Threat Actors Exploiting Legitimate Software For Stealthy Cyber Attacks


Threat actors often exploit legitimate software for malicious purposes, as it enables them to evade security measures and gain unauthorized access to systems.

By using legitimate software, threat actors can avoid detection and blend in with normal network traffic, which makes it harder for defenders to detect and mitigate the attack.

Security researchers at ReliaQuest recently identified that threat actors have been actively exploiting legitimate software for stealthy cyber-attacks.

Hackers Exploiting Legitimate Software

ReliaQuest documented a significant increase in cyber incidents involving legitimate software, which it terms CAMO (Commercial Applications for Malicious Operations), from January to August 2024.

The tactic was used in 60% of all critical hands-on-keyboard incidents, marking an increase of 16% when compared to 2023.

Actors employing CAMO rely on common IT tools such as PDQ Deploy, Total Software Deployment (TSD), and RMM software like AnyDesk or ScreenConnect.

These tools typically carry valid code-signing certificates and are used across many phases of the attack kill chain.

For instance, the Medusa ransomware group utilized PDQ Deploy to spread and execute ransomware, while the Inc Ransom group employed SoftPerfect NetScan for network discovery and Restic (disguised as “winupdate.exe”) for data exfiltration.

The Black Basta ransomware group launched social engineering campaigns using RMM tools to establish command and control (C2) channels.

CAMO poses unique challenges, as these legitimate tools often evade security policies and blend easily into normal IT operations, which complicates threat detection and incident response.

To mitigate CAMO-based attacks, organizations are advised to implement defense-in-depth strategies, including:

  • Network segmentation using VLANs and DMZs.
  • Application whitelisting through Windows Defender Application Control (WDAC) or AppLocker.
  • Strict controls on RMM tool usage.

Researchers also urged organizations to incorporate CAMO awareness into their incident response plans, penetration tests, and risk assessments.

They further recommended implementing data exfiltration prevention measures, such as blocking unauthorized cloud services and monitoring access to sensitive data.
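The two controls most directly tied to the incidents above, catching a dual-use tool that has been renamed on disk (as Restic was, to “winupdate.exe”) and enforcing strict RMM tool usage, can be checked in process-creation telemetry. The following is an added example written for this article, not code from ReliaQuest or from the tools named; the OriginalFileName values, the approved AnyDesk install path, and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Dual-use tools named in the report, keyed by the OriginalFileName that the PE
# version resource keeps even after the file is renamed on disk (assumed values).
CAMO_TOOLS = {
    "restic.exe": "Restic (backup tool, abused for exfiltration)",
    "netscan.exe": "SoftPerfect NetScan (network discovery)",
    "anydesk.exe": "AnyDesk (RMM)",
}
# RMM binaries are sanctioned only from the approved install directory (assumed policy).
APPROVED_DIRS = {"anydesk.exe": "c:\\program files (x86)\\anydesk\\"}

@dataclass
class ProcessEvent:
    host: str
    image: str               # full path of the executed binary
    original_file_name: str  # Sysmon Event ID 1 OriginalFileName field

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev: ProcessEvent) -> list[str]:
    """Findings for one process-creation event; an empty list means benign."""
    findings = []
    orig = ev.original_file_name.lower()
    tool = CAMO_TOOLS.get(orig)
    if tool is None:
        return findings                  # not a tracked dual-use tool
    on_disk = basename(ev.image)
    if on_disk != orig:                  # e.g. Restic masquerading as winupdate.exe
        findings.append(f"{ev.host}: {tool} running as '{on_disk}'")
    approved = APPROVED_DIRS.get(orig)
    if approved and not ev.image.lower().startswith(approved):
        findings.append(f"{ev.host}: {tool} launched from unapproved path {ev.image}")
    return findings

def scan(events: list[ProcessEvent]) -> list[str]:
    return [f for ev in events for f in evaluate(ev)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Users\Public\winupdate.exe", "restic.exe"),
    ProcessEvent("WS02", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "anydesk.exe"),
    ProcessEvent("WS03", r"C:\Users\bob\Downloads\AnyDesk.exe", "anydesk.exe"),
    ProcessEvent("WS04", r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the renamed Restic binary on WS01 and the AnyDesk copy launched from a Downloads folder on WS03, while the sanctioned AnyDesk install and the unrelated system process produce no findings.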

Threat actors will continue relying on CAMO, leveraging legitimate IT tools such as AnyDesk and PDQ Deploy for malicious activities, over the long term.

This trend is evidenced by their frequent use in incidents and discussions on cybercriminal forums.

Nation-state groups like “Cozy Bear” are also likely to build legitimate behavior into sophisticated custom malware, as with CloudDuke, which used Microsoft OneDrive for data exfiltration.

This persistence is driven by the tools’ effectiveness and the diverse needs of different threat actors.
