Beware! Cyber Attackers Now Disguise In Legitimate Tools

Cyber-attacks have evolved thus sophisticated over time that they can remain undetected for a longer period of time.

A Kaspersky Global Emergency Response team of 2019 that involved legitimate remote management and administration tools noted that almost a third (30 percent) of all cyberattacks investigated were disguised as legitimate tools.

“To avoid detection and stay invisible in a compromised network for as long as possible, attackers widely use software which is developed for normal user activity, administrative tasks, and system diagnostics,” said a cybersecurity expert at Kaspersky. “With these tools, attackers can gather information about corporate networks and then conduct lateral movement, change software and hardware settings or even carry out some form of malicious action.”

Monitoring and management software helps IT and network administrators perform their everyday tasks, such as troubleshooting and providing employees with technical support. However, cybercriminals can also leverage these legitimate tools during cyberattacks on a company’s infrastructure.

This software allows them to run processes on endpoints, access, and extract sensitive information, bypassing various security controls aimed to detect malware. Kaspersky’s new Incident Response Analytics Report reveals that continuous cyber-espionage attacks and theft of confidential data had a median duration of 122 days!

In total, the analysis of anonymised data from incident response (IR) cases showed that 18 various legitimate tools were abused by attackers for malicious purposes. The most widely used tool being PowerShell (25 percent of the cases).

A powerful administration tool, PowerShell can be used for many purposes, from gathering information to running malware.

PsExec was found to have been used in 22 percent of the attacks. This console application is intended for launching processes on remote endpoints. It was followed by SoftPerfect Network Scanner that stood at 14 percent, which is intended to retrieve information about network environments.

“It is more difficult for security solutions to detect attacks conducted with legitimate tools because the actions can both be planned cybercrime activity or a regular system administrator task,” added the security expert. “For instance, in the segment of attacks that lasted more than a month, the cyber-incidents had a median duration of 122 days. As they were undetected, cybercriminals could collect victims’ sensitive data.

However, the expert notes that sometimes malicious actions with legitimate software reveal themselves rather quickly. For example, when they are used in a ransomware attack and the damage is seen clearly. The median attack duration for such short attacks was found to be one day.

“Legitimate software can help attackers stay under the radar of security analysts, as they often detect the attack only after damage has been done. It is not possible to exclude these tools for many reasons, however, properly deployed logging and monitoring systems will help to detect suspicious activity in the network and complex attacks at earlier stages,” comments Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky.

To detect and react to such attacks in a timely manner, Sapronov avers that organisations should consider implementing an Endpoint Detection and Response solution with an MDR service. To minimise the chances of remote management software being used to penetrate an infrastructure,  he recommends the following measures:

• Restrict access to remote management tools from external IP addresses. Ensure that remote control interfaces can only be accessed from a limited number of endpoints
• Enforce a strict password policy for all IT systems and deploy multi-factor authentication
• Follow the principle of offering staff limited privileges and grant high-privileged accounts only to those who need it.