Sophisticated attackers increasingly use little or no malware to compromise and steal data from their targets, according to an alert posted by managed security services firm Dell Secureworks on Sept. 2.
Instead, in nearly every intrusion investigated by security analysts at the company in the past year, the attackers used compromised credentials to gain entry into the network and legitimate administrator tools to move from system to system, the alert stated. Attackers used little or no malware, the firm said.
Such attacks will dodge the defenses of companies whose defenses focus on detecting attacks by recognizing the attacker's malware, Phil Burdette, senior security researcher for Dell Secureworks, told eWEEK.
“There are a lot of legitimate system tools that employees use to conduct daily operations and those same tools can be used by the adversaries,” he said. “The challenge then becomes to discern between legitimate administrator activity and the behavior of an adversary.”
Dell Secureworks described three attacks in general terms, highlighting how an attacker does not have to use malicious software to accomplish their mission. In one case, the attackers nabbed an employee’s credentials to log into the manufacturer’s Citrix system. Because the company did not implement two-factor authentication the attackers were able to easily log into the network. The attackers also used an administration tool to distribute patches to further the compromise.
A second attack applied a similar modus operandi, using stolen Citrix credentials to log into the network and observe activities. The attackers used a central management server, which is used to distribute antivirus updates, to push malware to the endpoints.
These sorts of attacks are not new. They harken back to the early days of computer hacking. In the 1980s, most hackers found ways into systems and networks using stolen or cracked credentials. Once inside the network, they used administrator tools or exploits to accomplish their goals.
More recently, Dell Secureworks warned in May for companies to be on the lookout for attackers using stolen credentials to break into networks and existing administrator tools to move from machine to machine. Since the intruders used only the tools they could find locally, and eschewed malware, Dell Secureworks researchers termed the technique “living off the land.”
An attack on a pharmaceutical maker, the third case highlighted by Dell Secureworks, used no malware. Initially, the attacker convinced a single employee to enter in their network credentials by posing as the company’s IT department. Within a few hours, the attackers had access to the company’s virtual private network and parlayed that into broader access to the network.
“They sent a phishing message to twelve different users and one fell for it,” Dell Secureworks’ Burdette said. “One person fell for it and that is all that it took.”
Companies should use two-factor authentication to limit access to employees and make user credentials less useful to attackers, Dell Secureworks advised. Any privileged user account should be audited regularly and valuable intellectual property identified and then closely monitored.