When your own tools attack: The top 5 offenders

Robert Lemos, Freelance writer

Earlier this year, a group of cyber criminals started attacking companies using a hodgepodge of techniques, leaving behind references to the movie The Matrix, and encrypting critical enterprise systems with ransomware.

The attack, dubbed "MegaCortex" by antivirus vendor Sophos, appears to come from compromised domain controllers that the attackers may have accessed using stolen admin credentials. Once inside, the attackers use the common technique of using tools already on the compromised system—known as "living off the land"—to avoid detection.

The group, for example, used the command-line interface in PowerShell, available on all Microsoft Windows systems. With PowerShell, they decoded and ran an obfuscated script that sets up a backdoor into the system, and then used Windows Management Instrumentation (WMI) software to automate infection of other machines on the network.

Such techniques are becoming increasingly common, and there is no shortage of tools that can be co-opted for attackers' purposes, said John Shier, senior security advisor at Sophos.

"There are upwards of 100 different tools that are potential candidates for use by attackers to automate their attacks. They are using the Windows system's own tools against it."
John Shier

Here are the top tools attackers are turning against your enterprise systems.

1. PowerShell

When a Windows system is the target of an attack, PowerShell is often the go-to resident tool for the attacker. Like the Bash shell on Linux systems, PowerShell lets an attacker create scripts that can automate the task of compromising systems.

In 2010, two security professionals—Dave Kennedy and Josh Kelly—highlighted the usefulness of PowerShell as a post-exploitation technique during a talk at DEFCON 18. In 2011, another security professional, Matt Graeber, wrote a description of his own foray into post-exploitation PowerShell coding, complete with an example in a post on his blog.

The script developed by Graeber has found its way into many public tools for loading code into memory to avoid writing it to disk, said Ryan Olson, vice president of threat intelligence for Palo Alto Networks.

"PowerShell is built into all Windows systems since Windows 7, which means there will always be a powerful scripting engine that can access resources on any Windows host they can access."
Ryan Olson

2. Docker

For many developers and operations professionals, Docker is a tool that allows containers to be spun up quickly to work inside a customized application environment. It can also be used to test an application under development before the software is moved to production.

However, attackers can use malicious Docker containers to run code inside a corporate network if developers are not careful about which images they use as the basis of their containers. While containers by design cannot access the host's software without explicit permission, they could scan the network for additional systems to infect, or carry out other tasks, said Adam Meyers, vice president of threat intelligence for Crowdstrike, a security-services firm.

"It is a fantastic tool, but if the image isn't secure or they have things on an image that do not have to be there, or they have a vulnerability, then it is something the attacker could potentially take advantage of."
Adam Meyers
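The risk Meyers describes starts with the base image a build pulls in. The following is an added example, not code from the article or from Docker: a small Python check that reads a Dockerfile and flags every `FROM` line whose image comes from outside an allowlist of trusted sources or is not pinned by digest. The registry names in the allowlist and the sample Dockerfile are constructed for the example.

```python
import re

# Hypothetical allowlist: an internal registry plus the Docker Hub official
# ("library") namespace. Entries are either a registry or registry/namespace.
ALLOWED_SOURCES = {"registry.example.internal", "docker.io/library"}

# FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)


def split_reference(ref):
    """Split 'registry/repo:tag@digest' into (registry, repo, tag, digest).

    Follows Docker's rules: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the image lives on
    docker.io, and a bare name such as 'python' means 'library/python'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", ref if "/" in ref else "library/" + ref
    tag = None
    if ":" in repo.rsplit("/", 1)[-1]:      # a ':' in the last component is a tag
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest


def check_dockerfile(text):
    """Return [(line_no, reference, [issues])] for every untrusted or unpinned FROM."""
    findings = []
    stages = set()                           # aliases of earlier build stages
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # 'scratch' and references to earlier stages pull nothing from a registry
        if ref.lower() != "scratch" and ref.lower() not in stages:
            registry, repo, tag, digest = split_reference(ref)
            issues = []
            namespace = registry + "/" + repo.split("/")[0]
            if registry not in ALLOWED_SOURCES and namespace not in ALLOWED_SOURCES:
                issues.append("untrusted source " + registry + "/" + repo)
            if digest is None:
                issues.append("not pinned by digest")
                if tag in (None, "latest"):
                    issues.append("floating tag " + (tag or "<none>"))
            if issues:
                findings.append((lineno, ref, issues))
        if alias:
            stages.add(alias.lower())
    return findings


# Constructed sample Dockerfile (the digest is a placeholder, not a real image).
SAMPLE_DOCKERFILE = "\n".join([
    "FROM registry.example.internal/base/python:3.12@sha256:" + "0123456789abcdef" * 4 + " AS build",
    "WORKDIR /app",
    "COPY . .",
    "RUN pip install --no-cache-dir .",
    "FROM someuser/handy-tools:latest",          # line 5: unknown Hub user, floating tag
    "COPY --from=build /app /app",
    "FROM python:3.12",                          # line 7: official image, but no digest
    "RUN python -m compileall /app",
    "FROM build AS test",                        # stage reference, nothing pulled
])

if __name__ == "__main__":
    for lineno, ref, issues in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref}: {'; '.join(issues)}")
```

Run as a pre-commit or CI step, the check turns "take care about which images you use" into a gate: a build fails until every base image comes from a trusted namespace and is pinned by digest rather than by a tag that can be repointed.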

3. WMI

This Windows management interface provides access to configuration and status information about a system, which makes it a useful conduit for an attacker to learn more about the machines on a network and to automate further attacks.

WMI has been used by criminal attackers and nation-state adversaries alike, said Meyers.

"Really anything that the adversary can get access to, and can issue commands to and have it perform actions, is going to be of potential value to them."
—Adam Meyers

4. VBScript

The Visual Basic Scripting (VBScript) language is used by Microsoft system administrators to automate the management of computers with a Visual Basic-like syntax. But VBScript is also a common way for attackers to automate the infection of a system, especially when they embed it in an Office document.

Protecting against attacks using VBScript and other tools requires that security administrators weigh the benefits of the tools versus their risk, said Palo Alto Networks' Olson.

"For a lot of the tools like PowerShell and VBScript, limiting their use and their usefulness is important. Create whitelists and blacklists for these tools. You can limit their use to only certain systems or certain functions."
Ryan Olson

5. Compression tools

A key step for any attacker is to get data off the targeted system, so they will often use a compression tool already on the system, which not only shrinks the data but obscures its contents as well. There are a variety of common tools they can co-opt for this.

"For data exfiltration, attackers typically need to archive files before sending them to another location," Olson said. "They can achieve this using the built-in compression functions in Windows, or look for other installed tools like 7-Zip or WinRAR."
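Because the tools in this list are legitimate, the defensive question is not whether they run but who launched them and with what arguments. The following is an added example, not code from the article or from any of the vendors quoted: a Python detector run over constructed process-creation records (Sysmon Event ID 1 style, flattened to one line each) that covers the four Windows patterns the article describes: an encoded PowerShell command whose decoded body loads code in memory, a shell spawned by the WMI provider host, a script host launched by an Office application, and an archiver building a password-protected archive ahead of exfiltration. The field layout, the marker lists and the sample events are assumptions made for the example.

```python
import base64
import binascii
import re

# Strings that commonly appear in decoded PowerShell loaders that run code from
# memory rather than from disk (the behaviour the article attributes to the
# Graeber-style scripts). Assumed list; tune it to your own telemetry.
MEMORY_LOAD_MARKERS = ("FromBase64String", "Invoke-Expression", "IEX",
                       "DownloadString", "Reflection.Assembly", "VirtualAlloc")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
ARCHIVERS = ("7z.exe", "7za.exe", "rar.exe", "winrar.exe")

# -EncodedCommand and its abbreviations, followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]{16,})")
# 7-Zip/WinRAR password switches: -p<pass> and WinRAR's -hp<pass>
PASSWORD_SWITCH = re.compile(r"\s-h?p\S")


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("|"):      # constructed records never contain '|' in values
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # 1. PowerShell: encoded command; escalate if the decoded body loads code in memory
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits = [mk for mk in MEMORY_LOAD_MARKERS if mk.lower() in decoded.lower()]
            rule = "powershell_memory_loader" if hits else "powershell_encoded_command"
            findings.append((rule, ", ".join(hits) or decoded[:80]))

    # 2. WMI: WmiPrvSE.exe hosts WMI providers; a shell or script host with it as
    #    parent was started through WMI, often from another machine
    if parent == "wmiprvse.exe" and image in SHELLS + SCRIPT_HOSTS:
        findings.append(("wmi_spawned_shell", image))

    # 3. VBScript delivered via Office: a script host launched by an Office application
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(("office_spawned_script_host", f"{parent} -> {image}"))

    # 4. Archiver creating a password-protected archive: the usual staging step before
    #    data leaves the system
    if image in ARCHIVERS and PASSWORD_SWITCH.search(cmdline):
        findings.append(("archiver_password_protected", image))

    return findings


def scan(lines):
    """Run every rule over a list of records; return [(ProcessId, findings)] for hits."""
    results = []
    for line in lines:
        event = parse_event(line)
        findings = analyze_event(event)
        if findings:
            results.append((event.get("ProcessId", "?"), findings))
    return results


# Constructed sample records (not from any real incident). The encoded body is
# built here so the base64 is guaranteed to be well-formed UTF-16LE.
_BODY = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQ==')))"
_ENC = base64.b64encode(_BODY.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=notepad.exe C:\\Users\\alice\\notes.txt|ProcessId=4100",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=powershell.exe -nop -w hidden -enc " + _ENC + "|ProcessId=4480",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|"
    "CommandLine=powershell.exe -c whoami|ProcessId=5212",
    "Image=C:\\Windows\\System32\\wscript.exe|"
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "CommandLine=wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs|ProcessId=6004",
    "Image=C:\\Program Files\\7-Zip\\7z.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=7z.exe a -pSecret C:\\Users\\Public\\out.7z C:\\Users\\alice\\Documents|ProcessId=7120",
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS):
        print(pid, findings)
```

Each rule keys on the relationship between parent, image and arguments rather than on the tool itself, which is what keeps a detection for "living off the land" from paging on every administrator who opens PowerShell. The memory-loader rule is the one Olson's point about limiting PowerShell speaks to: with script block logging enabled, the same marker list can be run over the logged script text instead of the command line.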

These common tools are not the only ways attackers extend a compromise beyond an infected system. Developers also have to beware of knowledgeable attackers who insert malicious code into the development pipeline itself, as in recent attacks against gaming companies.

In those cases, attackers took the compiler and booby-trapped it such that when the developers were compiling the code, it would put some special sauce in there—a backdoor, said Sophos' Shier.

"Just because it is not PowerShell or WMI does not mean that an attacker with enough skill can't get into your environment and add a DLL into your path that ends up adding a backdoor to your code."
—John Shier

Mooching off your systems

While the term "living off the land," as applied to cybersecurity, is somewhat new, the technique is not. In 1986, as chronicled in the book The Cuckoo's Egg, an attacker from West Germany broke into computers at Lawrence Livermore National Laboratory and attacked a variety of other government and military computers, mostly using tools already on the systems.

Yet the current increase in the technique's use marks a reversal in the trend of a decade ago, when attackers used custom malware. With more companies using defensive systems that can detect malicious custom software, attackers are focused on using existing tools in malicious ways, said Crowdstrike's Meyers.

"From a threat actor perspective, they want to increase the time before detection so that they can move off that system. And by living off the land and using the tools that are already on the system, they can kind of avoid a lot of the legacy antivirus-type solutions."
—Adam Meyers
