Symantec recently released research that showed a Chinese cyberespionage group was using living off the land techniques to compromise networks. In the
Symantec recently released research that showed a Chinese cyberespionage group was using living off the land techniques to compromise networks. In these attacks, hackers use legitimate tools like PsExec for nefarious means. Should enterprises refrain from using these tools or is there a way to monitor and track them?
PsExec, PowerShell and WinSCP are all tools that enterprise network and system administrators are familiar with, and which they probably use most days of the week.
Research by Symantec, however, revealed that these tools are also being used by a Chinese cyberespionage group to traverse and exfiltrate data from satellite, telecom and defense companies in Southeast Asia and the United States. The Thrip hacking group and other cybercriminals are using these and other legitimate admin tools to carry out and hide their activities in plain sight, a tactic known as living off the land.
By making use of legitimate admin tools that are already installed on target computers and running scripts and shellcode directly in memory, attackers can greatly reduce the chances of being detected, as the attack creates fewer — or even zero — new files that antivirus and other detection tools can spot.
The tools hackers employ for dual-use include those used to manage networks and systems, such as File Transfer Protocol clients and system and configuration management tools. Collectively, they give the attacker the ability to run commands, explore and traverse networks, exfiltrate data, and download additional tools or malware — though this is done sparingly to reduce the risk of discovery. These legitimate admin tools are usually preinstalled on admin machines, and the hacker’s misuse of them can get lost amid the daily activities of genuine system administrators, making it harder to detect and attribute attacks to a source.
Symantec said that living off the land is now used in almost every targeted attack, leading some enterprises to ask whether they are running a risk by installing and using these admin tools. There are two problems with this approach.
Firstly, it would be almost impossible for administrators to manage IT infrastructures without admin tools. And even if companies used other, less popular tools, hackers would quickly adapt to abuse those, as well. In fact, the number of legitimate tools already in use is too great to be able to remove them all. The same is true of cloud services, which hackers use to establish command-and-control channels, as organizations are unlikely to block them.
The best way to avoid these attacks is to prevent devices from becoming infected in the first place. Employee awareness training on social engineering attacks is essential to do this as email and infected websites are still the most common infection vectors for malware.
Antivirus software should always be kept up to date as antivirus scanners are learning how to spot and block things like remote code execution and memory-only exploits. To make it harder for an attacker to traverse and explore a network, they should be segregated, all activities should be logged and a least privileges approach should be enforced.
Symantec used its Targeted Attack Analytics tool to scan for attack patterns, which security teams need to do on their own networks to uncover attacks using similar patterns; for example, a command-line tool like PsExec being used to execute processes on other systems. This requires a baseline of known-good network traffic against which day-to-day traffic can be compared using artificial intelligence and machine learning to spot any unusual use of legitimate admin tools or activity associated with dual-use tools.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)