Legitimate tools used by IT/system administrators have become valuable cybercriminal targets because of the privilege they provide for greater network access. While malware threats continue to evolve and proliferate, sysadmin tools have opened wider gates for them to deploy blindsiding attack tactics.
The Petya outbreak that infected many European organizations demonstrated the large-scale damage that could stem from abusing PsExec and the Windows Management Instrumentation (WMI). PowerShell has also seen multiple incidents of abuse over the years. From the Poweliks Trojan downloader, the information stealer FAREIT, and banking malware VAWTRAK to ransomware families such as PowerWare, and Cerber version 6, Powershell has been favored by attackers because it is easy to write and simple to obfuscate. In addition, malicious PowerShell scripts are a key ingredient of a lot of fileless malware that are capable of stealthily breaking into networks.
Remote desktop protocol (RDP), which is currently used by more than five million internet endpoints, is also no stranger to abuse. Last year, businesses in Australia and New Zealand got hit by RDP brute force attacks from ransomware operators.
To mitigate these threats, IT/system administrators can use the following best practices:
Properly categorize users and the networks they access to segment user privileges and network traffic. The risk of exposure to threats can be reduced by only granting enough access or privilege for a user to accomplish his task, or an application to be run.
Implementing two-factor authentication, account lockout policies and setting user permission/restriction rules can help defend against RDP brute force attacks. A bastion host that only allows access to certain IP addresses can also be implemented to reduce and withstand possible attacks.
Moreover, access should be limited to other management protocols such as VNC and SSH. Using a public key infrastructure (PKI) instead of knowledge-based passwords to access protocols like SSH is recommended to achieve a more secure authentication method. Granting limited access to other sensitive ports like TCP 135, 445, 1433 (MSSQL), 3306 (MySQL), and even web management consoles like phpMyAdmin is also recommended as they are popular targets in the wild.
Ensuring that the operating system, software, and other applications are updated with the latest patches prevents threats from exploiting security gaps. This year, the success of attacks by WannaCry, UIWIX, and Adylkuzz have illustrated the consequences of overlooking unpatched vulnerabilities. Employing virtual patching is also an option for shielding systems and networks from unknown vulnerabilities, even without a patch.
For whitelisted applications that have become favorite targets by fileless malware operators, a robust patch management policy that balances business productivity and security is recommended.
Cyber-educate IT/security administrators
Organizations should conduct regular training to ensure that IT/sysadmins have a solid understanding of company security policy and procedure. Vigilantly monitoring the misuse of sysadmin tools can help organizations prevent threats from entering their network.
Sysadmin tools are responsible for making sure that systems and networks are not interrupted so business operations are kept up and running. Besides the abovementioned recommended practices, here are some other recommendations they can take to prevent sysadmin tools from being misused: