Remote Administration Tools Bring Unexpected Threat to Industrial Network
Legitimate remote administration tools (RATs) pose a serious threat to industrial networks. They are installed on 31.6% of ICS computers, but often go unnoticed until the organisation's security team discovers that criminals have been using a RAT to install ransomware or cryptocurrency-mining software, or to steal confidential information or even money.
According to Kaspersky Lab ICS CERT, RATs are incredibly widespread across all industries: nearly one third of ICS computers protected by Kaspersky Lab products have RATs installed on them.
According to the researchers, malicious users utilize RATs to:
- Gain unauthorized access to the targeted network.
- Infect the network with malware for espionage, sabotage, or illegal financial gain, whether through ransomware operations or by reaching financial assets via the compromised network.
The most significant threat posed by RATs is that they let an attacker obtain elevated privileges on the compromised system. Control of a RAT is often gained through a basic brute-force attack: guessing the password by trying candidate combinations until the correct one is found. While brute force is one of the most popular ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself.
How to reduce the risk of cyberattacks involving RATs
- Audit the use of application-level and system-level remote administration tools on the industrial network. Remove all remote administration tools that are not required by the industrial process.
- Audit and disable the remote administration tools bundled with ICS software, provided that they are not required by the industrial process.
- Closely monitor and log events for each remote-control session required by the industrial process.
- Remote access should be disabled by default and enabled only upon request and only for limited periods of time.
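As an added example (not code from the article or from Kaspersky Lab ICS CERT), the following Python script shows what the audit and monitoring steps above look like in practice: it reads a constructed remote-session log, flags tools outside an allowlist of those the industrial process requires, and detects the password brute-force bursts the researchers describe, including a successful login that follows such a burst. The log format, tool names, allowlist and thresholds are all assumptions made for illustration.

```python
"""Audit remote-administration sessions on an industrial network.

Added example, not code from the article. It reads a constructed session
log, flags remote-administration tools outside the approved allowlist, and
detects password brute-force bursts against the tools that are allowed.
The log format, tool names, allowlist and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: only these tools are required by the industrial process.
APPROVED_TOOLS = {"RDP"}

# Assumption: this many failed logins from one source inside WINDOW is a
# brute-force attempt; tune to the site's real operator behaviour.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed sample log: time, tool, source IP, user, result.
SAMPLE_LOG = """\
2023-05-01T10:00:01 RDP 10.0.0.5 operator SUCCESS
2023-05-01T10:03:00 VNC 10.0.0.9 vendor SUCCESS
2023-05-01T10:05:00 RDP 203.0.113.7 admin FAILURE
2023-05-01T10:05:10 RDP 203.0.113.7 admin FAILURE
2023-05-01T10:05:20 RDP 203.0.113.7 administrator FAILURE
2023-05-01T10:05:30 RDP 203.0.113.7 root FAILURE
2023-05-01T10:05:40 RDP 203.0.113.7 plc FAILURE
2023-05-01T10:05:55 RDP 203.0.113.7 plc SUCCESS
2023-05-01T11:00:00 RDP 10.0.0.5 operator FAILURE
2023-05-01T11:30:00 RDP 10.0.0.5 operator SUCCESS
"""


def parse_log(text):
    """Parse one session event per line, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tool, src, user, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "tool": tool,
                       "src": src, "user": user, "result": result})
    return sorted(events, key=lambda e: e["time"])


def find_unapproved(events, approved=APPROVED_TOOLS):
    """Every (tool, source) pair using a tool the process does not require."""
    return sorted({(e["tool"], e["src"]) for e in events
                   if e["tool"] not in approved})


def find_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per (source, tool).

    One alert per pair, reporting the usernames tried and whether a login
    from that source succeeded after the burst (a likely compromise).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        bucket = failures if e["result"] == "FAILURE" else successes
        bucket[(e["src"], e["tool"])].append(e)

    alerts = []
    for (src, tool), fails in failures.items():
        recent = deque()
        for e in fails:
            recent.append(e)
            # Drop failures that fell out of the time window.
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                burst_end = e["time"]
                alerts.append({
                    "src": src,
                    "tool": tool,
                    "failures": len(recent),
                    "users_tried": sorted({f["user"] for f in recent}),
                    "success_after_burst": any(
                        s["time"] > burst_end for s in successes[(src, tool)]),
                })
                break
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for tool, src in find_unapproved(evts):
        print(f"UNAPPROVED TOOL  {tool} used from {src}")
    for a in find_brute_force(evts):
        print(f"BRUTE FORCE      {a['src']} via {a['tool']}: "
              f"{a['failures']} failures, users {a['users_tried']}, "
              f"success afterwards: {a['success_after_burst']}")
```

Run against the sample, the script reports VNC in use from a host that is not on the allowlist, and a burst of five failed RDP logins from 203.0.113.7 that cycles through several usernames and is followed by a successful login. The allowlist is the product of the audit in the first two steps; the brute-force signal comes from the per-session logging in the third, which is why those logs need to be collected centrally rather than left on the engineering workstation.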
Cloud Hosted Service used to deliver Malware to Steal Cryptocurrency Wallet
Attackers abuse cloud hosting services to distribute stealer malware, placing it alongside legitimate files so that the hosting domain does not get blacklisted.
The stealer particularly targets the Bitcoin, Electrum and Monero cryptocurrency wallets.
The weaponized Word documents contain an obfuscated malicious macro that executes once the document is opened and issues an HTTP request to download the stealer without the user's consent.
The malware package is custom-packed and decrypts itself at runtime. Upon execution it collects details such as the machine ID, executable path (EXE_PATH), Windows version, computer name and username, screen and layout details, local time and CPU model from the system and submits them to the C&C server.
Its C&C server address is hardcoded. On the infected machine, the malware searches the default locations where digital wallets are stored, along with browser cookies and the saved login details of popular applications such as Pidgin, WinSCP and Psi+.
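As an added example (not code from the article or from the researchers who analysed the stealer), the following Python script shows one way to catch the download step described above when the hosting domain itself cannot be blocked: it looks at which process made the request rather than where it went. The telemetry format and sample records are constructed, and the process and content-type lists are assumptions.

```python
"""Flag payload downloads by the process that made them, not by domain.

Added example, not code from the article or the researchers it cites. The
campaign described above hosted its stealer on a legitimate cloud service
next to benign files, so a domain blocklist does not help; what stands out
is an Office process fetching an executable. The telemetry format (one
key=value record per line) and the sample records are constructed.
"""

# Assumption: processes that should never download executable content
# on their own; a macro that fetches its payload runs inside one of these.
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# Assumption: content types and name suffixes that mean "runnable payload".
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".hta")

# Constructed sample endpoint telemetry; hostnames are placeholders.
SAMPLE_TELEMETRY = """\
2023-06-02T09:14:03 host=eng-ws-12 proc=WINWORD.EXE parent=explorer.exe dst=files.example-cloud.net path=/u/8812/invoice_update.exe ctype=application/x-msdownload
2023-06-02T09:14:05 host=eng-ws-12 proc=chrome.exe parent=explorer.exe dst=files.example-cloud.net path=/u/1143/quarterly.pdf ctype=application/pdf
2023-06-02T09:20:11 host=eng-ws-07 proc=WINWORD.EXE parent=explorer.exe dst=templates.example-vendor.com path=/t/resume.dotx ctype=application/vnd.openxmlformats-officedocument.wordprocessingml.template
2023-06-02T09:31:40 host=eng-ws-03 proc=EXCEL.EXE parent=OUTLOOK.EXE dst=storage.example-cdn.com path=/d/9f3a/report ctype=application/octet-stream
"""


def parse_telemetry(text):
    """Parse 'timestamp key=value ...' records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"time": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def download_reasons(rec):
    """Why this record looks like a macro fetching its payload, if it does."""
    if rec.get("proc", "").upper() not in OFFICE_PROCESSES:
        return []
    reasons = []
    if rec.get("ctype") in EXECUTABLE_TYPES:
        reasons.append(f"office process received {rec['ctype']}")
    if rec.get("path", "").lower().endswith(EXECUTABLE_SUFFIXES):
        name = rec["path"].rsplit("/", 1)[-1]
        reasons.append(f"office process fetched {name}")
    return reasons


def find_macro_downloads(records):
    """Return (host, proc, dst, reasons) for each suspicious download."""
    hits = []
    for rec in records:
        reasons = download_reasons(rec)
        if reasons:
            hits.append((rec["host"], rec["proc"], rec["dst"], reasons))
    return hits


if __name__ == "__main__":
    for host, proc, dst, reasons in find_macro_downloads(
            parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"{host}: {proc} -> {dst}: " + "; ".join(reasons))
```

On the sample, the browser fetching a PDF from the same cloud host and Word fetching a template are left alone, while Word pulling an .exe and Excel (spawned from Outlook) pulling an untyped binary are both flagged. The same rule transfers to whatever endpoint or proxy telemetry records the originating process; the complementary signal, not shown here, is an Office process spawning a scripting host or the downloaded file as a child.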
Phishing is a fraud technique used to obtain sensitive data such as usernames, passwords and credit card details, which are then used to carry out further malicious activity.
Web Applications Are More Vulnerable Than You Think
According to the report, 44 percent of web applications are vulnerable to data leakage and security problems.
In other words, threat actors have easy access to the personal customer data those applications handle across a variety of verticals such as banking, e-commerce and communications.
How Cybercriminals Exploit Web Applications to Spread Malware?
The threat is not limited to direct attacks on the data a web application holds; cybercriminals can also use the application itself as a channel for launching malware attacks.
- The first way is to use a compromised application to infect its users and spread malware throughout enterprise networks.
- In another case, an attacker exploited a vulnerability in a web application to send phishing emails to bank employees.
How to Protect Web Applications?
- Security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC).
- Implement a web application firewall, bolster password management, deploy mobile application management features and install security plugins where available.