HHS Warns HPH Sector About Abuse of Legitimate Software and Security Tools by Threat Actors

October 10, 2022

It has become increasingly common for threat actors to use living-off-the-land techniques to conduct reconnaissance, escalate privileges, maintain persistence, and move laterally within networks undetected. The same software and security tools that network administrators and red team professionals use for legitimate purposes are abused to attack victims’ infrastructure.

Threat actors leverage software tools that are already installed to avoid having to download files via the Internet; malicious activity can hide within the logs alongside legitimate use of these tools; and the tools can perform malicious actions in memory to evade security solutions. Traditional approaches to security, such as blocking the hashes of malicious files and blocking malicious domains, are ineffective against these tools because they are already present on the network.

Recently, the Health Sector Cybersecurity Coordination Center (HC3) issued a white paper warning the healthcare and public health (HPH) sector about these living-off-the-land techniques to raise awareness of the threat and explain the risks of using certain tools. The tools most commonly abused by malicious actors include the penetration testing and adversary simulation frameworks Cobalt Strike and Brute Ratel; Microsoft’s cross-platform automation tool, PowerShell; the credential dumping application, Mimikatz; the Windows troubleshooting application, Sysinternals; and the remote desktop application, AnyDesk.

These and other tools have been extensively used by nation-state hackers and cybercriminals in attacks on a wide range of sectors, including healthcare, and mitigating the threat they pose can be a significant challenge. These tools all have legitimate uses and are often deployed on common systems, so their malicious use can be difficult to detect.

Cobalt Strike, for instance, has been extensively abused by threat actors for the past 5 years. More than 8,000 attacks have been conducted that leveraged this comprehensive red team framework. The tool is commonly used by penetration testers to assess risks and vulnerabilities and to simulate attacks, but the extensive capabilities of the framework are ripe for abuse. Cobalt Strike can be used as a highly customizable spear phishing tool, for discovering client-side applications, for exploitation and post-exploitation activities, for data transfers and real-time communications, and for command and control of compromised systems. Brute Ratel is a newer and less well-known framework that has many of the same capabilities. Both of these tools are extensively used by ransomware gangs and nation-state threat actors, including in attacks on the healthcare sector.

PowerShell is a command shell and scripting language that is extensively used by IT teams for automation and configuration management, and defending against its misuse can be a particular challenge. It is often not possible to block the tool because of the value it provides, but where it is not commonly used, it should be disabled through group or security policies.

AnyDesk is a remote access solution that supports several operating systems and is used to provide remote IT support. AnyDesk is also commonly used for file transfers and virtual private network services. Connections are encrypted to protect against data interception, but that also makes malicious use harder to detect. AnyDesk has been extensively used by ransomware actors, including AvosLocker and Babuk, and BazarLoader uses AnyDesk to deploy ransomware payloads.

HC3 says the Department of Health and Human Services neither endorses nor condemns the use of these tools but recommends that entities in the HPH sector carefully evaluate these tools, assess the risks and rewards, and determine whether the value provided outweighs the risks.

In the white paper, HC3 provides a detailed explanation of each of these tools, their legitimate uses, how they are abused by threat actors, and steps that can be taken to prevent and detect malicious use.

The post HHS Warns HPH Sector About Abuse of Legitimate Software and Security Tools by Threat Actors appeared first on HIPAA Journal.