Living off the Land: How Threat Actors are Leveraging Remote Management Tools in Cyber Attacks

In by Fortress SRM

By: Will Hudec, Director, Incident Response, Fortress Security Risk Management

In cybersecurity, the term “living off the land” refers to a type of attack technique that enables an attacker to evade security software detection while blending into the victim’s network, using legitimate tools and utilities that are already installed on the target system instead of using malicious software. Some examples of tools that can be used for “living off the land” attacks include PowerShell, Remote Management Tools, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP). This attack technique has become increasingly popular among cybercriminals and state-sponsored hacking groups.

Remote management tools are software programs that allow remote control and management of a device or network. They are widely used in IT environments as they offer many benefits such as reduced costs, increased productivity, and better efficiency. However, remote management tools also present a significant security risk as threat actors can exploit them to conduct sophisticated malicious activities.

A CrowdStrike analysis of the threat landscape and adversary universe revealed that 6 in 10 detections (62%) indexed by the CrowdStrike Security Cloud in the final quarter of 2021 were malware-free. Instead, adversaries were leveraging legitimate credentials and built-in tools — a hallmark of living off the land attacks — to advance the attack path. CISA (Cybersecurity and Infrastructure Security Agency) issued a joint advisory earlier this year warning organizations of the increase of this threat

Threat actors use remote management tools for various insidious purposes, such as:

  1. Gaining unauthorized access to a system. Threat actors can use remote management tools to gain access to a system without needing to physically be in the same location as the targeted device. This is particularly useful for threat actors who operate from a different country or region than their target.
  2. Evading detection. Remote management tools are legitimate software programs that are commonly used in IT environments, making it difficult for security software to detect their use. This makes it easier for threat actors to remain undetected while conducting their malicious activities.
  3. Persistence. Threat actors can use remote management tools to establish persistence on a system. By creating a backdoor using a remote management tool, they can maintain access to the system even if other malware is detected and removed.
  4. Moving laterally. Remote management tools can be used to move laterally within a network. Once access has been gained to one device, threat actors can use remote management tools to move to other devices within the same network.

Recent “Living off the Land” examples:

Solar Winds

In the SolarWinds supply chain attack which was discovered in December 2020, threat actors compromised SolarWinds’ Orion software, which is a remote management tool used by thousands of organizations. The attackers then used this tool to gain access to various organizations, including U.S. government agencies, by installing a backdoor that allowed them to move laterally within the network.

Colonial Pipeline

The attackers used a virtual private network (VPN) account with an unused username and password that they had purchased on the dark web to gain access to this major U.S. pipeline’s network. Using a remote management tool, they moved laterally within the network and installed ransomware on various systems leading to a shutdown of the pipeline and a gas shortage in the Southeastern United States.

Conclusion

By offering an easy and effective way to gain unauthorized access to a system, evade detection, establish persistence, and move laterally within a network, remote management tools are a growing and dangerous trend.

As hybrid and remote work becomes more prevalent, the use of remote management tools is likely to increase, and organizations need to take the necessary steps to secure these tools to thwart attacks. This includes implementing multi-factor authentication, limiting access to remote management tools, and monitoring their use for suspicious activity.

There are several actions that organizations can take now to mitigate the risk of attacks that utilize remote management tools:

  1. Limit access to remote management tools. Organizations should limit access to remote management tools only to authorized personnel who require it for their job functions. This can help reduce the risk of unauthorized access and misuse of the tools.
  2. Implement multi-factor authentication. Organizations should require multi-factor authentication for remote management tools. This can help prevent unauthorized access even if an attacker has obtained a valid username and password.
  3. Remove local admin rights. Organizations should not allow users to install applications on their systems without proper approval and oversight. Implementing systems such as Microsoft LAPS can assist with mitigating unapproved software being installed on a device.
  4. Monitor remote management tool activity. Organizations should monitor the use of remote management tools for any suspicious activity, such as unauthorized logins or unusual commands.
  5. Keep remote management tools updated. Organizations should ensure that remote management tools are updated to the latest version and patches. This can help reduce the risk of known vulnerabilities being exploited by threat actors.
  6. Conduct regular security assessments. Organizations should conduct regular security assessments to identify vulnerabilities in their networks and systems. This can help identify any potential weaknesses that threat actors may exploit.
  7. Implement network segmentation. Organizations should implement network segmentation to limit the lateral movement of threat actors within the network. This can help prevent an attacker from moving laterally within the network and accessing sensitive data or systems.
  8. Train employees on cybersecurity best practices. Organizations should train their employees on cybersecurity best practices, such as how to recognize and report suspicious activity, how to create strong passwords, and how to identify phishing emails. This can help reduce the risk of human error leading to a successful attack.

By implementing these recommendations, organizations can reduce the risk of attacks that utilize remote management tools and better protect their networks and systems. It is important for organizations to stay vigilant and proactive in their cybersecurity efforts to stay ahead of evolving threats and prevent the bad guys from “living off the land.”

If you’d like to have a confidential conversation with one of our cybersecurity experts to improve your cyber safety, we’re here to help.

About Fortress: 
Fortress Security Risk Management protects companies from the financial, operational, and emotional trauma of cybercrime by enhancing the performance of their people, processes, and technology.  

Offering a robust, co-managed solution to enhance an internal IT team’s capability and capacity, Fortress Security Risk Management features a full suite of managed security services (24/7/365 U.S. based monitoring, cyber hygiene (managed patching),  endpoint detection and response (EDR), and air-gapped and immutable cloud backups) plus specialized services like Cybersecurity-as-a-Service, Incident Response including disaster recovery & remediation, M&A cyber due diligence, GRC advisory, identity & access management, threat intelligence, vulnerability assessments, and technical testing. With headquarters in Cleveland, Fortress supports companies with both domestic and international operations. 

In Case of Emergency: 
Cyber Attack Hotline: 888-207-0123 | Report an Attack: IR911.com  

For Preventative and Emergency Resources, please visit: 
RansomwareClock.org