Top 10 cyber-weapons; weaponised IT the preferred attack vehicle once inside

Top ten hacker tools identified - misuse of legitimate tools dominates inside the network.

David Thompson: "Once people get inside the network – it's weaponised IT"
David Thompson: "Once people get inside the network – it's weaponised IT"

The Cyber Weapons Report 2016 from LightCyber Inc issued today catalogues the top ten weapons used in various categories of cyber-attack, however its main thrust is that once an attacker is on your system, they rarely use malware and what you need to monitor is anomalous behaviour using legitimate tools.

In fact the report says that 99 percent of internal, east-west reconnaissance and lateral movement in the sample covered did not originate from malware, but from legitimate applications or from riskware such as scanners.

“No one is saying unplug the firewall or ditch anti-virus – it works, but not 100 percent,” David Thompson, LightCyber's senior director of product management, told SCMagazineUK.com. He added: “90 percent of [monitoring] reports suggested that once people get into the network these [malware] tools stop – it's weaponised IT.”

As well as seeing a lot of attack activity using legitimate tools, the research showed that half is reconnaissance activity, when the attackers need to be very active to get to their target. Command and control activity and lateral movement were both just under 20 percent, with exfiltration just under five percent of activity. In contrast, malware activity, the focus of industry attention, accounted for just 7.5 percent of activity once the intruder was inside. Of course it is true that by stopping malware from facilitating entry, the level of intruder activity is greatly diminished.

As a result, Thompson says, “Organisations need to build their ‘detect and response' capability - how to investigate previously undetected anomalies, and what to do when they find them. It needs both network traffic analysis and user behaviour analysis – combining [activity seen] with people and processes.”

It's not enough to detect the tools used, but users must spot the anomalous behaviours they are used to create, allowing organisations to block each stage of an attack and make sure that if one safeguard fails, another one can prevent a costly breach.

Thompson notes that the sort of activity to look for includes “large port scans, high failure rates in connections, and large numbers of folders in file sharing”.

But he adds that reconnaissance activity can be hard to look for without being overwhelmed with alarms as many apps allow a lot of automatic searching for peers and are “very chatty – so you need to see what's installed where”.

Of 1,109 unique tools used during attacks monitored, the majority were not malicious.

The ten most popular networking and hacking tools were:

Tool Name

Function

Percentage of Top 10

Angry IP Scanner

IP address and port scanner

27.08%

PingInfoView

Program that pings multiple hosts at once

25.00%

Nmap

Network discovery and security auditing tool

14.58%

Ping

Ping command program

12.50%

Mimikatz

A tool that extracts plain text passwords stored in Windows

6.25%

NCrack

High-speed network authentication cracker

4.17%

Perl

Scripting tool that can be used to script hacking and reconnaissance tasks

4.17%

Windows Credential Editor

A tool that manages Windows logon sessions and credentials; can be used to perform “Pass-the-Hash” attacks

2.08%

SmartSniff

Network packet sniffer

2.08%

PDF Exploit Generator

An app that generates malicious PDF files that can infect vulnerable PDF applications

2.08%

While primarily used for lateral movement, admin tools are also associated with data exfiltration. The ten most popular admin tools used were:

Tool Name

Function

Percentage of Top 10

SecureCRT

SecureShell (SSH) and Telnet client

28.48%

Putty

SSH and Telnet client

25.95%

BeyondExec Remote Service

Utility to spawn processes and shutdown remote workstations

10.13%

VMware vSphere Client

Management utility for VMware vSphere Server Virtualisation

8.86%

MobaXterm

Xserver and tabbed SSH client for Windows

8.23%

PsExec

Light-weight telnet replacement for executing processes on remote systems

8.23%

PowerShell

Task automation and configuration management framework

5.70%

Private Shell SSH

SSH client

1.90%

Telnet

Telnet client

1.90%

Xshell

Terminal emulator that supports SSH, SFTP, telnet, rlogin and serial access

0.63%

Attackers also use remote desktop programs to gain access to new hosts, to move laterally, or to remotely control compromised devices. TeamViewer topped the list of the most common remote desktop tools in the study, along with Ammyy Adminn and LogMeIn, to control computers from outside the network because they broker connections through their service — basically command and control. Others, like VNC and Remote Desktop Connection, are used within the LAN for lateral movement.  The ten most popular desktop programs used were:

