Hackers dig deeper, use network tools to do their dirty work
By Byron Acohido, ThirdCertainty
Hollywood tends to portray hackers as gifted programmers with the knack for concocting arcane lines of code to crack into computer systems.
Yet a broad definition of “hacking” is simply to access a computer and/or areas of a computer network without the proper authorization to do so.
In point of fact, many hacking campaigns are carried out with the use of very powerful, well-established hacking tools that are cost-free, widely available, and easy for anybody to master.
These include freeware and shareware to conduct:
- Brute force password hacking to crack into accounts
- Vulnerability scanning to find unpatched machines susceptible to infections
- PC log monitoring to capture all activity from a targeted machine
Security firm CounterTack has discovered a twist to this pattern.
Criminal hackers on the cutting edge have begun to tap into the network administration tools built into the Microsoft Windows operating system. They are using these built-in Windows services for the express purpose of probing wider and deeper into infiltrated networks and stealing data more quietly, says Michael Davis, chief technology officer at CounterTack.
Endpoints especially vulnerable
CounterTack supplies technology that enables its corporate and government clients to monitor and analyze malicious attacks against network endpoints—the desktops, servers and mobile devices used to conduct business.
Lately, CounterTack has intercepted campaigns designed to leverage Windows PowerShell for malicious purposes.
PowerShell is a command line utility designed for use by system administrators to help them run programs and execute scripted routines to manage Windows networks.
For instance, if an administrator needs to make a setting change to 1,000 or 10,000 computers, he or she could run a PowerShell script that would systematically modify all of those machines.
CounterTack is seeing instances where intruders are attempting to use PowerShell to widely deploy a malicious routine. Since the attackers are not trying to embed or run any malicious programs of their own, they escape detection by traditional intrusion detection systems.
The bad guys figured out that it makes great sense to simply leverage the tools Microsoft built into Windows to help companies operate more efficiently, Davis says.
“A knife from the kitchen drawer can be used to cut fruit,” he says. “But in the wrong hands, it can be used to hurt somebody. There are a lot of knives in the Windows operating system that could be leveraged to do things like delete files, download data and exfiltrate data.”
Another Windows service cyber criminals are taking advantage of is Remote Desktop Connection, Davis says. RDC enables connections between computers sitting in different locations, say the company headquarters and a branch office.
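The PowerShell and Remote Desktop activity described above leaves traces in the ordinary Windows Security log even when no malware file ever touches the disk: process creation records (Event ID 4688) carry the full PowerShell command line, and logon records (Event ID 4624) carry the logon type, where type 10 is an interactive remote desktop session. The following Python script is an added example written for this article; it is not CounterTack's product or any code discussed by Davis. It runs detection logic over a handful of constructed, made-up events shaped like parsed 4688 and 4624 records, flagging PowerShell invocations that use an encoded command, a hidden window or an execution-policy bypass, and RDP logons that originate outside an assumed management subnet (10.0.5.0/24, chosen here purely for illustration). The field names (`host`, `user`, `cmdline`, `logon_type`, `src_ip`) are assumptions about how a log pipeline would present the records.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it
    (UTF-16LE text, base64). Used here only to construct sample data."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events (all hosts, users and addresses are made up).
SAMPLE_EVENTS = [
    # Routine administration: a configuration script run from the management host.
    {"id": 4688, "host": "mgmt-01", "user": "CORP\\svc_config",
     "cmdline": r"powershell.exe -File C:\ops\set-timezone.ps1"},
    # Encoded command with a hidden window on a user workstation: worth a look.
    {"id": 4688, "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                + _encode("Get-ChildItem C:\\Users -Recurse | Out-File C:\\Temp\\list.txt")},
    # Interactive RDP logon (logon type 10) from the management subnet: expected.
    {"id": 4624, "host": "fileserver-02", "user": "CORP\\admin1",
     "logon_type": 10, "src_ip": "10.0.5.12"},
    # Interactive RDP logon from an ordinary workstation subnet: unexpected.
    {"id": 4624, "host": "fileserver-02", "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.20.33.7"},
]

# Assumption: administrators only open RDP sessions from this network.
MGMT_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]

# PowerShell accepts abbreviated switches, so match the short forms too.
_ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE)
_BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    detail: str = ""


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script behind -EncodedCommand, or None if absent."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze_process_event(ev: dict) -> Optional[Finding]:
    """Flag PowerShell launches that use options rarely seen in normal admin use."""
    cmd = ev["cmdline"]
    if "powershell" not in cmd.lower():
        return None
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    if _HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if _BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    if not reasons:
        return None
    return Finding(ev["host"], ev["user"], "powershell: " + ", ".join(reasons), decoded or cmd)


def analyze_logon_event(ev: dict) -> Optional[Finding]:
    """Flag RDP logons (type 10) whose source lies outside the management subnet."""
    if ev.get("logon_type") != 10:
        return None
    src = ipaddress.ip_address(ev["src_ip"])
    if any(src in net for net in MGMT_SUBNETS):
        return None
    return Finding(ev["host"], ev["user"], "rdp logon from outside management subnet", ev["src_ip"])


def analyze(events: List[dict]) -> List[Finding]:
    """Route each event to the matching analyzer and collect the findings."""
    findings = []
    for ev in events:
        f = None
        if ev["id"] == 4688:
            f = analyze_process_event(ev)
        elif ev["id"] == 4624:
            f = analyze_logon_event(ev)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.reason} -> {f.detail}")
```

On the sample data the first PowerShell record passes silently, because a plain `-File` invocation is exactly what the administrator in the text would run, while the encoded, hidden-window launch and the RDP logon from the workstation subnet are reported. Decoding the command rather than merely flagging it matters: an analyst sees what the script was going to do instead of a wall of base64. The approach depends on process creation auditing with command-line logging being switched on, which is off by default on many Windows builds.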
Bad things happen below the radar
And, in perhaps the most sophisticated example of this trend, some criminals have mastered a technique to execute malicious routines in the random access memory, or RAM, of individual computers.
Malicious routines usually get run on the hard drive or in the Web browser of a targeted machine, where there can be many types of detection systems watching. By contrast, malware that runs in RAM is very difficult to detect, and also disappears once the computer gets rebooted.
For now, at least, the bad guys who have figured out how to use built-in Windows services in their attacks are clearly staying a few steps ahead of the good guys.
“It gains them stealth,” Davis says. “By changing the way they attack, they won’t be detected as easily.”