A new study by LightCyber sheds light on how many attackers now use malware. Instead of relying on malware to exfiltrate data, many attackers use the malicious software only to gain initial access to systems or for surveillance.
Once the attackers have gained access to a system, they use software tools already installed on the network to move about and steal data. This means that an organization that concentrates on discovering and removing malware may not realize the attackers are still inside the system. Simply removing the malware infection will not stop the attack.
Once access to the system has been gained, attackers use tools such as remote desktop access, network administration tools, and pen testing tools to move around the network undetected. These tools allow the attackers to gain access to other devices and networks and discover login credentials. Those credentials are then used to gain access to entire systems.
Security researchers at LightCyber studied the security firm’s Magna Behavioral Attack Detection platform data for a period of six months. The data covers more than 60 customers’ systems and hundreds of thousands of endpoints. Even though the platform is used to detect malware and security threats, the tools that were used by the attackers were not flagged as being malicious. Only four of the tools were flagged as riskware, while all of the remaining tools were deemed to be safe, even though they were actively being used by attackers to move around the network.
This was not only a problem with the Magna Behavioral Attack Detection platform, but also with most other malware detection tools. The attackers are using tools such as Ping, Telnet, TeamViewer, VMware vSphere client, and Private Shell SSH to map the network. The attackers conduct port scans and host scans to investigate the system and then search for vulnerabilities that can be exploited. Since many of the tools used by hackers are also used by penetration testers and network administrators, it can be very difficult to determine whether attackers still have access once malware has been removed.
According to Kasey Cross, senior product manager at LightCyber, “To successfully detect an intruder, organizations need to look for the operational activities of the attacker, which are best seen as malicious anomalies against profiles of normal activity for users and IP-connected devices.”
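The detection approach Cross describes, profiling normal activity per user and device and then flagging deviations, can be illustrated with a small baseline-versus-recent comparison. The following is an added example and is not LightCyber's code or part of the Magna platform: the events, account names, hosts, tool process names (mstsc, ping, vsphere, teamviewer, telnet, pssh) and the fan-out thresholds are all constructed assumptions for illustration. It builds a profile of which tools each (user, host) pair normally runs and which destinations it reaches, then reports an account with no admin-tool history, a known administrator using a new tool or reaching a new destination, and scan-like breadth (many hosts, or many ports on one host) from a single source.

```python
"""Profile-based anomaly detection over constructed endpoint events.

Builds a per-(user, host) profile of "normal" admin-tool use and
destinations from a baseline window, then flags recent activity that
deviates: an account with no admin history, a known admin using a tool
or reaching a destination for the first time, and scan-like fan-out
(many hosts, or many ports on one host) from a single source.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: str        # constructed ISO-8601 timestamp
    user: str      # account that ran the tool
    src_host: str  # endpoint the tool ran on
    tool: str      # process name as an endpoint agent would report it (assumed)
    dst_host: str  # target host or IP
    dst_port: int  # 0 for ICMP ping


# Constructed baseline window: ordinary work by two administrators.
BASELINE: List[Event] = [
    Event("2016-06-01T09:00", "jdoe", "admin-ws1", "mstsc", "srv-db01", 3389),
    Event("2016-06-01T09:30", "jdoe", "admin-ws1", "ping", "srv-db01", 0),
    Event("2016-06-02T10:00", "jdoe", "admin-ws1", "mstsc", "srv-web01", 3389),
    Event("2016-06-03T11:00", "asmith", "ops-ws2", "vsphere", "esx-01", 443),
    Event("2016-06-04T11:00", "asmith", "ops-ws2", "vsphere", "esx-02", 443),
    Event("2016-06-05T14:00", "jdoe", "admin-ws1", "teamviewer", "srv-web01", 5938),
]

# Constructed recent window: benign admin work mixed with suspicious activity
# from a finance workstation (host sweep, then a port sweep of one server).
RECENT: List[Event] = [
    Event("2016-06-20T09:00", "jdoe", "admin-ws1", "mstsc", "srv-db01", 3389),
    Event("2016-06-20T09:05", "jdoe", "admin-ws1", "ping", "srv-web01", 0),
    Event("2016-06-20T10:00", "asmith", "ops-ws2", "pssh", "srv-db01", 22),
] + [
    Event(f"2016-06-20T22:0{i}", "bwong", "fin-ws7", "ping", f"10.0.1.{i}", 0)
    for i in range(1, 6)
] + [
    Event("2016-06-20T22:15", "bwong", "fin-ws7", "telnet", "srv-db01", port)
    for port in (21, 22, 23, 80, 443)
]

Profile = Dict[Tuple[str, str], Dict[str, Set[str]]]
Finding = Tuple[str, str, str, str]  # (kind, user, src_host, detail)


def build_profiles(events: List[Event]) -> Profile:
    """Record, per (user, src_host), the tools used and hosts reached."""
    profiles: Profile = defaultdict(lambda: {"tools": set(), "dst_hosts": set()})
    for e in events:
        p = profiles[(e.user, e.src_host)]
        p["tools"].add(e.tool)
        p["dst_hosts"].add(e.dst_host)
    return profiles


def detect_anomalies(profiles: Profile, events: List[Event],
                     host_fanout: int = 5, port_fanout: int = 5) -> List[Finding]:
    """Compare recent events against the baseline profiles.

    The fan-out thresholds are illustrative assumptions; a real deployment
    would tune them per environment and per role.
    """
    findings: Set[Finding] = set()
    hosts_by_src: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    ports_by_pair: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)

    for e in events:
        key = (e.user, e.src_host)
        base = profiles.get(key)  # .get() does not create a default entry
        if base is None:
            # No history of this account using any admin tool from this host.
            findings.add(("new-principal", e.user, e.src_host, e.tool))
        else:
            if e.tool not in base["tools"]:
                findings.add(("new-tool", e.user, e.src_host, e.tool))
            if e.dst_host not in base["dst_hosts"]:
                findings.add(("new-destination", e.user, e.src_host, e.dst_host))
        hosts_by_src[key].add(e.dst_host)
        ports_by_pair[(e.user, e.src_host, e.dst_host)].add(e.dst_port)

    # Fan-out checks: breadth of reach from one source, regardless of tool.
    for (user, src), hosts in hosts_by_src.items():
        if len(hosts) >= host_fanout:
            findings.add(("host-scan", user, src, f"{len(hosts)} hosts"))
    for (user, src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_fanout:
            findings.add(("port-scan", user, src, f"{dst}:{len(ports)} ports"))

    return sorted(findings)


if __name__ == "__main__":
    for kind, user, src, detail in detect_anomalies(build_profiles(BASELINE), RECENT):
        print(f"{kind:16} {user:8} {src:10} {detail}")
```

Run stand-alone, the example prints nothing for jdoe's routine remote-desktop and ping use, but flags asmith's first use of an SSH client against a database server, the finance account that has never run an admin tool, and the host and port sweeps. The point the study makes carries through: none of these tools is malware, so the signal comes entirely from the comparison with each principal's own baseline, not from the tool's identity.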