Almost a third (30%) of the cyberattacks investigated by the Kaspersky Global Emergency Response team in 2019 involved legitimate remote control and management tools. In this way, attackers were able to remain undetected for a longer period of time, spying on or stealing confidential data, with an average duration of 122 days, according to the findings from Kaspersky’s new Incident Response Analysis Report.
Monitoring and management software helps IT and network administrators perform their everyday tasks, such as troubleshooting and providing employees with technical support. However, cybercriminals can also leverage these legitimate tools during cyberattacks on a company’s infrastructure. This software allows them to run processes on endpoints and to access and extract sensitive information, bypassing security controls aimed at detecting malware.
In total, the analysis of anonymized data from incident response (IR) cases showed that 18 different legitimate tools were abused by attackers for malicious purposes. The most widely used was PowerShell (25% of cases). This powerful administration tool can be used for many purposes, from gathering information to running malware. PsExec was leveraged in 22% of the attacks. This console application is intended for launching processes on remote endpoints. This was followed by SoftPerfect Network Scanner (14%), which is intended to retrieve information about network environments.
It is more difficult for security solutions to detect attacks conducted with legitimate tools because the same actions can be either part of a planned cybercrime activity or a regular system administrator task.
In the segment of attacks that lasted more than a month, the cyber-incidents had a median duration of 122 days. As they went undetected, cybercriminals could collect victims’ sensitive data.
However, Kaspersky experts note that sometimes malicious actions with legitimate software reveal themselves rather quickly. For example, they are often used in a ransomware attack, and the damage is seen clearly. The median attack duration for short attacks was only one day.
“The number of such successful cyberattacks is as high as 30%, and as such warrants major concern for CIOs and CISOs who undertake a huge responsibility of protecting their networks from serious threats like zero-day and ransomware attacks,” says Stephan Neumeier, Managing Director for Asia Pacific, Kaspersky.
To detect and react to such attacks in a timely manner, among other measures, organizations should consider implementing an Endpoint Detection and Response solution with an MDR service.
To minimize the chances of remote management software being used to penetrate an infrastructure, Kaspersky recommends the following measures:
• Restrict access to remote management tools from external IP addresses. Ensure that remote control interfaces can only be accessed from a limited number of endpoints
• Enforce a strict password policy for all IT systems and deploy multi-factor authentication
• Follow the principle of offering staff limited privileges and grant high-privileged accounts only to those who need this to fulfil their job
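The first recommendation above (remote management only from a limited set of endpoints, never from external addresses) can be turned into a simple detection rule over endpoint process events for the tools named in the report. The following is an added illustration, not code from Kaspersky or the report; the executable names, the jump-host allowlist, the internal address ranges and the sample events are all assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Executable names for the tools named in the report. These names are assumptions:
# PsExec runs as the PSEXESVC service on the target, SoftPerfect ships netscan.exe.
MONITORED_TOOLS = {"powershell.exe", "psexec.exe", "psexesvc.exe", "netscan.exe"}

# Assumed policy: remote administration may only originate from these jump hosts,
# which must sit inside the internal address space.
ADMIN_JUMP_HOSTS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events (not from the report): host, process started, and the
# address of the remote session that started it (None for a local interactive start).
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    {"host": "WS-042", "process": "powershell.exe", "src_ip": "10.0.0.10"},    # approved jump host
    {"host": "SRV-FILE01", "process": "PSEXESVC.exe", "src_ip": "10.0.5.23"},  # from a workstation
    {"host": "SRV-DB02", "process": "powershell.exe", "src_ip": "203.0.113.7"},  # external address
    {"host": "WS-017", "process": "netscan.exe", "src_ip": "192.168.1.50"},    # scanner, not a jump host
    {"host": "WS-099", "process": "notepad.exe", "src_ip": "10.0.5.23"},       # not a monitored tool
    {"host": "WS-101", "process": "powershell.exe", "src_ip": None},           # local start, out of scope
]

def classify(event: Dict[str, Optional[str]]) -> str:
    """Return "ok", "external_source" or "unapproved_source" for a single event."""
    process = (event.get("process") or "").lower()
    src_ip = event.get("src_ip")
    if process not in MONITORED_TOOLS or src_ip is None:
        return "ok"
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in INTERNAL_NETS):
        return "external_source"    # remote control reached in from outside the network
    if src not in ADMIN_JUMP_HOSTS:
        return "unapproved_source"  # internal, but not one of the allowed admin endpoints
    return "ok"

def find_suspicious(events: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str, str, str]]:
    """Collect (host, process, src_ip, verdict) for every event that breaks the policy."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict != "ok":
            findings.append((event["host"], event["process"], event["src_ip"], verdict))
    return findings

if __name__ == "__main__":
    for host, process, src_ip, verdict in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {process} started from {src_ip} -> {verdict}")
```

Each finding still needs an analyst to confirm it is not scheduled administration, which is exactly the ambiguity the report describes; the rule only narrows the set of events worth that look.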