Hackers dig deeper, use network tools to do their dirty work


Hollywood tends to portray hackers as gifted programmers with the knack for concocting arcane lines of code to crack into computer systems.

Yet a broad definition of "hacking" is simply to access a computer and/or areas of a computer network without the proper authorization to do so.

In point of fact, many hacking campaigns are carried out with the use of very powerful, well-established hacking tools that are cost-free, widely available, and easy for anybody to master.

These include freeware and shareware to conduct:

  • Brute force password hacking to crack into accounts
  • Vulnerability scanning to find unpatched machines susceptible to infections
  • PC log monitoring to capture all activity from a targeted machine

Security firm CounterTack has discovered a twist to this pattern.


Criminal hackers on the cutting edge have begun to tap into the network administration tools built into the Microsoft Windows operating systems. They are using these built-in Windows services for the express purpose of probing wider and deeper into infiltrated networks and stealing data more quietly, says Michael Davis, chief technology officer at CounterTack.

Endpoints especially vulnerable

CounterTack supplies technology that enables its corporate and government clients to monitor and analyze malicious attacks against network endpoints: the desktops, servers and mobile devices used to conduct business.

Lately, CounterTack has intercepted campaigns designed to leverage Windows PowerShell for malicious purposes.

PowerShell is a command-line shell and scripting language built into Windows, designed for system administrators to run programs and execute scripted routines that manage Windows networks.

For instance, if an administrator needs to make a setting change on 1,000 or 10,000 computers, he or she could run a PowerShell script that systematically modifies all of those machines over PowerShell Remoting, without touching each one by hand.
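The bulk change described above, as an added example (this is illustrative code, not CounterTack's or Microsoft's): one scriptblock is fanned out to a list of hosts over PowerShell Remoting and the before/after state is collected so the change can be audited. It assumes WinRM is enabled on the targets and that you have administrative rights there; the hostnames and the registry setting chosen (forcing NTLMv2-only authentication) are placeholders.

```powershell
# Added example, not code from the article or from CounterTack.
# Assumes PowerShell Remoting (WinRM) is enabled on the targets and that the
# caller is a local administrator on each of them.
$Computers = @('WS-001', 'WS-002', 'WS-003')   # placeholder hostnames; supply your own list

# The change itself. Runs on each remote machine, returns a small audit record.
# Setting chosen for illustration: LmCompatibilityLevel = 5 (NTLMv2 only).
$Change = {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $before = (Get-ItemProperty -Path $path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    Set-ItemProperty -Path $path -Name LmCompatibilityLevel -Value 5 -Type DWord
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = (Get-ItemProperty -Path $path -Name LmCompatibilityLevel).LmCompatibilityLevel
    }
}

# Fan out in parallel (32 hosts at a time), keep going past unreachable hosts,
# and capture failures separately so nothing silently slips through.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $Change `
    -ThrottleLimit 32 -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Format-Table Computer, Before, After
$failed  | ForEach-Object { "FAILED: $($_.TargetObject) - $($_.Exception.Message)" }
```

The security-relevant point is that nothing in this pattern is specific to administration: the same `Invoke-Command` fan-out, with a different `$Change` body, is exactly how an intruder holding administrative credentials pushes a routine to every reachable machine, using a signed Microsoft binary rather than dropping a tool of their own.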

CounterTack is seeing instances where intruders are attempting to use PowerShell to widely deploy a malicious routine. Since the attackers are not writing or running a malicious program of their own, only the legitimate, Microsoft-signed PowerShell binary, there is no suspicious file for traditional signature-based antivirus and intrusion detection systems to flag.

The bad guys figured out that it makes great sense to simply leverage the tools Microsoft built into Windows to help companies operate more efficiently, Davis says.

"A knife from the kitchen drawer can be used to cut fruit," he says. "But in the wrong hands, it can be used to hurt somebody. There are a lot of knives in the Windows operating system that could be leveraged to do things like delete files, download data and exfiltrate data."

Another Windows service cyber criminals are taking advantage of is Remote Desktop Connection, Davis says. RDC, the built-in client for the Remote Desktop Protocol (RDP), enables interactive connections between computers sitting in different locations, say the company headquarters and a branch office. For an intruder holding valid credentials it provides the same thing: a full desktop session on a remote machine that looks, to the network, like an ordinary administrator at work.

Bad things happen below the radar

And, in perhaps the most sophisticated example of this trend, some criminals have mastered a technique to execute malicious routines in the random access memory, or RAM, of individual computers.

Malicious routines usually arrive as files written to the hard drive, or run inside the Web browser, of a targeted machine, and both places are watched by many types of detection systems. By contrast, malware that lives only in RAM is very difficult to detect and disappears once the computer gets rebooted, which also means a memory capture taken before the reboot may be the only forensic evidence that survives.
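Because the PowerShell, Remote Desktop and in-RAM techniques above leave little on disk, the practical place to look for them is in Windows' own event logs. The following is an added example, not CounterTack's product logic or anything from the article, showing one way to hunt: it enables PowerShell Script Block Logging, then scans the resulting Event ID 4104 records for the traits of fileless tradecraft (download cradles, reflective in-memory loading, encoded or hidden invocation), and lists Remote Desktop logons (Security Event ID 4624, logon type 10) so they can be compared against expected sources. The indicator regexes are a starting set chosen for this example, not an exhaustive signature list. Run it as an administrator.

```powershell
# Added example, not code from the article or from CounterTack.
# Requires an elevated PowerShell session.

# 1. Enable Script Block Logging. The engine then records the de-obfuscated text
#    of every script block it actually runs as Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational, even when nothing touches disk.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Indicators of fileless PowerShell use. Regexes are applied to the logged
#    script text (-match is case-insensitive). Starting set for this example only.
$Indicators = @{
    DownloadCradle   = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b'
    InMemoryLoad     = 'Reflection\.Assembly\]::Load|VirtualAlloc|WriteProcessMemory|CreateThread'
    EncodedOrHidden  = '-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|FromBase64String'
    InvokeExpression = '\bIEX\b|Invoke-Expression'
    AmsiTamper       = 'AmsiUtils|amsiInitFailed'
}

# 3. Score each recent 4104 script block against the indicator set.
$Since = (Get-Date).AddHours(-24)
$scriptHits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value          # ScriptBlockText
        $matched = $Indicators.GetEnumerator() |
            Where-Object { $text -match $_.Value } |
            ForEach-Object { $_.Key }
        if ($matched) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Indicators = ($matched -join ',')
                Snippet    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }

# 4. Remote Desktop logons: Security 4624 with LogonType 10 (RemoteInteractive).
#    Property indices follow the 4624 event schema (5=TargetUserName,
#    8=LogonType, 11=WorkstationName, 18=IpAddress).
$rdpLogons = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $_.Properties[5].Value
            Workstation = $_.Properties[11].Value
            SourceIP    = $_.Properties[18].Value
        }
    }

"== Suspicious PowerShell script blocks (last 24h) =="
$scriptHits | Sort-Object Time | Format-Table -AutoSize
"== Remote Desktop logons (last 24h) =="
$rdpLogons  | Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Script Block Logging only captures what runs after it is switched on, so it belongs in baseline group policy rather than in an incident-time response, and 4104 volume on busy administrative hosts is high enough that these results are a triage feed, not an alert. The Remote Desktop list is only useful against a known baseline of who connects from where; a single logon type 10 from an unfamiliar source address is the kind of event that is easy to miss in the raw Security log but obvious once it is pulled out on its own.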

It's clear that the bad guys who have figured out how to use built-in Windows services to help carry out their attacks, for now at least, are staying a few steps ahead of the good guys.

"It gains them stealth," Davis says. "By changing the way they attack, they won't be detected as easily."
