Tools used by the IT administrative staff of firms to provide employees with technical support are increasingly being used by cybercriminals to launch attacks on company infrastructure, a report by cybersecurity firm Kaspersky’s Global Emergency Response team said.
Almost a third (30%) of cyber attacks investigated by the Kaspersky Global Emergency Response team in 2019 involved legitimate remote management and administration tools, Kaspersky’s new Incident Response Analytics Report found.
This should be of major concern to CIOs (Chief Information Officers) of companies.
Monitoring and management software helps IT and network administrators perform their everyday tasks, such as troubleshooting. However, cybercriminals also make use of it to mount cyber attacks on a company’s infrastructure. The software allows them to run processes and to access and extract sensitive information, bypassing various security controls aimed at detecting malware, Kaspersky said in a statement.
“To avoid detection and stay invisible in a compromised network for as long as possible, attackers widely used software that is developed for normal user activity, administrator tasks and system diagnostics,” Kaspersky’s Head of Global Emergency Response Team Konstantin Sapronov said, based on findings of the report.
It is difficult for security software to detect attacks perpetrated with legitimate tools as these actions could be either a cybercrime activity or a regular system administrator task, the company’s statement said. The attack is often detected only after the damage has been done.
While it is not possible for companies to exclude the use of these tools for many reasons, Sapronov said that properly deployed logging and monitoring systems would help detect suspicious activity in the network and complex attacks at early stages.
To minimise the chances of remote management software being used to penetrate infrastructure, Kaspersky has some recommendations.
• Restrict access to remote management tools from external IP addresses. Ensure that remote control interfaces can only be accessed from a limited number of endpoints.
• Enforce a strict password policy for all IT systems and deploy multi-factor authentication.
• Follow the principle of offering staff limited privileges and grant high-privileged accounts only to those who need them to fulfil their job.
As for which software tools were most widely used in the attacks, analysis of anonymised data from incident response cases showed that 18 different legitimate tools were abused by attackers, including PowerShell (25% of cases), PsExec (22%) and SoftPerfect Network Scanner (14%), the Kaspersky report quoted in the statement said.