Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

09:00 AM
Connect Directly

Attackers Leverage IT Tools As Cover

The line between attack and defense tools has blurred.

The task of defending enterprises against malicious intruders could become even harder for security managers with attackers beginning to increasingly leverage commonly used IT tools and services to disguise their presence on compromised networks.

Security researchers have for some time observed attack groups using popular services like Dropbox and WordPress as cover for new advanced persistent threat attacks. The DNSCalc gang that attacked The New York Times last year, for instance, used DropBox to distribute their malware and WordPress as a command and control infrastructure for managing infected systems.

More recently, security researchers at Blue Coat Labs and Kaspersky Labs observed the group behind the Inception cyber espionage campaign using a free version of the CloudMe hosting service and a virtual private network to infiltrate systems and control them remotely.

There are signs that attackers are expanding their use of such approaches to evade detection, according to security researchers.

Security and risk consulting company Neohapsis says it has observed a definite blurring of the line between attack and defense tools and techniques in recent times.

In its list of predictions for 2015, the company says it expects hackers to use forensic tools to steal passwords and locate data, and host intrusion detection systems to alert them of suspicious network administrators.

"Sophisticated attacks may even repurpose legitimate security tools entirely," the company predicts. For example, expect to see the centralized patch management system used to distribute malicious code, the local anti-virus to scan processes for credit cards and passwords, and vulnerability scanning systems used to map the entire network. "Advanced attackers will infect the very systems employed to protect us," the company predicts.

The goal increasingly is to try and blend attack behavior with normal behavior in order to evade detection as much as possible, says Marc Maiffret, chief technology officer at privileged account management vendor BeyondTrust.

"There is a trend of attackers leveraging existing system tools to move laterally through an environment," Maiffret said in emailed comments.

Rather than worrying about developing custom code to exploit networks, many have simply begun leveraging existing IT tools and operating system functionality to achieve their goals.  Hackers, he says, have figured out that they need only enough custom tools to exploit the initial entry point. But once they have gained initial access into a network, the effort is to leverage everyday IT tools to make their way across the enterprise network.

The issue is an important one at a time when attackers appear to be increasingly moving away from smash-and-grab raids to low, slow, and decidedly more dangerous data exfiltration campaigns.  The data thefts at Target, Home Depot, and the United States Postal Service are all examples where hackers managed to steal large amounts of data over a period of time by essentially melding into the corporate network and becoming as indistinguishable as possible from normal operations.

In the past, the primary focus of attackers was to compromise, steal from, and exit a victim network in as quick a manner as possible, says Joseph Schumacher, a consultant at Neohapsis.

Now it is more about gaining entry into a corporate network and then defending that access as much as possible.

As part of that effort, attackers are increasingly focusing efforts to build more resilience into their attack infrastructure by taking advantage of cloud services and cached delivery networks like Akamai to distribute malware and to control infected systems.

Just like enterprises tap cloud services for scalability and performance reasons, bad actors have begun taking advance of hosting and virtualization services to build more resilience into their attack infrastructure. "With a service like Amazon they can clone a virtual machine so if you take down one instance they can pop up another almost instantly," Schumacher says.

The overlap doesn't stop there though. Attackers seeking to illicitly expand their access inside an enterprise network also frequently leverage tools commonly used by system administrators for less nefarious purposes.

One example is a tool suite known as Sysinternals that is often used by systems administrators for troubleshooting purposes or for network management purposes, says Waylon Grange, senior malware researcher with Blue Coat. One of the tools in the suite allows anyone with login credentials to launch processes on remote computers, Grange said in emailed comments.

"This ability is a favorite of attackers and administrators alike for obvious reasons," he says. Many antivirus vendors these days even detect the tool as a hacking tool because of its extensive use by attackers.

Similarly, Windows Remote Desktop is another IT feature commonly exploited by attackers to gain remote access to compromised systems, Grange noted. To a lesser degree, tools like tcpdump and Wireshark, which enables network traffic captures, also hold some appeal for attackers, Grange said.

"I've yet to see this in use by malware groups, but I know its usefulness is taught in training courses for pen testers."

The trend by attackers to leverage common IT tools is sure to complicate efforts by security administrators to detect and respond to intrusions. But it is not a game changer so long as administrators are aware of what is going on, says Schumacher.

"I don't see this as tilting the scales one way or the other. It is the same fight but at a different level and using different tactics."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
PUBLISHED: 2019-07-16
Norton Password Manager, prior to, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal.
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).