The U.S. Health Sector Cybersecurity Coordination Center (HC3) has recently released a white paper to raise the health sector’s awareness of the living-off-the-land techniques threat actors use to achieve persistence, escalate privileges, conduct reconnaissance, and move laterally within a network without detection.
According to HC3, threat actors adopt the same software that network administrators and red team professionals use and turn it against a victim’s systems. Because these tools are already installed, the actor avoids downloading potentially harmful files from the Internet; the malicious activity blends into the logs of the sites where the tools are used legitimately, and the same tools can carry out operations in the system’s memory to evade its data safeguards. Since these tools are already present on the network, conventional security measures such as blocking malicious domains and file hashes are useless against them. The tools frequently utilized by threat actors include:
- Cobalt Strike, a penetration testing and red team tool,
- PowerShell, Microsoft’s scripting language and command-line tool,
- Mimikatz, a post-exploitation credential theft tool,
- Sysinternals, Windows system utilities,
- AnyDesk, remote desktop software, and
- Brute Ratel, a customized command and control center tool.
These tools can be very difficult to defend against. Because they also serve as legitimate tools for systems and administrators, identifying when a tool is being used maliciously is very challenging. For example, Cobalt Strike is frequently used by penetration testers to examine the risks and vulnerabilities of a system; however, the tool is also often abused by malicious actors to conduct exploitative actions, transfer data, and control systems. Similarly, AnyDesk is used by system owners to provide remote IT support, and for this reason connections between users are encrypted, which makes malicious activity harder to identify.
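Since a hash or domain block list gives no signal for a tool that is legitimately installed, defenders have to score the context of each execution instead. The following Python triage routine is an added example, not part of the HC3 paper: it runs over constructed process-creation records (hypothetical hosts, users and an allowlist) and flags PowerShell, PsExec and AnyDesk launches only when their parent process, command line, or user/host combination departs from expected use.

```python
import re
from dataclasses import dataclass
# Added example, not from the HC3 paper: hosts, users and events are constructed.
@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str
# Dual-use tools named in the HC3 paper. A file-hash or domain block list cannot
# tell their legitimate use from abuse, so the signal has to come from context.
LOTL_TOOLS = {"powershell.exe", "psexec.exe", "anydesk.exe"}
# Hypothetical allowlist: where each remote-admin tool is expected, and by whom.
EXPECTED = {
    "anydesk.exe": {"users": {"helpdesk"}, "hosts": {"it-jump01"}},
    "psexec.exe": {"users": {"sccm-svc"}, "hosts": {"sccm01"}},
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event deserves analyst attention ([] = benign)."""
    image = ev.image.lower()
    if image not in LOTL_TOOLS:
        return []
    reasons = []
    expected = EXPECTED.get(image)
    if expected and (ev.user not in expected["users"] or ev.host not in expected["hosts"]):
        reasons.append(f"{image} run outside its expected users/hosts")
    if ev.parent.lower() in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by an Office application")
    if image == "powershell.exe" and ENCODED_FLAG.search(f" {ev.cmdline} "):
        reasons.append("encoded PowerShell command line")
    return reasons

def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Keep only the events with at least one reason (the analyst queue)."""
    return [(ev, r) for ev in events if (r := score_event(ev))]

# Constructed sample: both PowerShell launches are the same binary (same hash),
# yet only one of them deserves an alert.
SAMPLE = [
    ProcEvent("it-jump01", "helpdesk", "explorer.exe", "AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("bk01", "backup-svc", "services.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent("ws-0042", "jdoe", "WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws-0042", "jdoe", "cmd.exe", "AnyDesk.exe", "AnyDesk.exe --install"),
]
if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE):
        print(f"{ev.host}/{ev.user} {ev.image}: {'; '.join(reasons)}")
```

In practice the allowlist comes from the organisation's own inventory of who is authorised to run each remote-admin tool, which is exactly the benefit-versus-risk review the white paper asks health sector organisations to perform.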
According to HC3, the Department of Health and Human Services neither supports nor opposes the use of these technologies, but instead advises that organizations in the health sector carefully consider these tools, compare the benefits and dangers, and decide if the benefits outweigh the risks.