LightCyber found that attackers were also using VMware vSphere Client, the management utility for VMware vSphere Server virtualization, and PowerShell, built-in and enabled on many Windows platforms.
Remote desktop software let attackers access new hosts and remotely control compromised devices, much the same way IT administrators rely on them to perform maintenance and support tasks like installing and upgrading software. Once attackers guess the user credentials, they can burrow deeper into the network while posing as legitimate users.
This is what likely happened recently with TeamViewer, with users claiming attackers accessed their system via the remote desktop tool and drained PayPal accounts. TeamViewer was also implicated in attacks against TalkTalk customers where fraudulent tech support representatives tried to get access to their machines.
TeamViewer, Ammy Addminn, and LogMeIn, are typically used to control computers from outside the network, while VNC and Remote Desktop Connection are used from within the network. Defenders need to monitor all remote desktop connections and enforce strong authentication to prevent credential theft. TeamViewer, for example, supports two-factor authentication.
And it's not just third-party tools. Attackers can also use mundane applications like web browsers, file transfer clients and native system tools for their malicious purposes. Malicious plugins and toolbars let command-and-control servers communicate with the infected system.
"Web browsers and other 'good' apps, in the hands of malicious insiders and external attackers, can become weapons to carry out costly attacks," LightCyber said.
LightCyber's findings highlight that organizations can't just focus on malware activity to detect breaches. A few days typically pass between the time when attackers get into the network and when data exfiltration occurs, but if the defenders don't monitor the network for suspicious usage patterns from their normal IT tools, they can't stop the attackers in time. This explains why it takes organizations so long to detect breaches -- FireEye's Mandiant noted in its latest M-Trends report the average dwell time is 146 days.
While organizations must stay on top of vulnerabilities and block malware infections, that is just the beginning. They also need to understand how different software and applications are used within their network to identify potential red flags. When threat actors use networking tools, administration utilities, and remote desktop applications in the network for reconnaissance and lateral movement, then defenders can uncover them only by looking for anomalous behaviors.
"Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware," said Jason Matlof, executive vice-president of LightCyber.
Sign up for MIS Asia eNewsletters.