Living off the land: Hackers hiding in plain sight

Security risks are often associated with unauthorized downloads of malware or other tools from outside the network that then drive an attack. However, this cat-and-mouse game between technology and threats isn’t restricted to how attackers choose their targets. The game continues even after attackers gain initial victory.

Fortinet’s latest quarterly global Threat Landscape Report found that attackers are increasingly using tools already pre-installed on targeted systems to carry out their activities. This is known as “living off the land,” and enables hackers to hide their attacks behind what appears to be normal, everyday processes, making them more challenging to identify. And because many of these tools include privileged access, they can also be harder to stop.

PowerShell is arguably one of the most popular tools used by IT teams for many reasons. It comes pre-installed on Windows machines and can interact directly with the .NET Framework. It has also become quite popular among cybercriminals. We’ve tracked adversaries using PowerShell in campaigns to deploy numerous malware, including TrickBot and Emotet banking Trojans. PowerShell, of course, is not the only one. There are other popular utilities that enable attackers to escalate privileges, move laterally across an environment, and install malicious payloads on other systems.

It should be noted that Microsoft in recent years has hardened PowerShell against misuse via measures that restrict the ability to invoke arbitrary Windows APIs, by script block logging, code signing, and support for role-based access administration. But the reality is that attackers can use any language that interacts with .NET, including C#, C++, IronPython, and VB, to accomplish a lot of the same things they can with PowerShell.

As we saw at the start of the year, threats are not likely to abate. Embracing an effective long-term strategy that seeks to address security in an integrated and collaborative fashion is the most important step organizations can take to keep adversaries at bay.

Derek Manky is chief of security insights and global threat alliances at Fortinet, office of CISO. (www.fortinet.com)

This story was featured in the Summer 2019 edition of Canadian Security magazine.