Legitimate RATs Pose Serious Risk to Industrial Systems

Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns.

A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).

The highest percentage of ICS computers with RATs was found in Kazakhstan, where over half of all analyzed systems had a remote admin tool installed. In the United States, 29% of the devices monitored by Kaspersky had a legitimate RAT. It’s worth noting that these figures do not include the remote desktop tool that ships with Windows by default.

Industrial organizations may use RATs to control or monitor HMIs or SCADA systems from a workstation, to connect multiple operators to one workstation, or to connect computers on the corporate network to devices on the OT network.

“Some of [these scenarios] indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes,” Kaspersky researchers said.

In 18% of cases observed by the security firm, legitimate RATs were installed as part of the ICS software distribution package, while the rest were specifically installed by employees or suppliers. There are also cases where attackers stealthily install RATs to gain access to the targeted organization’s systems.

Legitimately installed tools can introduce serious security risks: they often require elevated privileges, they don’t support two-factor authentication, they don’t restrict a remote user’s local access, they are affected by vulnerabilities, and they use relay servers for reverse connections, which bypasses security restrictions applied at the network perimeter.

“The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world,” researchers explained.

Another problem with the use of RATs is that they make it very difficult for security services and teams to distinguish legitimate activity from malicious activity.

Kaspersky has seen several attacks in which malicious actors installed tools such as TeamViewer or Remote Manipulator System (RMS) themselves. In the case of a car manufacturer, however, experts found that hackers had abused a tool installed for legitimate purposes after obtaining its access credentials.

“The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult,” Kaspersky said.
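The difficulty described above, telling legitimate RAT sessions from abused ones, can be reduced by checking RAT activity on ICS hosts against an approved inventory. The script below is an added example, not code from the article or from Kaspersky; the hosts, IP ranges, binary names (including `rutserv.exe` as the assumed RMS service executable), maintenance window and log lines are all constructed for the demonstration.

```python
# Added example: triage remote-administration-tool activity on ICS hosts
# against an approved inventory. Every host, IP, binary and log line is constructed.
from datetime import datetime
import ipaddress

# Hypothetical inventory: which RAT executables are sanctioned on which ICS host.
APPROVED_RATS = {
    "HMI-01": {"TeamViewer.exe"},
    "ENG-WS-02": {"rutserv.exe"},   # assumed RMS service binary name
}
# Remote access is expected only from the internal jump-host network ...
APPROVED_JUMP_NET = ipaddress.ip_network("10.20.0.0/24")
# ... and only during the maintenance window (08:00-17:59 local).
MAINTENANCE_HOURS = range(8, 18)
# Hypothetical watch list of RAT executables to look for in the logs.
RAT_BINARIES = {"TeamViewer.exe", "rutserv.exe", "AnyDesk.exe"}

# Constructed connection log: "<timestamp> <host> <process> <remote_ip>:<port>"
LOG = """\
2018-06-12T09:15:02 HMI-01 TeamViewer.exe 10.20.0.15:5938
2018-06-12T02:40:11 HMI-01 TeamViewer.exe 192.0.2.17:5938
2018-06-12T10:05:44 PLC-GW-03 AnyDesk.exe 203.0.113.9:443
2018-06-12T11:00:00 ENG-WS-02 rutserv.exe 10.20.0.15:5655
2018-06-12T11:02:00 ENG-WS-02 rutserv.exe 198.51.100.77:5655
"""

def triage(log: str) -> list[tuple[str, str, str]]:
    """Return (host, process, reason) for each RAT event that violates policy.

    unapproved-install: RAT running on a host where the inventory does not list it
    external-relay:     connection leaves the jump-host network, i.e. a reverse
                        connection through a vendor relay rather than the jump host
    outside-window:     activity outside the agreed maintenance hours
    """
    findings = []
    for line in log.splitlines():
        ts, host, proc, endpoint = line.split()
        if proc not in RAT_BINARIES:
            continue
        ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
        hour = datetime.fromisoformat(ts).hour
        if proc not in APPROVED_RATS.get(host, set()):
            findings.append((host, proc, "unapproved-install"))
        if ip not in APPROVED_JUMP_NET:
            findings.append((host, proc, "external-relay"))
        if hour not in MAINTENANCE_HOURS:
            findings.append((host, proc, "outside-window"))
    return findings

if __name__ == "__main__":
    for finding in triage(LOG):
        print(*finding)
```

A RAT that is in the inventory but reaches out to a relay on the Internet is exactly the case the report describes, so it is flagged even when the binary itself is sanctioned.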

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
