New report claims cyber-criminals use “sophisticated tools” or cyber weapons to compromise networks and steal information
Hackers rely on cyber weapons rather than malware to evade detection once inside a network. Researchers report that attackers prefer "sophisticated tools" to malware after the initial intrusion.
A common assumption is that attackers rely on malware throughout an intrusion to reach sensitive user data, including personal and financial information. Security researchers have now found that cybercriminals rarely use malware past the initial breach of a victim's systems.
According to a new report by security firm LightCyber, cybercriminals use “sophisticated tools” or “cyber weapons” to compromise networks and steal information. “While malware is a part of their arsenal, it’s typically used during the intrusion phase, rather than the active phase of an attack. Instead, attackers leverage hacking, admin, and remote access tools to expand across the network, take over more machines, and obtain sensitive data,” the firm said.
After Breaking into a Network
The report found that 99% of "internal network reconnaissance and lateral movement" came from "legitimate" applications such as scanners and riskware, not from malware. LightCyber also pointed out that attackers use IT admin tools such as network monitoring software and remote desktop access tools, along with networking and hacking tools, to reach data. The firm cautioned: "By using these tools, attackers can remain undetected for months and quickly regain access even if the malware used to enter the network is identified and removed."
Because the analyzed data was anonymized, the report cannot break the threats down by geography.
Results for the study were tabulated over six months from end-user networks totaling hundreds of thousands of endpoints worldwide. Sample organizations ranged in size from 1,000 to 50,000 endpoints, spanning industries such as finance, healthcare, transportation, government, telecommunications and technology.
According to the report, malware detection tools are "almost entirely fruitless" at identifying attackers' operational activity after the initial penetration. LightCyber also found that attackers use ubiquitous applications such as web browsers and native OS tools when conducting attacks. "In fact, web browsers like Chrome, Internet Explorer, and Firefox accounted for a sizeable amount of command and control activity," the firm said.
The firm advises organizations to adopt detection techniques that account for the range of cyber weapons attackers use. "To thwart attacks, organizations need to effectively monitor the entire 'attack kill chain'. By implementing defense-in-depth based on detecting anomalous attack behavior as well as enforcing perimeter and endpoint prevention, organizations can stop the attacker at any stage of an attack and make sure that if one safeguard fails, another one can prevent a costly breach," LightCyber said.
Additional key findings of the study include:
SecureCRT, a Secure Shell (SSH) and Telnet client, topped the list of admin tools employed in attacks, representing 28.5% of all incidents reviewed in this study. These admin tools generated security alerts associated with anomalous network attack behaviors, such as new admin behavior, remote code execution and reverse connection (reverse shell), among others.
The most popular remote desktop tool used by attackers in this study was TeamViewer, a cloud-based or locally hosted remote desktop and web conferencing product, which accounted for 37.2% of all incidents in the study. Remote desktop tools used by attackers manifested several anomalous attack behaviors, including command and control (tunneling) and lateral movement.
Attackers may leverage ordinary end-user programs like web browsers, file transfer clients and native system tools for command and control and data exfiltration activity. The most mundane applications, in the wrong hands, can be used for malicious purposes.
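The report's recommendation and its key findings both come down to one idea: since the tools are legitimate (an SSH client, a remote desktop product), a signature on the binary is useless, and the signal has to be the behavior, measured against what that user and host normally do. The following is an added example written for this article, not code from LightCyber or from the report; it runs three of the anomaly categories the findings name (new admin behavior, lateral movement, and a remote tool tunneling to an outside address) over a small set of constructed connection records. The log format, the tool list, the port list and the fan-out threshold are all assumptions chosen for illustration.

```python
"""Baseline-and-anomaly detection over constructed host-connection records.

Record format (assumed for this example): "day host user process dst_ip dst_port".
Days 1..BASELINE_DAYS establish what is normal; later days are inspected.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Legitimate admin / remote-access tools named in the findings, plus a few
# common ones (assumed list; lowercase process names).
ADMIN_TOOLS = {"securecrt.exe", "teamviewer.exe", "mstsc.exe", "psexec.exe", "ssh"}
# Ports an admin tool reaches when moving laterally (SSH, Telnet, RDP, SMB, TeamViewer).
ADMIN_PORTS = {22, 23, 3389, 445, 5938}
# Distinct never-before-seen internal hosts one source must reach to be flagged.
FANOUT_THRESHOLD = 3
# RFC 1918 only; loopback and other special ranges are ignored for simplicity.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Parse one record into a dict; ports and days become ints."""
    day, host, user, proc, dst, port = line.split()
    return {"day": int(day), "host": host, "user": user,
            "proc": proc.lower(), "dst": dst, "port": int(port)}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(events):
    """Record which (user, tool) pairs and (host, destination) pairs are normal."""
    base = {"user_tool": set(), "host_dst": set()}
    for e in events:
        base["user_tool"].add((e["user"], e["proc"]))
        base["host_dst"].add((e["host"], e["dst"]))
    return base


def detect(lines, baseline_days):
    """Return a list of alert tuples for records after the baseline window."""
    events = [parse(l) for l in lines]
    base = build_baseline(e for e in events if e["day"] <= baseline_days)
    alerts = []
    new_internal_dsts = defaultdict(set)  # host -> new internal admin-port targets
    for e in (e for e in events if e["day"] > baseline_days):
        if e["proc"] not in ADMIN_TOOLS:
            continue  # browsers etc. need their own rules; out of scope here
        key = (e["user"], e["proc"])
        if key not in base["user_tool"]:
            # "New admin behavior": this user never used this admin tool before.
            alerts.append(("new_admin_behavior", e["user"], e["proc"], e["host"]))
            base["user_tool"].add(key)  # alert once per new pair, not per packet
        if (e["host"], e["dst"]) in base["host_dst"]:
            continue  # a destination this host already talked to is normal
        if is_internal(e["dst"]) and e["port"] in ADMIN_PORTS:
            new_internal_dsts[e["host"]].add(e["dst"])
        elif not is_internal(e["dst"]):
            # A remote-access tool reaching an outside address the host never
            # contacted before: a candidate command-and-control tunnel.
            alerts.append(("c2_tunnel_candidate", e["host"], e["proc"], e["dst"], e["port"]))
    for host, dsts in new_internal_dsts.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            # "Lateral movement": one source fanning out to many new internal hosts.
            alerts.append(("lateral_movement", host, len(dsts)))
    return alerts


# Constructed sample: alice is an admin who normally uses SecureCRT; bob is not.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the Internet.
SAMPLE_LOG = [
    "1 ws-alice alice securecrt.exe 10.0.1.10 22",
    "2 ws-alice alice securecrt.exe 10.0.1.11 22",
    "3 ws-bob bob teamviewer.exe 203.0.113.10 5938",
    "5 ws-bob bob chrome.exe 203.0.113.50 443",
    "8 ws-bob bob securecrt.exe 10.0.1.10 22",
    "8 ws-bob bob securecrt.exe 10.0.1.12 22",
    "8 ws-bob bob securecrt.exe 10.0.1.13 22",
    "8 ws-bob bob teamviewer.exe 198.51.100.7 5938",
    "8 ws-alice alice securecrt.exe 10.0.1.10 22",
    "8 ws-alice alice chrome.exe 203.0.113.99 443",
]


def run_sample():
    return detect(SAMPLE_LOG, baseline_days=7)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Alice's day-8 SSH session produces nothing because both the (user, tool) pair and the destination are in her baseline; Bob's identical-looking sessions raise all three alerts. That asymmetry is the whole point of the findings: the same SecureCRT connection is benign or hostile depending on who is driving it and where it goes, so the baseline, not the tool name, carries the detection.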
For a copy of the report go to: http://lightcyber.com/cyber-weapons-report-network-traffic-analytics-reveals-attacker-tools/