Tool Name

Description

Percent of the Top 10

TeamViewer

Cloud-based or locally hosted remote desktop and web conferencing software; can be used for command and control and lateral movement

37.22%

WinVNC

Remote desktop software using Virtual Network Computing (VNC) for remote access

27.44%

Radmin

Remote desktop and technical support software

9.09%

AnyDesk

Remote desktop software

6.86%

LogMeIn

Cloud-based remote access and remote desktop service

4.12%

NetOp Remote Control

Cloud-based or locally hosted secure remote access

2.92%

Ammyy Adminn

Free remote desktop and remote control software

1.72%

Citrix Client

Application used to access Citrix XenDesktop and XenApp programs

0.86%

Remote Desktop Connection

Microsoft's native remote desktop solution

0.69%

UltraVNC

Remote desktop software that also includes file transfer and chat messaging.

0.34%

Organisations are advised to monitor all remote desktop connections and enforce strong authentication to prevent unauthorised computer access. Correlating remote desktop access with other anomalies, such as data exfiltration and command and control activity, can help zero in on advanced attacks.

Attackers can use malware at any stage of the attack process - to exploit the initial host, or turned on after they are entrenched in the network and have established control. The report shows that most malware activity was detected in early phases of the attack lifecycle, such as command and control communications between clients and destinations on the Internet. Some 28 percent of suspicious processes associated with alerts were either malware or riskware.

An interesting finding was that more than 70 percent of active malware detected was detected ONLY on a single site, indicating the increased prevalence of targeted malware as well as polymorphic malware to completely bypass signature-based prevention. “Even though it was only a small sample (60 installations) it did indicate the ease with which attackers can re-configure and create new malware,” comments Thompson. The top ten malware programs found were:

Tool Name

Description

Percent of the Top 10

Trojan/Gen:Variant.Graftor

Malware used to boost advertising revenue to inflate a site's page ranking in search results.

34.89%

Win32/ShopAtHome.A

Malware that redirects and monitors Web activity

34.58%

W32/Urlbot.NAO!tr

Malware that monitors all activity, including keystrokes, email and web access

7.17%

BrowserModifier:Win32/Elopesmut

A family of malware that changes web browser settings.

6.85%

Win.Trojan.7400921-1

Malware that attempts to write to a memory location of a loaded process to manipulate other applications.

6.23%

DLOADER.Trojan

A Trojan that secretly downloads malicious files from a remote server, then installs and executes the files

5.92%

Trojan.Win32.Crossrider.dlbfju

A Trojan that hijacks web browser sessions

1.56%

Troj/WPAKill-A

Malware that manipulates other applications

1.25%

Trojan.Generic.12984339

Unknown Trojans which are detected by its antivirus heuristic engine

0.93%

Trojan-Dropper.Win32.BATDrop.bl

A Trojan dedicated to the exfiltration of the data that is sent to a remote server through FTP.

0.62%

Methodology

Meta data for this report was gathered from LightCyber's global customer base using the LightCyber Magna Behavioral Attack Detection platform. The Report concentrates on the malware that bypassed preventative controls and successfully compromised clients, and the tools attackers use once inside the network. It encompasses attack activity detected across hundreds of thousands of endpoints from more than 60 sites during a six-month period ending in June 2016. Sample organisations ranged in size from 1,000 to 50,000.  The threats described in the report were identified by deep packet inspection (DPI) of network traffic for behavioural anomalies.