Application Security

09:00 AM
Connect Directly

Attackers Leverage IT Tools As Cover

The line between attack and defense tools has blurred.

The task of defending enterprises against malicious intruders could become even harder for security managers with attackers beginning to increasingly leverage commonly used IT tools and services to disguise their presence on compromised networks.

Security researchers have for some time observed attack groups using popular services like Dropbox and WordPress as cover for new advanced persistent threat attacks. The DNSCalc gang that attacked The New York Times last year, for instance, used DropBox to distribute their malware and WordPress as a command and control infrastructure for managing infected systems.

More recently, security researchers at Blue Coat Labs and Kaspersky Labs observed the group behind the Inception cyber espionage campaign using a free version of the CloudMe hosting service and a virtual private network to infiltrate systems and control them remotely.

There are signs that attackers are expanding their use of such approaches to evade detection, according to security researchers.

Security and risk consulting company Neohapsis says it has observed a definite blurring of the line between attack and defense tools and techniques in recent times.

In its list of predictions for 2015, the company says it expects hackers to use forensic tools to steal passwords and locate data, and host intrusion detection systems to alert them of suspicious network administrators.

"Sophisticated attacks may even repurpose legitimate security tools entirely," the company predicts. For example, expect to see the centralized patch management system used to distribute malicious code, the local anti-virus to scan processes for credit cards and passwords, and vulnerability scanning systems used to map the entire network. "Advanced attackers will infect the very systems employed to protect us," the company predicts.

The goal increasingly is to try and blend attack behavior with normal behavior in order to evade detection as much as possible, says Marc Maiffret, chief technology officer at privileged account management vendor BeyondTrust.

"There is a trend of attackers leveraging existing system tools to move laterally through an environment," Maiffret said in emailed comments.

Rather than worrying about developing custom code to exploit networks, many have simply begun leveraging existing IT tools and operating system functionality to achieve their goals.  Hackers, he says, have figured out that they need only enough custom tools to exploit the initial entry point. But once they have gained initial access into a network, the effort is to leverage everyday IT tools to make their way across the enterprise network.

The issue is an important one at a time when attackers appear to be increasingly moving away from smash-and-grab raids to low, slow, and decidedly more dangerous data exfiltration campaigns.  The data thefts at Target, Home Depot, and the United States Postal Service are all examples where hackers managed to steal large amounts of data over a period of time by essentially melding into the corporate network and becoming as indistinguishable as possible from normal operations.

In the past, the primary focus of attackers was to compromise, steal from, and exit a victim network in as quick a manner as possible, says Joseph Schumacher, a consultant at Neohapsis.

Now it is more about gaining entry into a corporate network and then defending that access as much as possible.

As part of that effort, attackers are increasingly focusing efforts to build more resilience into their attack infrastructure by taking advantage of cloud services and cached delivery networks like Akamai to distribute malware and to control infected systems.

Just like enterprises tap cloud services for scalability and performance reasons, bad actors have begun taking advance of hosting and virtualization services to build more resilience into their attack infrastructure. "With a service like Amazon they can clone a virtual machine so if you take down one instance they can pop up another almost instantly," Schumacher says.

The overlap doesn't stop there though. Attackers seeking to illicitly expand their access inside an enterprise network also frequently leverage tools commonly used by system administrators for less nefarious purposes.

One example is a tool suite known as Sysinternals that is often used by systems administrators for troubleshooting purposes or for network management purposes, says Waylon Grange, senior malware researcher with Blue Coat. One of the tools in the suite allows anyone with login credentials to launch processes on remote computers, Grange said in emailed comments.

"This ability is a favorite of attackers and administrators alike for obvious reasons," he says. Many antivirus vendors these days even detect the tool as a hacking tool because of its extensive use by attackers.

Similarly, Windows Remote Desktop is another IT feature commonly exploited by attackers to gain remote access to compromised systems, Grange noted. To a lesser degree, tools like tcpdump and Wireshark, which enables network traffic captures, also hold some appeal for attackers, Grange said.

"I've yet to see this in use by malware groups, but I know its usefulness is taught in training courses for pen testers."

The trend by attackers to leverage common IT tools is sure to complicate efforts by security administrators to detect and respond to intrusions. But it is not a game changer so long as administrators are aware of what is going on, says Schumacher.

"I don't see this as tilting the scales one way or the other. It is the same fight but at a different level and using different tactics."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to, and 3.32 prior to A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...