When discussing ransomware groups, too often the focus is on their names, such as Noberus, Royal or AvosLocker, rather than the tactics, techniques, and procedures (TTPs) used in an attack before ransomware is deployed. For example, the particularly heavy use of legitimate software tools in ransomware attack chains has been notable in recent times. In fact, we rarely see a ransomware attack that doesn’t use legitimate software.

Staying Under the Radar: Why Abuse Is Rampant

Ransomware attacks remain a major cybersecurity problem. Ransomware actors, like threat actors in general, are abusing legitimate software for a number of reasons. First is a desire for stealthiness - they’re trying to get into and out of networks as quickly as possible without being discovered. Leveraging legitimate software can allow attackers’ activity to remain hidden, which may allow them to achieve their goals on a victim network without being discovered.

Legitimate software misuse also can make attribution of an attack more difficult, and these tools can also lower barriers to entry. This means less-skilled hackers may still be able to conduct quite wide-ranging and disruptive attacks.

The legitimate tools we most commonly see being used by malicious actors are remote monitoring and management (RMM) tools, such as AnyDesk, Atera, TeamViewer, ConnectWise, and more. In fact, the use of RMM software by malicious actors was considered serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert about this kind of. As recently as February this year, the Symantec Threat Hunter team saw ConnectWise used in both Noberus and Royal ransomware attacks. These tools are commonly used legitimately by IT departments in small, midsize, and large organizations.

Rclone, a legitimate tool for managing content in the cloud, was also used in a Noberus attack recently. In this particular case, attackers used Rclone to exfiltrate files because their earlier attempt to exfiltrate data, using their own custom ExMatter tool, had failed because it was blocked by security software.

AdFind, a legitimate free command-line query tool that can be used for gathering information from Active Directory, is also frequently used by ransomware attackers, who use it to map a network. PDQ Deploy, a tool that sysadmins use to apply patches, is also often abused by attackers, who use it to drop scripts onto victim networks quite efficiently.

It’s not just legitimate tools that are used for malicious purposes by ransomware actors. For example, multiple state-sponsored groups have used legitimate cloud infrastructure such as Google Drive, Dropbox, OneDrive, and others for command-and-control (C&C) infrastructure and to exfiltrate and store stolen data.

Stay Vigilant

Attacks that leverage legitimate software and infrastructure present a particular challenge for both defenders and organizations. A blunt-instrument approach such as blocking the service or tool doesn’t work in these kinds of cases.

And this problem isn’t going away. With every new technology, bad actors will find a way to use it for their own nefarious purposes.
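The article's point that blocking RMM tools, Rclone, AdFind or PDQ Deploy outright does not work, because IT departments rely on the same tools, leaves defenders with the alternative of baselining who legitimately runs each tool and from where, and alerting on executions that fall outside that baseline. The following Python sketch is an added example written for this page, not code from Symantec or from the article; the process-creation log lines, host and account names, the image (binary) names and the baseline itself are all constructed for illustration and would be replaced by an organisation's own EDR telemetry and inventory.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, replace

# Binaries for the tools the article names, grouped by the role attackers gave them.
# Image names are assumptions; map them to whatever your endpoint telemetry reports.
TOOL_CATEGORIES = {
    "anydesk.exe": "rmm", "teamviewer.exe": "rmm", "ateraagent.exe": "rmm",
    "screenconnect.clientservice.exe": "rmm",      # ConnectWise Control agent (assumed name)
    "pdqdeploy.exe": "deployment",
    "adfind.exe": "ad-recon",
    "rclone.exe": "exfil-capable",
}

# AD reconnaissance or exfiltration tooling outside the baseline matters more than a
# stray remote-support session; a chain of both on one host is escalated in detect().
SEVERITY = {"ad-recon": "high", "exfil-capable": "high", "rmm": "medium", "deployment": "medium"}

# Constructed baseline: accounts that legitimately run each tool, and the hosts IT runs
# them from. Rclone has no sanctioned users in this fictional organisation.
BASELINE = {
    "admin_hosts": {"IT-ADMIN-01", "IT-ADMIN-02"},
    "tool_users": {
        "anydesk.exe": {"corp\\helpdesk1", "corp\\helpdesk2"},
        "teamviewer.exe": {"corp\\helpdesk1"},
        "pdqdeploy.exe": {"corp\\patchadmin", "corp\\helpdesk1"},
        "adfind.exe": {"corp\\adadmin"},
        "rclone.exe": set(),
    },
}

# Constructed process-creation telemetry: timestamp, host, account, image name.
SAMPLE_LOG = r"""timestamp,host,user,process
2023-03-01T09:02:11Z,IT-ADMIN-01,corp\helpdesk1,AnyDesk.exe
2023-03-01T09:15:40Z,IT-ADMIN-01,corp\helpdesk1,PDQDeploy.exe
2023-03-01T10:30:00Z,WS-1042,corp\jdoe,excel.exe
2023-03-01T11:05:12Z,WS-0077,corp\helpdesk1,AnyDesk.exe
2023-03-01T22:41:05Z,FILESRV-03,corp\svc_backup,AdFind.exe
2023-03-01T22:58:19Z,FILESRV-03,corp\svc_backup,rclone.exe
2023-03-01T23:03:00Z,WS-1042,corp\jdoe,TeamViewer.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    process: str  # image name, lower-cased so case differences in telemetry do not matter


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    process: str
    category: str
    severity: str
    reason: str


def parse_events(text):
    """Parse CSV telemetry into Event records with normalised image names."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [Event(r["timestamp"], r["host"], r["user"], r["process"].lower()) for r in reader]


def classify(ev, baseline):
    """Return None for ordinary software or in-baseline use, otherwise an Alert.

    In-baseline means the account is a known user of that tool AND the execution
    came from an IT admin host; either condition failing is worth a look.
    """
    category = TOOL_CATEGORIES.get(ev.process)
    if category is None:
        return None
    allowed_users = baseline["tool_users"].get(ev.process, set())
    user_ok = ev.user in allowed_users
    host_ok = ev.host in baseline["admin_hosts"]
    if user_ok and host_ok:
        return None
    if not allowed_users:
        reason = "tool has no sanctioned users"
    elif not user_ok:
        reason = "account is not a known user of this tool"
    else:
        reason = "run from a host outside the admin baseline"
    return Alert(ev.ts, ev.host, ev.user, ev.process, category, SEVERITY[category], reason)


def detect(events, baseline):
    """Classify every event, then escalate hosts showing more than one tool category.

    One out-of-baseline RMM session may be a helpdesk slip; AD reconnaissance followed
    by an exfiltration-capable tool on the same host resembles the attack chains the
    article describes, so every alert for that host becomes critical.
    """
    alerts = [a for a in (classify(e, baseline) for e in events) if a is not None]
    categories_by_host = defaultdict(set)
    for a in alerts:
        categories_by_host[a.host].add(a.category)
    escalated = []
    for a in alerts:
        if len(categories_by_host[a.host]) >= 2:
            a = replace(a, severity="critical",
                        reason=a.reason + "; multiple dual-use tool categories on one host")
        escalated.append(a)
    return escalated


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG), BASELINE):
        print(f"{a.severity:8} {a.ts} {a.host:12} {a.user:18} {a.process:16} {a.reason}")
```

On the constructed log this yields no alert for the two helpdesk executions on IT-ADMIN-01, a medium alert for AnyDesk launched by a sanctioned account from a non-admin workstation, a medium alert for TeamViewer run by an ordinary user, and two critical alerts for the file server where AdFind and then Rclone ran under a service account in the evening. The baseline is the part that needs real maintenance: it should come from the IT department's actual tool inventory, and every alert that turns out to be legitimate use is an update to the baseline rather than a reason to switch the rule off.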