Attackers Leverage IT Tools As Cover

The task of defending enterprises against malicious intruders could become even harder for security managers with attackers beginning to increasingly leverage commonly used IT tools and services to disguise their presence on compromised networks.

Security researchers have for some time observed attack groups using popular services like Dropbox and WordPress as cover for new advanced persistent threat attacks. The DNSCalc gang that attacked The New York Times last year, for instance, used DropBox to distribute their malware and WordPress as a command and control infrastructure for managing infected systems.

More recently, security researchers at Blue Coat Labs and Kaspersky Labs observed the group behind the Inception cyber espionage campaign using a free version of the CloudMe hosting service and a virtual private network to infiltrate systems and control them remotely.

There are signs that attackers are expanding their use of such approaches to evade detection, according to security researchers.

Security and risk consulting company Neohapsis says it has observed a definite blurring of the line between attack and defense tools and techniques in recent times.

In its list of predictions for 2015, the company says it expects hackers to use forensic tools to steal passwords and locate data, and host intrusion detection systems to alert them of suspicious network administrators.

"Sophisticated attacks may even repurpose legitimate security tools entirely," the company predicts. For example, expect to see the centralized patch management system used to distribute malicious code, the local anti-virus to scan processes for credit cards and passwords, and vulnerability scanning systems used to map the entire network. "Advanced attackers will infect the very systems employed to protect us," the company predicts.

The goal increasingly is to try and blend attack behavior with normal behavior in order to evade detection as much as possible, says Marc Maiffret, chief technology officer at privileged account management vendor BeyondTrust.

"There is a trend of attackers leveraging existing system tools to move laterally through an environment," Maiffret said in emailed comments.

Rather than worrying about developing custom code to exploit networks, many have simply begun leveraging existing IT tools and operating system functionality to achieve their goals.  Hackers, he says, have figured out that they need only enough custom tools to exploit the initial entry point. But once they have gained initial access into a network, the effort is to leverage everyday IT tools to make their way across the enterprise network.

The issue is an important one at a time when attackers appear to be increasingly moving away from smash-and-grab raids to low, slow, and decidedly more dangerous data exfiltration campaigns.  The data thefts at Target, Home Depot, and the United States Postal Service are all examples where hackers managed to steal large amounts of data over a period of time by essentially melding into the corporate network and becoming as indistinguishable as possible from normal operations.

In the past, the primary focus of attackers was to compromise, steal from, and exit a victim network in as quick a manner as possible, says Joseph Schumacher, a consultant at Neohapsis.

Now it is more about gaining entry into a corporate network and then defending that access as much as possible.

As part of that effort, attackers are increasingly focusing efforts to build more resilience into their attack infrastructure by taking advantage of cloud services and cached delivery networks like Akamai to distribute malware and to control infected systems.

Just like enterprises tap cloud services for scalability and performance reasons, bad actors have begun taking advance of hosting and virtualization services to build more resilience into their attack infrastructure. "With a service like Amazon they can clone a virtual machine so if you take down one instance they can pop up another almost instantly," Schumacher says.

The overlap doesn't stop there though. Attackers seeking to illicitly expand their access inside an enterprise network also frequently leverage tools commonly used by system administrators for less nefarious purposes.

One example is a tool suite known as Sysinternals that is often used by systems administrators for troubleshooting purposes or for network management purposes, says Waylon Grange, senior malware researcher with Blue Coat. One of the tools in the suite allows anyone with login credentials to launch processes on remote computers, Grange said in emailed comments.

"This ability is a favorite of attackers and administrators alike for obvious reasons," he says. Many antivirus vendors these days even detect the tool as a hacking tool because of its extensive use by attackers.

Similarly, Windows Remote Desktop is another IT feature commonly exploited by attackers to gain remote access to compromised systems, Grange noted. To a lesser degree, tools like tcpdump and Wireshark, which enables network traffic captures, also hold some appeal for attackers, Grange said.

"I've yet to see this in use by malware groups, but I know its usefulness is taught in training courses for pen testers."

The trend by attackers to leverage common IT tools is sure to complicate efforts by security administrators to detect and respond to intrusions. But it is not a game changer so long as administrators are aware of what is going on, says Schumacher.

"I don't see this as tilting the scales one way or the other. It is the same fight but at a different level and using different tactics."