A Disturbing Trend in Ransomware Attacks: Legitimate Software Abuse
When discussing ransomware groups, too often the focus is on their names, such as Noberus, Royal or AvosLocker, rather than the tactics, techniques, and procedures (TTPs) used in an attack before ransomware is deployed. For example, the particularly heavy use of legitimate software tools in ransomware attack chains has been notable in recent times. In fact, we rarely see a ransomware attack that doesn’t use legitimate software.
Staying Under the Radar: Why Abuse Is Rampant
Ransomware attacks remain a major cybersecurity problem. Ransomware actors, like threat actors in general, are abusing legitimate software for a number of reasons. First is a desire for stealthiness — they’re trying to get into and out of networks as quickly as possible without being discovered. Leveraging legitimate software can allow attackers’ activity to remain hidden, which may allow them to achieve their goals on a victim network without being discovered. Legitimate software misuse also can make attribution of an attack more difficult, and these tools can also lower barriers to entry. This means less-skilled hackers may still be able to conduct quite wide-ranging and disruptive attacks.
The legitimate tools we most commonly see being used by malicious actors are remote monitoring and management (RMM) tools, such as AnyDesk, Atera, TeamViewer, ConnectWise, and more. In fact, the use of RMM software by malicious actors was considered serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert about this kind of. As recently as February this year, the Symantec Threat Hunter team saw ConnectWise used in both Noberus and Royal ransomware attacks. These tools are commonly used legitimately by IT departments in small, midsize, and large organizations.
Rclone, a legitimate tool for managing content in the cloud, was also used in a Noberus attack recently. In this particular case, attackers used Rclone to exfiltrate files because their earlier attempt to exfiltrate data, using their own custom ExMatter tool, had failed because it was blocked by security software.
AdFind, a legitimate free command-line query tool that can be used for gathering information from Active Directory, is also frequently used by ransomware attackers, who use it to map a network. PDQ Deploy, a tool that sysadmins use to apply patches, is also often abused by attackers, who use it to drop scripts onto victim networks quite efficiently. It’s not just legitimate tools that are used for malicious purposes by ransomware actors. For example, multiple state-sponsored groups have used legitimate cloud infrastructure such as Google Drive, Dropbox, OneDrive, and others for command-and-control (C&C) infrastructure and to exfiltrate and store stolen data.
Stay Vigilant
Attacks that leverage legitimate software and infrastructure present a particular challenge for both defenders and organizations. A blunt-instrument approach such as blocking the service or tool doesn’t work in these kinds of cases.
And this problem isn’t going away. With every new technology, bad actors will find a way to use it for their own nefarious purposes. For example, a few years ago the cloud wasn’t necessarily a big feature in many organizations. Now, obviously, as more data is moving to the cloud, the infrastructure itself is being used for malicious means, and legitimate tools for use in the cloud, such as Rclone, are being misused by attackers.
To reduce the risk of misuse of legitimate software, organizations should take the following steps:
Improve visibility: The old approach of simply detecting, blocking, and deleting malicious files is no longer sufficient to protect your organization in a cyber-threat landscape where legitimate tools, dual-use tools, and legitimate infrastructure are increasingly being used by malicious actors. Organizations need to have a comprehensive view of their network — they need to know what software is installed on their networks. If unauthorized legitimate tools are found, treat that discovery with the highest priority.
Implement least privilege: User permissions should be kept to a minimal level, without impacting user experience, so that if an attacker gains access to a machine or account, it doesn’t mean they can necessarily spread widely across the network, or that they can access everything that’s on the computer, or the network.
Go beyond malware detection: Since bad actors are often leveraging legitimate software, it’s important that organizations use a security solution that can detect and analyze suspicious behavior — and stop it. Vigilance within an organization is also key. You need to build a culture of security at your organization so that everyone is on the lookout for any kind of suspect behavior that might occur.
To read more from the Threat Hunter team at Broadcom go here: https://symantec-enterprise-blogs.security.com/blogs/
About Brigid O’Gorman:
O’Gorman
Brigid O’Gorman is a Senior Intelligence Analyst on the Symantec Enterprise Threat Hunter Team, part of Broadcom. She works with other security experts within Symantec to investigate targeted attacks, ransomware and other cybercrime. The team drives enhanced protection in Symantec products, and offers analysis and insights to help customers and more respond to malicious attacks.