Hackers leverage legitimate tools to gain access in almost 30 per cent of cyber attacks investigated by the cybersecurity firm Kaspersky, according to its new Incident Response Analytics Report.
“Almost a third (30 per cent) of cyberattacks investigated by the Kaspersky Global Emergency Response team in 2019 involved legitimate remote management and administration tools. As a result, attackers can remain undetected for a longer period of time. For instance, continuous cyber-espionage attacks and theft of confidential data had a median duration of 122 days,” the report said.
According to the analysis, cybercriminals are leveraging IT monitoring and administrative tools to attack a company’s IT infrastructure. This makes them more difficult, the analysis said.
“This software allows them to run processes on endpoints, access and extract sensitive information, bypassing various security controls aimed to detect malware,” the report said.
The firm’s analysis of anonymised data put forth 18 legitimate tools that were abused by attackers for malicious purposes. The most popular tool used by cyber attackers was PowerShell, which was used in 25 per cent of cases for various purposes from gathering information to running malware.
PsExec was leveraged in 22 per cent of the attacks, followed by SoftPerfect Network Scanner, which was used in 14 per cent of cases.
“It is more difficult for security solutions to detect attacks conducted with legitimate tools because these actions can be both parts of a planned cybercrime activity or a regular system administrator task,” the report said.
However, malicious actions, even with legitimate software, can sometimes reveal themselves rather quickly.
“To avoid detection and stay invisible in a compromised network for as long as possible, attackers widely used software which is developed for normal user activity, administrator tasks and system diagnostics,” said Konstantin Sapronov, Head of the Global Emergency Response Team at Kaspersky.
“With these tools, attackers can gather information about corporate networks and then conduct lateral movement, change software and hardware settings or even carry out some form of malicious action. For example, they could use legitimate software to encrypt customer data. Legitimate software can also help attackers stay under the radar of security analysts, as they often detect the attack only after the damage has been done,” he said.
He further suggested deployment of proper logging and monitoring systems that can help weed out such malicious activity on a company’s network.
Stephan Neumeier, Managing Director for the Asia Pacific, Kaspersky noted, "The fact that criminals are using legitimate remote access tools to attack a system without being detected for a longer duration, illustrates how important incident detection and response speed becomes while protecting systems from an unknown threat that may be hiding in the network and using a legitimate guise. The number of such successful cyberattacks is as high as 30 per cent, and as such warrants a major concern to CIOs and CISOs, who undertake a huge responsibility of protecting their networks from serious threats like zero-day and ransomware attacks"