Savvy Hackers Don't Need MalwareReport: Here's How Attackers Borrow Administrative Tools to Force Entry
When the Democratic National Committee revealed in June that its systems had been compromised for more than a year, a forensic analysis indicated the suspect Russian hackers didn't use a lot of malware. Instead, the attackers often used legitimate tools and utilities to creep throughout the network - the so-called "low and slow" method.
It's a technique that long has caused worry since malware-less lateral movement doesn't usually set off alarm bells. Companies' defensive focus instead has long been on stopping malware so a compromise doesn't occur in the first place.
But if attackers get past that first hurdle, their actions from that point can be hard to detect. The problem is illustrated in a new report from cybersecurity vendor LightCyber.
Over the past six months, the company collected anonymized data from 60 of its customers, who are in verticals such as finance, healthcare, government and telecommunications. Unsurprisingly, many had been compromised by malware. And virtually all of the tools that were used to move through an organization's network weren't actually malware, says David Thompson, senior director of product management.
"We thought we'd find a high percentage of non-malware activity," Thompson says. "It was dominated by non-malware."
The Rise of UEBA
The finding explains why attackers are able to stay in systems for months or even years. In February, FireEye's Mandiant forensics unit said the median number of days between when a company was breached and the attack was discovered was 146 days in 2015. It's an improvement over 2014, when the figure was 205 days, but still an awfully long time.
One idea to close that gap is to quickly spot attackers that at a quick glance may appear legitimate. LightCyber is just one of many security companies that are working on techniques to do this, an area that analyst Gartner refers to as user and entity behavior analytics, or UEBA. By next year, Gartner predicts at least 20 percent of the major security vendors that do some form of user monitoring will incorporate advanced analytics and UEBA into their products.
Attackers often behave much differently than regular users. Once on a network, some hackers noisily stumble around, trying to figure out how a network is constructed and where the sensitive assets may be. Indicators that someone is lurking can include excessive port scans, excessive failed logins and failed attempts to access other devices or ports, according to LightCyber's report.
The tools used by attackers to move around are often already installed. In the Democratic National Committee incident, Crowdstrike found the suspected Russian attackers employed Microsoft's powerful scripting tool, PowerShell. It's installed on virtually all Windows computers. Also used was Windows Management Instrumentation, which is a framework for managing computers across a network (see After Russia Hacks DNC: Surprising Candor).
Thompson said the TeamViewer remote access tool is also a favored method. Sometimes, it has already been installed by employees without permission. TeamViewer has many security features in place that are designed to trigger alerts of logins attempts and suspicious ones, but the company saw a raft of mostly consumers accounts taken over in June (see TeamViewer Bolsters Security After Account Takeovers).
"You want to understand what is being used for remote access and have something in place to monitor that," Thomas says.
The most popular networking and hacking tool LightCyber found across the 60 organizations was Angry IP Scanner, which is an open-source tool for querying IP addresses and ports. The second most popular one was PingInfoView, followed by Nmap, Ping, Mimikatz, Ncrack, Perl, Windows Credential Editor, SmartSniff and PDF Exploit Generator.
All of the tools, of course, are dual-purpose: Security pros use them for their own penetration tests. But when what appear to be regular users suddenly start using these tools - or installing them - it could mean an attacker is on the move.
"In our study, Ping was associated with users generating excessive numbers of failed connections - trying to access resources that did not exist or were not responsive - a clear anomaly indicative of network reconnaissance," LightCyber's report reads.
Top 10 for Lateral Moves
The top 10 administration tools that are used by attackers for lateral movement were SecureCRT, Putty, BeyondExec Remote Service, VMware vSphere Client, MobaXterm, PsExec, PowerShell, Private Shell SSH, Telnet and Xshell.
BeyondExec Remote Service was a surprise finding. Anti-virus vendors classify it as a "potentially unwanted application," which is the industry's nice way of avoiding accusations of slander for tagging an application as malware or spyware. Several of the 60 organizations studied had it installed.
"In one particular network, this application was running on more than 40 hosts, much to the IT team's surprise," the report says.