that directly shift defender priorities: identity-based compromise — stolen/valid credentials, brute force, phishing — is the leading intrusion root cause, with missing or misconfigured MFA present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially. Impacket is among the most frequently observed post-exploitation toolkits; AnyDesk is the most-abused legitimate remote-access tool, consistent with this week's Luna Moth tradecraft. The recurring telemetry blind spots are the load-bearing findings: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. Practical hunt targets: alert on Impacket artefacts (impacket-named tool processes, secretsdump-style NTDS access, SMBExec/WMIExec parent processes); instrument the initial-access-to-DC-compromise window; inventory EOL Windows Servers; verify firewall log retention is complete before an incident, not during one. This is a single-vendor IR report; treat findings as directionally correct rather than statistically definitive without independent corroboration. [SINGLE-SOURCE]

ransomware identity organized-crime global
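The hunt targets listed in both entries above (Impacket tool names in process trees, SMBExec/WMIExec-style parent processes, NTDS access, and instrumenting the initial-access-to-DC-compromise window) can be turned into a small process-event hunt. The following is an added example written for this page, not code from Sophos or from ctipilot. The sample events are constructed Sysmon-style process-creation records, and the concrete parent/child tree patterns used for WMIExec (WmiPrvSE.exe spawning cmd.exe) and SMBExec (services.exe spawning cmd.exe that redirects into a share) and the NTDS-access regex are this example's own assumptions, not findings quoted from the report.

```python
"""Hunt for the Impacket artefacts named in the Sophos summary over
Sysmon-style process-creation events. Sample events are constructed;
the tree/command-line heuristics are assumptions, not Sophos telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class ProcEvent:
    ts: str            # ISO-8601 UTC timestamp of process creation
    host: str
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    category: str      # impacket-tool | wmiexec-pattern | smbexec-pattern | ntds-access
    evidence: str


# Assumed heuristic for "impacket-* tool names in process trees": the packaged
# impacket-<tool> names plus the bare example-script names.
TOOL_RE = re.compile(
    r"\b(impacket-[\w.-]+|secretsdump|smbexec|wmiexec|atexec|dcomexec)\b", re.I)
# Assumed heuristic for "secretsdump-style NTDS access": direct reads of the
# AD database or a shadow copy created to reach it.
NTDS_RE = re.compile(r"ntds\.dit|ntdsutil|vssadmin\s+create\s+shadow", re.I)


def _base(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(ev: ProcEvent) -> List[Finding]:
    """Return every hunt category a single event matches (may be several)."""
    hits: List[Finding] = []
    image, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.cmdline
    m = TOOL_RE.search(image) or TOOL_RE.search(cmd)
    if m:
        hits.append(Finding(ev.ts, ev.host, "impacket-tool", m.group(0)))
    # Assumed WMIExec tree: WMI provider host spawning a shell.
    if image == "cmd.exe" and parent == "wmiprvse.exe":
        hits.append(Finding(ev.ts, ev.host, "wmiexec-pattern", f"{parent} -> {image}"))
    # Assumed SMBExec tree: service-launched shell writing output into a share.
    low = cmd.lower()
    if image == "cmd.exe" and parent == "services.exe" and ("__output" in low or "admin$" in low):
        hits.append(Finding(ev.ts, ev.host, "smbexec-pattern", f"{parent} -> {image}"))
    m = NTDS_RE.search(cmd)
    if m:
        hits.append(Finding(ev.ts, ev.host, "ntds-access", m.group(0)))
    return hits


def hunt(events: List[ProcEvent]) -> List[Finding]:
    """Flatten findings across all events, ordered by time."""
    found = [f for ev in events for f in classify(ev)]
    return sorted(found, key=lambda f: _parse(f.ts))


def hours_to_dc_compromise(initial_access_ts: str, findings: List[Finding]) -> Optional[float]:
    """Instrument the initial-access-to-DC-compromise window: hours from the
    known initial-access time to the first NTDS-access finding, or None."""
    ntds = [f for f in findings if f.category == "ntds-access"]
    if not ntds:
        return None
    first = min(ntds, key=lambda f: _parse(f.ts))
    return (_parse(first.ts) - _parse(initial_access_ts)).total_seconds() / 3600


# Constructed sample: one benign event, then an assumed WMIExec/SMBExec/NTDS sequence.
SAMPLE_EVENTS = [
    ProcEvent("2026-06-02T01:10:00Z", "ws01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcEvent("2026-06-02T01:22:05Z", "ws01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1717290125.3 2>&1"),
    ProcEvent("2026-06-02T01:30:40Z", "dc01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\services.exe",
              r"cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ProcEvent("2026-06-02T02:05:12Z", "dc01", r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\System32\cmd.exe", "vssadmin create shadow /for=C:"),
    ProcEvent("2026-06-02T02:06:01Z", "dc01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"),
    ProcEvent("2026-06-02T03:00:00Z", "jump01", "/usr/bin/python3", "/bin/bash",
              "python3 /opt/impacket/examples/secretsdump.py -ntds n.dit -system sys LOCAL"),
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.ts} {f.host:6} {f.category:16} {f.evidence}")
    print("hours to DC compromise:", hours_to_dc_compromise("2026-06-02T00:05:12Z", results))
```

Each heuristic is deliberately narrow so that the false-positive profile is easy to reason about; in a real estate the WmiPrvSE.exe-to-cmd.exe and services.exe-to-cmd.exe trees are the ones to baseline first, because legitimate management tooling can produce them. The window calculation needs an initial-access timestamp from another source (mail gateway, VPN or firewall logs), which is exactly the retention gap the report flags when firewall logs are missing.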