Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques.
Researchers at security startup LightCyber found that 99 per cent of post-intrusion attack activities did not employ malware, but rather standard networking, IT administration and other legitimate tools. Because such tools blend in with normal administrative traffic, attackers can use them to conduct "low and slow" activity without tripping signature-based or malware-focused defences.
Once inside a network, an attacker must learn about its layout and map its resources and vulnerabilities in order to locate and steal sensitive data or gain control of network admin or accounting systems, typical goals for both cyberspies and profit-motivated cybercriminals.
LightCyber found that attackers commonly use standard administrator and remote desktop tools for reconnaissance and lateral movement rather than, as might be imagined, malware.
Angry IP Scanner, an IP address and port scanner, was the tool most often associated with attack behaviour, followed closely by Nmap, a network discovery and security auditing tool. Angry IP Scanner alone accounted for 27.1 per cent of the incidents involving the top 10 networking and hacking tools observed in the study. SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attacks, representing 28.5 per cent of incidents.
Remote desktop tools TeamViewer and WinVNC were commonly used to move laterally (from machine to machine) around networks after a foothold had been gained through spear-phishing or other techniques. Attackers also took advantage of ordinary end-user programs such as web browsers, file-transfer clients and native system tools for command-and-control and data exfiltration. The most mundane applications, in the wrong hands, can be put to malicious use, LightCyber notes.
The study involved an analysis of network activity gathered from the LightCyber Magna Behavioural Attack Detection platform over a six-month period, so the figures reflect what one vendor's sensors detected in its customers' networks rather than an independent sample. Organisations that participated in the study ranged in size from 1,000 to 50,000 endpoints, spanning industries such as finance, healthcare, transportation, government, telecommunications and technology.
The highest frequency of attacker activity identified after assessing all this attack data was reconnaissance, followed by lateral movement and then command-and-control communication. The most common attack tools observed in the study were classified into the following four categories: networking and hacking tools, admin tools, remote desktop tools and malware.
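The practical consequence of these findings is that defenders cannot rely on spotting malware; they have to spot the behaviour. The script below is an added example, not code from LightCyber or from its Magna platform: it runs a simple behavioural detector over a handful of constructed connection records (timestamp, source, destination, destination port) and flags the three activities the study ranks highest: port scanning and host sweeps (reconnaissance) and hops over remote-access ports (lateral movement). The tool-to-port mapping, the thresholds and the 24-hour window, chosen deliberately long so that "low and slow" probing still accumulates, are all assumptions for illustration, as are the sample IP addresses.

```python
"""Behavioural detection of reconnaissance and lateral movement in flow logs.

Added example, not code from the LightCyber report. The flow records below are
constructed inline to mimic the behaviour the article describes; the thresholds
and the tool-to-port mapping are assumptions, not values from the study.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default ports of the remote-access/admin tools the article names (assumed):
# SSH/Telnet (SecureCRT), RDP, VNC (WinVNC) and TeamViewer's direct-connect port.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5938: "teamviewer"}

WINDOW = timedelta(hours=24)  # long window so "low and slow" probing still accumulates
VERTICAL_PORTS = 15           # distinct ports on one destination  -> port scan
HORIZONTAL_HOSTS = 10         # distinct destinations on one port  -> host sweep
LATERAL_HOSTS = 3             # distinct destinations over admin ports -> lateral movement


def parse_record(line):
    """'2016-03-01T08:00:00 10.0.1.25 10.0.2.10 22' -> (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect(lines, window=WINDOW):
    """Return sorted (src, kind, target) findings using a sliding time window per source."""
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ts, src, dst, port = parse_record(line)
            per_src[src].append((ts, dst, port))

    findings = set()
    for src, recs in per_src.items():
        recs.sort()
        start = 0
        for end, (ts, _, _) in enumerate(recs):
            while ts - recs[start][0] > window:   # drop records older than the window
                start += 1
            ports_by_dst, dsts_by_port, admin_dsts = defaultdict(set), defaultdict(set), set()
            for _, dst, port in recs[start:end + 1]:
                ports_by_dst[dst].add(port)
                dsts_by_port[port].add(dst)
                if port in ADMIN_PORTS:
                    admin_dsts.add(dst)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= VERTICAL_PORTS:
                    findings.add((src, "port-scan", dst))
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= HORIZONTAL_HOSTS:
                    findings.add((src, "host-sweep", f"port {port}"))
            if len(admin_dsts) >= LATERAL_HOSTS:
                findings.add((src, "lateral-movement", "admin ports"))
    return sorted(findings)


def constructed_log():
    """Invented flow records ('timestamp src dst dport'), not data from the study."""
    t0 = datetime(2016, 3, 1, 8, 0, 0)
    lines = []
    # Low-and-slow port scan: 20 ports on one server, one probe every 36 minutes.
    for i, port in enumerate(range(20, 40)):
        lines.append(f"{(t0 + timedelta(minutes=36 * i)).isoformat()} 10.0.1.25 10.0.2.10 {port}")
    # Host sweep: SMB port 445 probed on a dozen hosts of a neighbouring subnet.
    for i in range(12):
        lines.append(f"{(t0 + timedelta(hours=13, minutes=5 * i)).isoformat()} 10.0.1.25 10.0.3.{i + 1} 445")
    # Lateral movement: one workstation hopping onward via RDP, VNC, TeamViewer and SSH.
    for i, port in enumerate((3389, 5900, 5938, 22)):
        lines.append(f"{(t0 + timedelta(hours=2 * i)).isoformat()} 10.0.1.40 10.0.4.{i + 5} {port}")
    # Benign web traffic from a third workstation, which should produce no finding.
    for i in range(8):
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} 10.0.1.77 10.0.5.20 {443 if i % 4 else 80}")
    return lines


if __name__ == "__main__":
    for src, kind, target in detect(constructed_log()):
        print(f"{src:12} {kind:17} {target}")
```

Run stand-alone, the script reports a port scan and a host sweep from 10.0.1.25 and lateral movement from 10.0.1.40, and nothing for the workstation browsing the web. None of that is keyed on a tool name or a file hash: Angry IP Scanner, Nmap and a hand-typed loop of `ssh` commands all leave the same footprint in the connection log, which is the point the study makes. In production the same logic would run over Zeek `conn.log` or firewall flow exports, with thresholds tuned per network segment to keep legitimate administrators and vulnerability scanners off the list.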
More than 70 per cent of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customised, targeted malware, according to LightCyber.