Living-off-the-Land Attacks Surge, Attackers Focus on Abusing Legitimate Tools and Services

Cybercriminals have long been using legitimate management and administration tools to break into enterprise networks, move laterally within them, and maintain persistence. Lately, the use of these so-called Living-off-the-Land (LotL) tactics has increased substantially.

The current state of LotL attacks

  • In a recent report, Kaspersky Lab revealed that malicious actors misused legitimate services in 30% of cybersecurity incidents tracked in 2019.
  • In around 38.6% of the instances, the legitimate tools were used to execute code.
  • The most frequently used tools include PowerShell, PsExec, SoftPerfect Network Scanner, and ProcDump.
  • Threat actors used most of these legitimate tools and services to harvest credentials from memory, evade security mechanisms, and discover services in the network.

Recent headline-grabbing incidents

  • TeamTNT APT was caught using the Weave Scope tool as an effective backdoor to infiltrate Docker and Kubernetes platforms. The open-source tool enables attackers to gain full control over the infrastructure without the need to deploy malicious code.
  • In another analysis, researchers noticed malicious actors abusing Google’s DNS over HTTPS protocol to deploy malicious payloads on victims’ machines.
  • The card-skimming landscape saw a new twist as cybercriminals affiliated with the Magecart group used the encrypted messaging service Telegram as a channel for sending stolen credit-card information back to their C2 servers.
  • Iranian hackers reportedly used Remote Desktop Protocol (RDP) to deploy Dharma ransomware in a targeted attack campaign against Russia, Japan, India, and China.
  • In mid-June, ESET revealed a cyberespionage campaign that targeted aerospace and military companies in Europe and the Middle East between September and December 2019. The operation misused OS functions and legitimate services, among other techniques, to infect targets with a malware sample named Inception.dll.

What does this indicate?

The misuse of legitimate tools and services can make it more difficult for security solutions to detect attacks. Furthermore, Konstantin Sapronov, Head of the Global Emergency Response Team at Kaspersky, explains that it is not possible to exclude these tools because they are part of a regular system administrator workflow. Therefore, the only way to prevent the abuse of such tools and services is through properly deployed logging and monitoring systems that help detect suspicious activity in the network.
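Because the tools cannot simply be blocked, monitoring has to judge the context in which they run. The Python below is an added example, not code from Kaspersky or the original article: it triages process-creation events for the four tools named above against an admin baseline. The field names follow Sysmon process-creation events, and the executable names, accounts, hosts and sample events are assumptions constructed for illustration.

```python
import ntpath

# Executable names are assumptions about how the article's tools appear on disk.
WATCHED = {
    "powershell.exe": "PowerShell",
    "psexec.exe": "PsExec", "psexec64.exe": "PsExec",
    "netscan.exe": "SoftPerfect Network Scanner",
    "procdump.exe": "ProcDump", "procdump64.exe": "ProcDump",
}
# Assumed baseline: admin accounts, admin hosts, parents with no reason to launch admin tools.
ADMIN_USERS = {r"CORP\adm-jlee"}
ADMIN_HOSTS = {"ADMIN-WS01"}
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

def exe_name(path):
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any OS

def triage(event):
    """Return (tool, reasons) when a watched tool runs outside the baseline, else None."""
    tool = WATCHED.get(exe_name(event["Image"]))
    if tool is None:
        return None
    reasons = []
    if event["User"] not in ADMIN_USERS:
        reasons.append("user not in admin baseline")
    if event["Computer"] not in ADMIN_HOSTS:
        reasons.append("host not in admin baseline")
    if exe_name(event["ParentImage"]) in ODD_PARENTS:
        reasons.append("unusual parent process")
    return (tool, reasons) if reasons else None

def scan(events):
    """Return (host, tool, reasons) for every event that needs review."""
    return [(e["Computer"], *hit) for e in events if (hit := triage(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ADMIN-WS01", "User": r"CORP\adm-jlee",
     "Image": r"C:\Tools\PsExec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "HR-LT17", "User": r"CORP\mgarcia",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "FILESRV02", "User": r"CORP\adm-jlee",
     "Image": r"C:\Temp\procdump64.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "HR-LT17", "User": r"CORP\mgarcia",
     "Image": r"C:\Apps\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

for host, tool, reasons in scan(SAMPLE_EVENTS):
    print(f"{host}: {tool} -> {', '.join(reasons)}")
```

A baseline this simple is noisy for PowerShell on ordinary workstations; the reasons list is what lets an analyst rank alerts instead of treating every execution as equal.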

Recommended security measures

To minimize malicious penetration through such software:
  • Organizations should restrict access to remote management tools from external IP addresses.
  • The number of endpoints for remote control interfaces should be limited, while a strict password policy is enforced for all IT systems and multi-factor authentication is deployed.
  • It is better to follow the principle of offering staff limited privileges on a need-to-know and need-to-do basis.