CAMO (Commercial Applications, Malicious Operations) is ReliaQuest's term for attackers' growing use of legitimate IT tools to bypass security controls. With software that is already trusted in the environment, adversaries spread ransomware, scan networks, move laterally, and establish command-and-control, and because the activity looks like ordinary administration it often misleads security personnel during investigations.
Cybercriminals increasingly exploit legitimate software to carry out attacks, disguising malicious activity as routine IT operations. This tactic rose significantly in 2024 and poses a growing threat to organizations worldwide.
The technique abuses the intended functionality of legitimate software, much of it open-source or cracked (illegally modified), so that an adversary's actions pass as sanctioned administration. Because the tools are legitimate they are not blocked by security policies, and because many organizations lack a comprehensive inventory of the software running in their environment, their misuse is difficult to detect.
Adversaries on cybercriminal forums routinely discuss legitimate tools for malicious use, sharing which tools they prefer, what advantages each offers, and how to avoid detection. For example, they frequently discuss software deployment tools such as PDQ Deploy and command-line programs such as Rclone for data exfiltration.
Attackers are increasingly turning to legitimate software such as SoftPerfect's network scanner and remote monitoring and management (RMM) tools, whether cracked or simply misused, because these give them a stealthy means of initial access and lateral movement.
The widespread availability of free or cracked versions of these tools lowers the barrier to entry for attackers, enabling them to execute more sophisticated attacks.
The Medusa ransomware group used PDQ Deploy to spread ransomware in a compromised environment, evading detection by blending in with legitimate PDQ Deploy activity. The attackers obtained initial access through a compromised VPN account and dumped credentials to extend their access.
PDQ Deploy, a legitimate application deployment tool, was then used by Medusa to distribute and execute the ransomware across multiple Windows hosts.
On execution, the ransomware created the file “!!!READ_ME_MEDUSA!!!.txt” on each affected system. The case shows how readily threat actors adapt legitimate software to circumvent traditional ransomware mitigations: a deployment tool that is already permitted to push executables across the estate is an ideal delivery channel.
Network segmentation is a key mitigation for ransomware. By creating distinct network zones with VLANs, firewalls, ACLs, and network access control (NAC), organizations can isolate sensitive data and critical systems and limit how far a successful breach can spread.
Attackers also leveraged Total Software Deployment to install ScreenConnect on multiple hosts, giving them persistent remote access to the compromised systems and facilitating lateral movement.
This abuse of trusted tools shows that the attackers understood enterprise security measures and how to bypass detection; it hinders containment efforts and raises the risk of total compromise.
The “Inc Ransom” group gained initial access by exploiting a SQL injection vulnerability in an EMS application, installed the RMM tool AnyDesk for command and control, and used SoftPerfect's scanner to identify vulnerable systems on the network.
They exfiltrated data with Restic, a backup utility, renamed to “winupdate.exe” to evade detection. To mitigate this, organizations should block unauthorized cloud services, allowlist only approved backup utilities, and monitor access to restricted data.
Black Basta exploited the legitimacy of RMM tools such as AnyDesk in a social engineering campaign: by impersonating IT support, the group persuaded users to grant access to their systems and then stole credentials.
To mitigate this, ReliaQuest recommends restricting access to unauthorized RMM tools and allowlisting only approved vendors and geographic locations.
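One way to turn the allowlisting and monitoring advice above into something a SOC can run, covering the renamed-backup-tool and unsanctioned-RMM cases as well as the estate-wide push seen with PDQ Deploy in the Medusa intrusion: the Python below is an added example written for this article, not ReliaQuest's code or any vendor's detection content. It applies hunt rules to Sysmon Event ID 1 (process creation) records. A tool is identified by its PE OriginalFileName, or by a known binary hash when the executable carries no version resource, rather than by the name on disk, so a Restic renamed to winupdate.exe still registers as Restic; backup/transfer and RMM tools absent from the organization's allowlist are flagged; and any binary the deployment runner launched on several hosts is reported. All events, hashes, allowlist entries, and the deployment-runner process name are constructed assumptions for the demonstration.

```python
"""Hunt rules for CAMO-style tool abuse in Windows process-creation telemetry.

Added example for this article; not ReliaQuest's or any vendor's code. Field
names mirror Sysmon Event ID 1 (Computer, Image, OriginalFileName, Hashes,
ParentImage). Every event, hash, and allowlist entry below is constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed organizational inventory; an analyst would substitute the real one.
APPROVED_BACKUP_TOOLS = {"veeam.backup.manager.exe"}
APPROVED_RMM_TOOLS = {"screenconnect.clientservice.exe"}  # assumed sanctioned RMM

# Dual-use tools keyed by lowercase OriginalFileName from the PE version resource.
EXFIL_TOOLS = {"rclone.exe", "restic.exe", "winscp.exe"}
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

# A binary without a version resource has no OriginalFileName to betray a
# rename, so the hash of the known release binary is the fallback identifier.
# Placeholder hash, not a real Restic release hash.
RESTIC_HASH = "SHA256=" + "ab" * 32
KNOWN_TOOL_HASHES = {RESTIC_HASH: "restic.exe"}

# Assumed name fragment of the deployment tool's target-side runner process.
DEPLOYMENT_RUNNER_HINT = "pdqdeployrunner"


def identify_tool(event):
    """Canonical lowercase tool name: OriginalFileName, else hash, else basename."""
    original = event.get("OriginalFileName", "-")
    if original and original != "-":  # Sysmon writes "-" when the PE lacks one
        return original.lower()
    for h in event.get("Hashes", "").split(","):
        if h in KNOWN_TOOL_HASHES:
            return KNOWN_TOOL_HASHES[h]
    return PureWindowsPath(event["Image"]).name.lower()


def analyze_event(event):
    """Return the findings (strings) for one process-creation event."""
    findings = []
    basename = PureWindowsPath(event["Image"]).name.lower()
    tool = identify_tool(event)
    if tool != basename:
        findings.append(f"renamed binary: {basename} is really {tool}")
    if tool in EXFIL_TOOLS and tool not in APPROVED_BACKUP_TOOLS:
        findings.append(f"unapproved backup/transfer tool: {tool}")
    if tool in RMM_TOOLS and tool not in APPROVED_RMM_TOOLS:
        findings.append(f"unapproved RMM tool: {tool}")
    return findings


def mass_deployment(events, min_hosts=3):
    """Map hash -> sorted hosts for binaries the deployment runner launched on
    at least min_hosts machines, the footprint of a package pushed estate-wide."""
    hosts_by_hash = defaultdict(set)
    for ev in events:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        if DEPLOYMENT_RUNNER_HINT in parent:
            hosts_by_hash[ev.get("Hashes", "")].add(ev["Computer"])
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items()
            if len(hosts) >= min_hosts}


def _event(computer, image, original, hashes, parent):
    return {"Computer": computer, "Image": image, "OriginalFileName": original,
            "Hashes": hashes, "ParentImage": parent}


# Constructed sample telemetry: a renamed Restic, an unsanctioned AnyDesk, the
# approved RMM client, and one binary pushed to three hosts by the runner.
SAMPLE_EVENTS = [
    _event("WS01", r"C:\Users\Public\winupdate.exe", "-", RESTIC_HASH,
           r"C:\Windows\System32\cmd.exe"),
    _event("WS02", r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe",
           "SHA256=" + "cd" * 32, r"C:\Windows\explorer.exe"),
    _event("SRV01",
           r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
           "ScreenConnect.ClientService.exe", "SHA256=" + "ef" * 32,
           r"C:\Windows\System32\services.exe"),
] + [
    _event(f"WS1{i}", r"C:\Windows\Temp\svc.exe", "-", "SHA256=" + "01" * 32,
           r"C:\Windows\AdminArsenal\PDQDeployRunner-1.exe")  # assumed runner path
    for i in range(1, 4)
]


def hunt(events=SAMPLE_EVENTS):
    """Run both rules; returns ({host: findings}, {hash: hosts})."""
    per_host = {ev["Computer"]: analyze_event(ev) for ev in events}
    return {h: f for h, f in per_host.items() if f}, mass_deployment(events)


if __name__ == "__main__":
    host_findings, pushes = hunt()
    for host, findings in host_findings.items():
        print(host, "->", "; ".join(findings))
    for h, hosts in pushes.items():
        print("mass deployment of", h[:16], "... on", hosts)
```

The mass-deployment rule is deliberately blind to intent: a legitimate patch rollout trips it just as the Medusa push would, and that is the point, since a deployment tool is expected to fan out and the analyst's job is to confirm that each fan-out was a scheduled package. Hash matching is the more robust identifier for renamed tools, but it only catches releases already in the hash set, so OriginalFileName and command-line heuristics remain worth keeping alongside it.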