Hackers Using Victim's Own Software to Breach Network, Firm Says
Rather than infect a network with their own malware, sophisticated attackers are increasingly "living off the land" by using a company's own tools to do their job.

Sophisticated attackers increasingly use little or no malware to compromise their targets and steal data, according to an alert posted by managed security services firm Dell Secureworks on Sept. 2. Instead, in nearly every intrusion investigated by the company's security analysts in the past year, the attackers used compromised credentials to gain entry to the network and legitimate administrator tools to move from system to system, the alert stated. Attackers used little or no malware, the firm said. Such attacks evade the defenses of companies that rely on recognizing the attacker's malware, Phil Burdette, senior security researcher for Dell Secureworks, told eWEEK. "There are a lot of legitimate system tools that employees use to conduct daily operations and those same tools can be used by the adversaries," he said. "The challenge then becomes to discern between legitimate administrator activity and the behavior of an adversary."
Dell Secureworks described three attacks in general terms, highlighting how an attacker does not have to use malicious software to accomplish their mission. In one case, the attackers stole an employee's credentials to log into the manufacturer's Citrix system. Because the company had not implemented two-factor authentication, the attackers were able to log into the network with ease. The attackers then used an administration tool meant for distributing patches to further the compromise.
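One way a defender can start to tell legitimate administrator activity apart from an adversary reusing the same credential and tools is to compare each account's remote-admin sessions against its own recent baseline. The example below is added here and is not from the eWEEK article or from Dell Secureworks; the account names, host names and tool labels are constructed sample values.

```python
# Added example (not from the article or Dell Secureworks): flag a credential
# whose remote-admin sessions depart from that account's own baseline.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str   # account name (constructed sample values below)
    src: str    # host the session came from
    dst: str    # host reached with a remote admin tool
    tool: str   # e.g. "citrix", "rdp", "psexec"

def build_baseline(history):
    """Per-user sets of source hosts and (destination, tool) pairs
    observed during a known-good period."""
    base = defaultdict(lambda: {"src": set(), "dst": set()})
    for s in history:
        base[s.user]["src"].add(s.src)
        base[s.user]["dst"].add((s.dst, s.tool))
    return base

def flag_sessions(baseline, recent, max_new_dst=2):
    """Return {user: reasons}. A user is flagged when recent sessions come
    from a never-seen source host, or fan out to more than max_new_dst
    destination hosts absent from that user's baseline."""
    new_src, new_dst = defaultdict(set), defaultdict(set)
    for s in recent:
        b = baseline.get(s.user, {"src": set(), "dst": set()})
        if s.src not in b["src"]:
            new_src[s.user].add(s.src)
        if (s.dst, s.tool) not in b["dst"]:
            new_dst[s.user].add(s.dst)
    findings = {}
    for user in set(new_src) | set(new_dst):
        reasons = []
        if new_src[user]:
            reasons.append(f"new source host(s): {sorted(new_src[user])}")
        if len(new_dst[user]) > max_new_dst:
            reasons.append(f"fan-out to {len(new_dst[user])} new hosts")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample data: a sysadmin's normal sessions, then a period in
# which the same credential arrives through an external Citrix gateway and
# pushes sessions to servers that account never touched before.
HISTORY = [Session("jdoe", "ws-jdoe", f"srv-{i:02d}", "rdp") for i in range(1, 4)]
HISTORY.append(Session("jdoe", "ws-jdoe", "patch-srv", "psexec"))
RECENT = [Session("jdoe", "ws-jdoe", "srv-02", "rdp"),
          Session("jdoe", "ctx-gw-ext", "srv-02", "citrix")]
RECENT += [Session("jdoe", "ctx-gw-ext", f"srv-{i:02d}", "psexec") for i in range(10, 15)]

if __name__ == "__main__":
    for user, why in flag_sessions(build_baseline(HISTORY), RECENT).items():
        print(user, "->", "; ".join(why))
```

Real deployments would build the baseline from authentication and remote-execution logs over a longer window and tune `max_new_dst` to the environment; the point is that the tool is legitimate, so the signal has to come from who used it, from where, and how widely.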