Cybercriminals continuously look for ways to achieve their goals more cost-effectively and efficiently. After all, it costs money to develop malware, hire a botnet, or buy credentials. It takes time to identify and qualify worthwhile opportunities. If you don’t have expert hacking skills to gain access to your target, well, you’ll have to hire those. During the time it takes to execute your campaign, you’re at risk of being caught. And you’re still not likely to make money.
So it makes sense that threat actors are increasingly weaponizing popular, legitimate IT management tools for malicious purposes. Think endpoint management, remote desktop sharing, and network asset management tools. They also use built-in operating system capabilities such as the command shell, dynamic link libraries (DLLs), and native scripting platforms like PowerShell, all of which are already installed on target systems. That’s efficiency. Many of these tools are open source and free. That’s cost-effective. Best of all, bad actors can use them and evade detection at the same time. That’s just the bonus, but a large one.
What does this mean for IT teams? Protecting “the data” means much more than building access controls around customer, patient, cardholder, and other protected classes of data. They also need eyes on the binary data running their applications and networks. They need to know where it is, how it changes, and who’s accessing it.
A growing number of supply-chain and third-party breaches are a case in point. Just recently, an employee of 3CX, maker of a popular voice-over-IP system, used his credentials to download and install a financial trading application on his computer. The trading application had been retired by its maker in 2020, but was still widely available. In early 2022, it was compromised and infected with backdoor malware. Once it was installed on the employee’s computer, North Korean-affiliated attackers were able to access 3CX’s software build environment and replace a DLL file in the 3CX app with a trojanized version. When the “updated” 3CX app was loaded on any computer, it functioned as full-blown malware that beaconed to remote servers and was capable of running second-stage malware. The impact is global—the 3CX desktop app is used by hundreds of large businesses, governments, and service providers. So far, according to Symantec Threat Hunters, two financial trading companies and two critical energy infrastructure companies in the U.S. and Europe were breached. According to SC Media, “A search on Shodan on March 30, 2023 found more than 240,000 3CX exposed phone management systems.”
It’s safe to say that few, if any, of these 3CX customers even thought to scrutinize their updated software down to the binary level. Most are likely unaware of the specific 3CX software running on their systems.
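The kind of binary-level scrutiny described above can start with something simple: record a hash of every executable file in an application's install directory, and after each update compare the new state against that baseline so a swapped DLL or a dropped script stands out. The script below is an added illustration, not code from the original post or from Flying Cloud; the directory layout, file names and contents are constructed for the demo, and the set of "code" extensions is an assumption you would tune to your own environment.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: these suffixes cover the executable content worth baselining in a
# typical Windows application directory. Extend the set for your own estate.
CODE_SUFFIXES = {".exe", ".dll", ".ps1", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every code file under `root` (relative path) to its SHA-256 hash."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CODE_SUFFIXES:
            baseline[str(path.relative_to(root))] = sha256_of(path)
    return baseline


def diff_baseline(before: dict, after: dict) -> dict:
    """Report files that appeared, disappeared, or changed between two baselines."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: an install directory is baselined, then an 'update'
    silently replaces one DLL and drops a new script. Returns the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for a real application tree.
        (root / "app.exe").write_bytes(b"MZ original application")
        (root / "example.dll").write_bytes(b"MZ original library")
        (root / "readme.txt").write_bytes(b"not code, so not baselined")
        before = build_baseline(root)

        # Simulated tampering: same DLL name, different bytes, plus a new script.
        (root / "example.dll").write_bytes(b"MZ replaced library")
        (root / "helper.ps1").write_bytes(b"Write-Host hello")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the `before` baseline would be written to a store the application itself cannot modify (or replaced by the vendor's signed manifest where one exists), and the comparison would run on a schedule or on every update event; the report then feeds whatever alerting or ticketing path the team already uses.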
Corrupted application software and tools enable threat actors to exploit multiple organizations from a single point of attack. For example, the 2020 SolarWinds attack gave hackers access to 18,000 government entities and Fortune 500 companies, and it set the stage for the devastating Microsoft Exchange server attack, Colonial Pipeline shutdown, and several ransomware sieges. The attack cost U.S. companies an average of 14% of their annual revenue.
The bottom line is that in today’s threat landscape, every organization needs to have eyes on all of its data, especially the data comprising its IT, cloud, and security infrastructures. Flying Cloud CrowsNest enables you to track and defend that data, so you can begin to close the gaps and shut the doors to opportunistic cybercriminals.