Cyber criminals use legitimate software to conceal malicious activities

Staff Writer
By Staff Writer, ITWeb
Johannesburg, 20 Oct 2023
Dale de Kok, systems engineer at Fortinet Southern Africa.
Dale de Kok, systems engineer at Fortinet Southern Africa.

Cyber criminals have moved on from a ‘smash-and-grab’ approach and now use data to plan and execute attacks, says Dale de Kok, systems engineer at Fortinet Southern Africa.

He says threat actors are trying harder to understand their victims’ environments to maximise profits per attack. “In the past, cyber crime was like a quick theft on the street, where a robber would snatch your bag from your car and flee. Nowadays, they also take your car, address, and house keys for a robbery of higher value.”

Cyber criminals are increasingly using legitimate business software to blend in and camouflage themselves.

“Once they gain initial access through compromised endpoints or e-mail, they rely on embedded applications like PowerShell or DLL files for lateral movement,"says De Kok. "This allows them to download payloads from the internet and directly inject them into memory.”

As businesses have improved their data backup capabilities, attackers have also adapted their methods

“Attackers know defenders have better backups, so they moved to extortion and stealthy lateral movement to access more of the environment. If they exfiltrate the data of every system or move to EXSI [VMware’s bare-metal virtualisation tool] or hypervisor servers and encrypt the entire environment, they could cripple you. They are finding ways to guarantee you will pay. The longer they are inside your organisation, the higher the cost to remediate that. After six months, you might have to scrap the entire environment and build it again from scratch.”

Detecting the use of these embedded apps and binaries, which are part of the operating system, has become more challenging. “While increased monitoring can help identify anomalous behaviour in such attacks, it also leads to a higher volume of noise being generated,” warns De Kok.

Using stealth for defence

He emphasises the importance of comprehensive visibility – understanding your environment, its devices, vulnerabilities, and security checkpoints.

Fortinet urges organisations to track attackers across the kill chain, relying on threat intelligence and digital protection services for early threat detection.

Key security measures include securing external systems, network segmentation, multi-factor authentication, and adopting Zero Trust Network Access (ZTNA). 

To tackle the more sophisticated reconnaissance conducted by attackers, organisations need to use deception technologies to lure attackers, deploying fake Windows servers or business applications that appear. “This triggers alerts, providing early warning signs,” De Kok explains. “Deception offers a straightforward and cost-effective solution. It uses automation to react to high fidelity alerts and takes compromised devices off the network.”

Quick wins

While multi-layered security and ZTNA are important security goals, achieving these are long-term projects, De Kok says.

“You can’t just flick a switch and turn on ZTNA. Achieving it is a lengthy process that doesn’t happen overnight. However, there are some ‘quick wins’ that can immediately improve your security posture and contribute to your broader cyber security objectives.”

Centralised logging is an example of a ‘quick win’ and, according to De Kok, is probably one of the easiest. “It helps you build up the asset register, get a view of the environment, and generate data necessary for incident response if you get hacked. It’s also a passive rollout compared to endpoint solutions and ZTNA, which take planning and can have friction points.”