Application Security

09:00 AM
Connect Directly

Attackers Leverage IT Tools As Cover

The line between attack and defense tools has blurred.

The task of defending enterprises against malicious intruders could become even harder for security managers with attackers beginning to increasingly leverage commonly used IT tools and services to disguise their presence on compromised networks.

Security researchers have for some time observed attack groups using popular services like Dropbox and WordPress as cover for new advanced persistent threat attacks. The DNSCalc gang that attacked The New York Times last year, for instance, used DropBox to distribute their malware and WordPress as a command and control infrastructure for managing infected systems.

More recently, security researchers at Blue Coat Labs and Kaspersky Labs observed the group behind the Inception cyber espionage campaign using a free version of the CloudMe hosting service and a virtual private network to infiltrate systems and control them remotely.

There are signs that attackers are expanding their use of such approaches to evade detection, according to security researchers.

Security and risk consulting company Neohapsis says it has observed a definite blurring of the line between attack and defense tools and techniques in recent times.

In its list of predictions for 2015, the company says it expects hackers to use forensic tools to steal passwords and locate data, and host intrusion detection systems to alert them of suspicious network administrators.

"Sophisticated attacks may even repurpose legitimate security tools entirely," the company predicts. For example, expect to see the centralized patch management system used to distribute malicious code, the local anti-virus to scan processes for credit cards and passwords, and vulnerability scanning systems used to map the entire network. "Advanced attackers will infect the very systems employed to protect us," the company predicts.

The goal increasingly is to try and blend attack behavior with normal behavior in order to evade detection as much as possible, says Marc Maiffret, chief technology officer at privileged account management vendor BeyondTrust.

"There is a trend of attackers leveraging existing system tools to move laterally through an environment," Maiffret said in emailed comments.

Rather than worrying about developing custom code to exploit networks, many have simply begun leveraging existing IT tools and operating system functionality to achieve their goals.  Hackers, he says, have figured out that they need only enough custom tools to exploit the initial entry point. But once they have gained initial access into a network, the effort is to leverage everyday IT tools to make their way across the enterprise network.

The issue is an important one at a time when attackers appear to be increasingly moving away from smash-and-grab raids to low, slow, and decidedly more dangerous data exfiltration campaigns.  The data thefts at Target, Home Depot, and the United States Postal Service are all examples where hackers managed to steal large amounts of data over a period of time by essentially melding into the corporate network and becoming as indistinguishable as possible from normal operations.

In the past, the primary focus of attackers was to compromise, steal from, and exit a victim network in as quick a manner as possible, says Joseph Schumacher, a consultant at Neohapsis.

Now it is more about gaining entry into a corporate network and then defending that access as much as possible.

As part of that effort, attackers are increasingly focusing efforts to build more resilience into their attack infrastructure by taking advantage of cloud services and cached delivery networks like Akamai to distribute malware and to control infected systems.

Just like enterprises tap cloud services for scalability and performance reasons, bad actors have begun taking advance of hosting and virtualization services to build more resilience into their attack infrastructure. "With a service like Amazon they can clone a virtual machine so if you take down one instance they can pop up another almost instantly," Schumacher says.

The overlap doesn't stop there though. Attackers seeking to illicitly expand their access inside an enterprise network also frequently leverage tools commonly used by system administrators for less nefarious purposes.

One example is a tool suite known as Sysinternals that is often used by systems administrators for troubleshooting purposes or for network management purposes, says Waylon Grange, senior malware researcher with Blue Coat. One of the tools in the suite allows anyone with login credentials to launch processes on remote computers, Grange said in emailed comments.

"This ability is a favorite of attackers and administrators alike for obvious reasons," he says. Many antivirus vendors these days even detect the tool as a hacking tool because of its extensive use by attackers.

Similarly, Windows Remote Desktop is another IT feature commonly exploited by attackers to gain remote access to compromised systems, Grange noted. To a lesser degree, tools like tcpdump and Wireshark, which enables network traffic captures, also hold some appeal for attackers, Grange said.

"I've yet to see this in use by malware groups, but I know its usefulness is taught in training courses for pen testers."

The trend by attackers to leverage common IT tools is sure to complicate efforts by security administrators to detect and respond to intrusions. But it is not a game changer so long as administrators are aware of what is going on, says Schumacher.

"I don't see this as tilting the scales one way or the other. It is the same fight but at a different level and using different tactics."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.