Application Security

09:00 AM
Connect Directly

Attackers Leverage IT Tools As Cover

The line between attack and defense tools has blurred.

The task of defending enterprises against malicious intruders could become even harder for security managers with attackers beginning to increasingly leverage commonly used IT tools and services to disguise their presence on compromised networks.

Security researchers have for some time observed attack groups using popular services like Dropbox and WordPress as cover for new advanced persistent threat attacks. The DNSCalc gang that attacked The New York Times last year, for instance, used DropBox to distribute their malware and WordPress as a command and control infrastructure for managing infected systems.

More recently, security researchers at Blue Coat Labs and Kaspersky Labs observed the group behind the Inception cyber espionage campaign using a free version of the CloudMe hosting service and a virtual private network to infiltrate systems and control them remotely.

There are signs that attackers are expanding their use of such approaches to evade detection, according to security researchers.

Security and risk consulting company Neohapsis says it has observed a definite blurring of the line between attack and defense tools and techniques in recent times.

In its list of predictions for 2015, the company says it expects hackers to use forensic tools to steal passwords and locate data, and host intrusion detection systems to alert them of suspicious network administrators.

"Sophisticated attacks may even repurpose legitimate security tools entirely," the company predicts. For example, expect to see the centralized patch management system used to distribute malicious code, the local anti-virus to scan processes for credit cards and passwords, and vulnerability scanning systems used to map the entire network. "Advanced attackers will infect the very systems employed to protect us," the company predicts.

The goal increasingly is to try and blend attack behavior with normal behavior in order to evade detection as much as possible, says Marc Maiffret, chief technology officer at privileged account management vendor BeyondTrust.

"There is a trend of attackers leveraging existing system tools to move laterally through an environment," Maiffret said in emailed comments.

Rather than worrying about developing custom code to exploit networks, many have simply begun leveraging existing IT tools and operating system functionality to achieve their goals.  Hackers, he says, have figured out that they need only enough custom tools to exploit the initial entry point. But once they have gained initial access into a network, the effort is to leverage everyday IT tools to make their way across the enterprise network.

The issue is an important one at a time when attackers appear to be increasingly moving away from smash-and-grab raids to low, slow, and decidedly more dangerous data exfiltration campaigns.  The data thefts at Target, Home Depot, and the United States Postal Service are all examples where hackers managed to steal large amounts of data over a period of time by essentially melding into the corporate network and becoming as indistinguishable as possible from normal operations.

In the past, the primary focus of attackers was to compromise, steal from, and exit a victim network in as quick a manner as possible, says Joseph Schumacher, a consultant at Neohapsis.

Now it is more about gaining entry into a corporate network and then defending that access as much as possible.

As part of that effort, attackers are increasingly focusing efforts to build more resilience into their attack infrastructure by taking advantage of cloud services and cached delivery networks like Akamai to distribute malware and to control infected systems.

Just like enterprises tap cloud services for scalability and performance reasons, bad actors have begun taking advance of hosting and virtualization services to build more resilience into their attack infrastructure. "With a service like Amazon they can clone a virtual machine so if you take down one instance they can pop up another almost instantly," Schumacher says.

The overlap doesn't stop there though. Attackers seeking to illicitly expand their access inside an enterprise network also frequently leverage tools commonly used by system administrators for less nefarious purposes.

One example is a tool suite known as Sysinternals that is often used by systems administrators for troubleshooting purposes or for network management purposes, says Waylon Grange, senior malware researcher with Blue Coat. One of the tools in the suite allows anyone with login credentials to launch processes on remote computers, Grange said in emailed comments.

"This ability is a favorite of attackers and administrators alike for obvious reasons," he says. Many antivirus vendors these days even detect the tool as a hacking tool because of its extensive use by attackers.

Similarly, Windows Remote Desktop is another IT feature commonly exploited by attackers to gain remote access to compromised systems, Grange noted. To a lesser degree, tools like tcpdump and Wireshark, which enables network traffic captures, also hold some appeal for attackers, Grange said.

"I've yet to see this in use by malware groups, but I know its usefulness is taught in training courses for pen testers."

The trend by attackers to leverage common IT tools is sure to complicate efforts by security administrators to detect and respond to intrusions. But it is not a game changer so long as administrators are aware of what is going on, says Schumacher.

"I don't see this as tilting the scales one way or the other. It is the same fight but at a different level and using different tactics."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.