Threat actors commonly use living-off-the-land techniques to perform reconnaissance, escalate privileges, establish persistence, and move laterally inside networks without being discovered. The same software and security tools that network administrators and red teamers use for legitimate purposes are abused to carry out attacks on victims' infrastructure.
Because threat actors take advantage of software that is already installed, they do not need to download files. Malicious activity can be concealed among the legitimate use of these tools in the logs and so evade security controls. Conventional security measures such as blocking the hashes of malicious files and blocking malicious domains are ineffective against these tools, because they are already present in the network.
The Health Sector Cybersecurity Coordination Center (HC3) recently released a white paper warning the healthcare and public health (HPH) sector about these living-off-the-land techniques, to raise awareness of the threat and explain the risks of using a number of tools. Threat actors often abuse the following tools:
- Brute Ratel and Cobalt Strike – penetration testing and adversary simulation frameworks
- PowerShell – Microsoft’s cross-platform automation tool
- Mimikatz – the credential dumping application
- Sysinternals – the Windows troubleshooting suite
- AnyDesk – the remote desktop application
Nation-state hackers and cybercriminals have extensively used these and other tools in attacks on many industries, including healthcare. Mitigating the risk from these tools is a major problem: all of them have legitimate functions and are frequently used on ordinary systems, so their malicious use can be hard to identify.
Cobalt Strike, for example, has been broadly abused by threat actors over the last 5 years, with over 8,000 attacks carried out using this full-featured red team framework. The tool is usually employed by penetration testers to evaluate threats and vulnerabilities and to simulate attacks, but its extensive functionality is ready for abuse. Cobalt Strike can be used as a highly customizable spear phishing tool, for client-side program reconnaissance, for exploitation and post-exploitation activities, data transfer and live communications, and for command and control of compromised systems. Brute Ratel is a more recent and less well-known framework with many of the same capabilities. Ransomware groups and nation-state threat actors widely use both tools in attacks on the healthcare industry.
PowerShell is a command shell and scripting language that IT teams often use for automation and configuration management. Protecting against its misuse is particularly hard. Prohibiting the tool is usually impossible because of its value, but if it is not often used, it should be disabled via group or security policies.
AnyDesk is a remote access tool used on a number of operating systems to provide remote IT support. AnyDesk is also popular for file transfers and VPN services. Connections are encrypted to protect against data interception, but that also makes malicious use harder to identify. AnyDesk has been widely used by ransomware groups, including AvosLocker and Babuk, and BazarLoader uses AnyDesk to deliver ransomware payloads.
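As an added illustration (not part of the HC3 paper or this article) of why detecting these tools has to rely on execution context rather than file hashes, the following Python snippet triages constructed process-creation events and flags PowerShell, AnyDesk and Sysinternals PsExec only when the parent process, command-line flags or host deviate from expected use. The event format, host names and approved-host list are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (assumed field layout, e.g. from EDR or Sysmon)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry, not real data.
EVENTS = [
    ProcEvent("ws-12", "jdoe", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo"),
    ProcEvent("ws-12", "jdoe", "explorer.exe", "powershell.exe",
              "powershell.exe -File Backup.ps1"),
    ProcEvent("srv-01", "svc_backup", "services.exe", "AnyDesk.exe", "AnyDesk.exe --service"),
    ProcEvent("ws-44", "mallory", "cmd.exe", "PsExec.exe", "PsExec.exe \\\\srv-01 -s cmd.exe"),
    ProcEvent("it-03", "helpdesk", "explorer.exe", "AnyDesk.exe", "AnyDesk.exe"),
]

# Assumed policy: only the IT support workstation is allowed to run AnyDesk.
ANYDESK_APPROVED_HOSTS = {"it-03"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Flags that legitimate admin scripts rarely need but attacker one-liners use constantly.
PS_SUSPICIOUS = re.compile(r"-(enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return a list of findings for one event; an empty list means expected use."""
    findings = []
    img = ev.image.lower()
    if img in ("powershell.exe", "pwsh.exe"):
        if ev.parent.lower() in OFFICE_PARENTS:
            findings.append("PowerShell spawned by an Office application")
        if PS_SUSPICIOUS.search(ev.cmdline):
            findings.append("PowerShell with encoded/hidden/no-profile flags")
    elif img == "anydesk.exe" and ev.host not in ANYDESK_APPROVED_HOSTS:
        findings.append("AnyDesk running on a host not approved for remote support")
    elif img == "psexec.exe" and "\\\\" in ev.cmdline:
        findings.append("PsExec launched against a remote host")
    return findings


def triage(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Flatten findings to (host, image, finding) tuples for an analyst queue."""
    return [(ev.host, ev.image, f) for ev in events for f in classify(ev)]
```

Note that the same `powershell.exe` binary produces zero findings on the second event and two on the first; the difference is entirely in the parent process and the flags, which a hash blocklist cannot see.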
HC3 states that the Department of Health and Human Services neither endorses nor criticizes the use of these tools, but proposes that entities in the HPH sector should carefully assess these tools, weigh the risks and benefits, and evaluate whether the value offered exceeds the risks.
The white paper gives a detailed description of each tool, its legitimate uses, how threat actors abuse it, and steps that can be taken to prevent and identify malicious use.