Hackers turn our tools against us
- By Stephanie Kanowitz
- Jun 30, 2016
The tools hackers commonly use after penetrating a network often do not involve malware, according to a new report.
Although malware is often used to gain access to a network, 99 percent of post-intrusion cyberattack activities used standard networking and IT administrative tools – not malware, according to LightCyber’s 2016 Cyber Weapons Report, released June 29. More than 70 percent of active malware detected was found only on a single site, indicating that “attackers create target-specific variants to completely bypass signature-based prevention,” according to the report.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” Jason Matlof, executive vice president at LightCyber, said. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”
Angry IP Scanner and PingInfoView top the list of the 10 most popular networking and hacking tools that the report found. Others include Nmap, Ping, Mimikatz, NCrack, Perl and Windows Credential Editor.
In 29 percent of all incidents, SecureCRT, a SecureShell and Telnet client were the most common administrative tools used in attacks the report studied. The most popular remote desktop tool was TeamViewer, a cloud-based or locally hosted remote desktop and web conferencing product, which accounted for 37percent of all incidents in the study. Trojan/Gen:Variant.Graftor was the most common malware variant used at 35 percent.
“Attackers don’t just rely on malware, riskware and other ‘attack tools’ to do their dirty work,” the report stated. “They also leverage ubiquitous apps like web browsers and native OS tools to carry out attacks. In fact, web browsers like Chrome, Internet Explorer and Firefox accounted for a sizeable amount of command and control activity. By installing malicious plugins and toolbars, attackers can leverage these seemingly innocuous apps to communicate with command and control servers.”
What’s more, the study found that the most pervasive type of threat is reconnaissance at 51 percent, followed by lateral movement (20 percent) and command and control (18 percent). During reconnaissance, hackers map out network resources looking for attack vectors that custom cyber threats can exploit, the report states.
Meta data for the report came from LightCyber’s global customers using its Magna Behavioral Attach Detection platform and encompasses attack activity detected across hundreds of thousands of endpoints worldwide from more than 60 unique sites during a six-month period ending in June 2016.
Stephanie Kanowitz is a freelance writer based in northern Virginia.