SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Data Analytics
#
Ransomware
#
Cyber attacks

Cybercriminals use legitimate software for attacks increasing

Fri, 6th Sep 2024
Author image
By Kaleah Salmon, Journalist

An analysis by ReliaQuest has revealed that cybercriminals are increasingly utilising legitimate software to breach organisational security. The study found that between January and August 2024, 60% of critical incidents involved the use of legitimate IT tools for malicious purposes, a 16% increase from the same period seen in 2023.

The report underscores the growing trend of attackers adopting legitimate tools to evade security measures and deceive security personnel. These tools are used for various malicious activities, including spreading ransomware, conducting network scanning, lateral movement within networks, and establishing command-and-control (C2) operations. Among the tools identified in the report are PDQ Deploy, PSExec, Rclone, SoftPerfect, AnyDesk, ScreenConnect, and WMIC.

A series of case studies detailed in the report highlights specific incidents involving these tools. Between September 2023 and August 2024, 22 posts on various criminal forums discussed or shared cracked versions of the SoftPerfect network scanner. For instance, an August 2024 thread on XSS titled "nmap binary for Windows or an alternative" saw users recommending SoftPerfect as a viable option for network scanning.

Remote management and monitoring (RMM) tools like AnyDesk and ScreenConnect are also prominently featured in criminal discussions. An August 2024 post on the RAMP forum described using AnyDesk during a penetration test and recommended disabling secure logon for successful connections. Initial Access Brokers (IABs) frequently sell access to networks through these established remote management and monitoring tool connections.

The report notes that ransomware groups commonly use Windows utilities such as PSExec and WMIC to propagate their ransomware encryptors. A notable example is the Medusa ransomware group's use of PDQ Deploy. By leveraging a compromised administrator account, the attacker used PDQ Deploy to blend in with existing PDQ tools in the environment, avoiding detection.

In an incident from April 2023, ReliaQuest responded to an attempted ransomware deployment in a customer environment. Despite being less recent, this case is significant due to the attacker's lateral movement technique. The attacker downloaded the automated software deployment tool Total Software Deployment (TSD) to install the RMM tool ScreenConnect on multiple hosts. This installation facilitated lateral movement, enabling connections to any compromised host with ScreenConnect installed.

The increasing use of legitimate software for malicious purposes poses a significant challenge for cybersecurity professionals. As attackers continue to find ways to bypass security measures using tools that appear benign, organisations must remain vigilant and adopt more sophisticated detection and response strategies to protect their networks.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Radware reports web DDoS attack activity
ReliaQuest reveals sophisticated Inc Ransom tactics in attack analysis
Gen report reveals sharp rise in AI-powered cyberattacks
Kaspersky: Cyberattacks on young gamers surge by 30%
Apple iPhone 16 launch triggers wave of scams – Kaspersky
Top stories
Titans of Tech - Kip Compton of Fastly
SentinelOne named among best workplaces in technology for 2024
CrowdStrike & 1Password extend partnership to aid SMBs
Indonesia's Kominfo teams with Indosat & Mastercard for academy
Insider threats highlighted, calls for enhanced security measures