sb-au logo
Story image

Remote administration tools bring unexpected threats to industrial networks

Legitimate remote administration tools (RAT) pose a serious threat to industrial networks: they are installed on 31.6% of industrial control system (ICS) computers, but often remain unnoticed until the organisation’s security team finds out that criminals have been using a RAT to install ransomware or cryptocurrency mining software, or to steal confidential information or even money. 

This was discovered by Kaspersky Lab security experts, who conducted dedicated research into the problem.

RATs are legitimate software tools that allow third parties to access a computer remotely. They are often used legitimately by employees at industrial enterprises to save resources, but can also be used by malicious actors for stealthy privileged access to targeted computers.

According to a report published by Kaspersky Lab ICS CERT, RATs are incredibly widespread across all industries: nearly one-third of ICS computers protected by Kaspersky Lab products have RATs installed on them. 

Even more importantly, almost one RAT in five comes bundled with ICS software by default. This makes them less visible to system administrators and, consequently, more attractive to threat actors.

According to the research, malicious users utilise RAT software to:

1. Gain unauthorised access to the targeted network.

2. Infect the network with malware to conduct espionage, sabotage and make illegal financial profits through ransomware operations or by accessing financial assets via the networks attacked.

The most significant threat posed by RATs is their ability to gain elevated privileges in the system attacked. In practice, it means gaining unlimited control over an industrial enterprise, which can result in significant financial losses, as well as a physical catastrophe. 

Such capabilities are often gained through a basic brute force attack, which involves trying to guess a password by trying all possible character combinations until the correct one is found. While brute force is one of the most popular ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself.   To reduce the risk of cyber attacks involving RATs, Kaspersky Lab ICS CERT recommends implementing the following technical measures:

1. Audit the use of application and system remote administration tools used on the industrial network, such as VNC, RDP, TeamViewer, RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.

2. Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.

3. Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.

Story image
Video: 10 Minute IT Jams - Who is Vectra AI?
Today, Techday spoke with Vectra AI head of security engineering Chris Fisher, who discusses the company's key products and offerings, updates on its operations in the A/NZ region, and the latest improvements on its products.More
Story image
Malware and email scams targeting employees spread rapidly in Q2
"Businesses must stay alert and should employ defense-in-depth tactics and equip themselves with multilayered security mechanisms, including high-sensor spam filters and a VPN connection, which would prevent malicious pages from opening."More
Story image
Ripple20 threat could affect 35% of all IT environments – ExtraHop
The vulnerabilities have the potential to ‘ripple’ through complex software supply chains, enabling attackers to steal data or execute code.More
Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More
Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More
Story image
75% of IT execs 'worried' about being targeted in cyber-attack
A new report from ConnectWise has shed light on the widespread concern about cyber-attacks, with 91% of SMB executives considering a move to an MSP if it provided the 'right' solution.More