Cybercriminals increasingly use legitimate software for attacks
An analysis by ReliaQuest has revealed that cybercriminals are increasingly utilising legitimate software to breach organisational security. The study found that between January and August 2024, 60% of critical incidents involved the use of legitimate IT tools for malicious purposes, a 16% increase over the same period in 2023.
The report underscores the growing trend of attackers adopting legitimate tools to evade security measures and deceive security personnel. These tools are used for various malicious activities, including spreading ransomware, conducting network scanning, lateral movement within networks, and establishing command-and-control (C2) operations. Among the tools identified in the report are PDQ Deploy, PSExec, Rclone, SoftPerfect, AnyDesk, ScreenConnect, and WMIC.
A series of case studies detailed in the report highlights specific incidents involving these tools. Between September 2023 and August 2024, 22 posts on various criminal forums discussed or shared cracked versions of the SoftPerfect network scanner. For instance, an August 2024 thread on XSS titled "nmap binary for Windows or an alternative" saw users recommending SoftPerfect as a viable option for network scanning.
Remote management and monitoring (RMM) tools like AnyDesk and ScreenConnect also feature prominently in criminal discussions. An August 2024 post on the RAMP forum described using AnyDesk during a penetration test and recommended disabling secure logon for successful connections. Initial Access Brokers (IABs) frequently sell access to networks through established RMM connections of this kind.
The report notes that ransomware groups commonly use Windows utilities such as PSExec and WMIC to propagate their ransomware encryptors. A notable example is the Medusa ransomware group's use of PDQ Deploy. By leveraging a compromised administrator account, the attacker used PDQ Deploy to blend in with existing PDQ tools in the environment, avoiding detection.
In an incident from April 2023, ReliaQuest responded to an attempted ransomware deployment in a customer environment. Despite being less recent, this case is significant due to the attacker's lateral movement technique. The attacker downloaded the automated software deployment tool Total Software Deployment (TSD) to install the RMM tool ScreenConnect on multiple hosts. This installation facilitated lateral movement, enabling connections to any compromised host with ScreenConnect installed.
The increasing use of legitimate software for malicious purposes poses a significant challenge for cybersecurity professionals. As attackers continue to find ways to bypass security measures using tools that appear benign, organisations must remain vigilant and adopt more sophisticated detection and response strategies to protect their networks.
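As an added illustration of the kind of detection these findings call for (example code, not from ReliaQuest or the article), the following Python tags process-creation events for the tools the report names and alerts when a single account starts an RMM client on several hosts within a short window, the pattern of the ScreenConnect case above. The executable names mapped to each tool and the sample events are assumptions constructed for this example.

```python
"""Flag dual-use admin/RMM tool use in process-creation events (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Legitimate tools the report says attackers repurpose, keyed by executable name.
# The image names are assumptions; the tool names come from the article.
DUAL_USE_IMAGES = {
    "psexec.exe": "PsExec", "psexesvc.exe": "PsExec", "wmic.exe": "WMIC",
    "rclone.exe": "Rclone", "netscan.exe": "SoftPerfect Network Scanner",
    "anydesk.exe": "AnyDesk", "screenconnect.clientservice.exe": "ScreenConnect",
    "pdqdeploy.exe": "PDQ Deploy", "tsd.exe": "Total Software Deployment",
}
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe"}

@dataclass
class ProcEvent:
    minute: int   # minutes since the start of the constructed log window
    host: str
    user: str
    image: str    # lower-case executable name, as in a Sysmon-style Image field

def tag_dual_use(events):
    """Return (event, tool name) for each event whose image is a listed dual-use tool."""
    return [(e, DUAL_USE_IMAGES[e.image]) for e in events if e.image in DUAL_USE_IMAGES]

def rmm_spread(events, min_hosts=3, window=30):
    """Flag accounts that start an RMM client on >= min_hosts distinct hosts within
    `window` minutes: the ScreenConnect-on-many-hosts pattern of the April 2023 case."""
    per_user = defaultdict(list)
    for e in events:
        if e.image in RMM_IMAGES:
            per_user[e.user].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.minute)
        for i, first in enumerate(evs):  # slide the window over each start point
            hosts = {x.host for x in evs[i:] if x.minute - first.minute <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, tuple(sorted(hosts))))
                break  # one alert per account is enough
    return alerts

SAMPLE_EVENTS = [  # constructed: one account pushes ScreenConnect to three hosts
    ProcEvent(2, "ws01", "corp\\svc-admin", "tsd.exe"),
    ProcEvent(5, "srv01", "corp\\svc-admin", "screenconnect.clientservice.exe"),
    ProcEvent(7, "srv02", "corp\\svc-admin", "screenconnect.clientservice.exe"),
    ProcEvent(9, "ws07", "corp\\svc-admin", "screenconnect.clientservice.exe"),
    ProcEvent(11, "fs01", "corp\\svc-admin", "psexec.exe"),
    ProcEvent(200, "ws03", "corp\\helpdesk", "anydesk.exe"),  # single session, no alert
]
```

The single AnyDesk session is left alone on purpose: the signal is one account fanning an RMM client out across hosts, not RMM use as such, which is exactly why these tools blend in.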