Legitimate remote administration tools (RAT) pose a serious threat to industrial networks
Legitimate remote administration tools (RAT) pose a serious threat to industrial networks: they are installed on 31.6% of industrial control system (ICS) computers, but often remain unnoticed until the organisation’s security team finds out that criminals have been using a RAT to install ransomware or cryptocurrency mining software, or to steal confidential information or even money. This was discovered by Kaspersky Lab security experts, who conducted dedicated research into the problem.
RATs are legitimate software tools that allow third parties to access a computer remotely. Employees at industrial enterprises often use them legitimately to save resources, but malicious actors can also use the same tools to gain stealthy privileged access to targeted computers.
According to a report published by Kaspersky Lab ICS CERT, RATs are incredibly widespread across all industries: nearly one third of ICS computers protected by Kaspersky Lab products have RATs installed on them. Even more importantly, almost one RAT in five comes bundled with ICS software by default. This makes them less visible to system administrators and, consequently, more attractive to threat actors.
According to the research, malicious users utilise RAT software to:
- Gain unauthorised access to the targeted network;
- Infect the network with malware to conduct espionage or sabotage, and to make illegal financial profits through ransomware operations or by accessing financial assets via the compromised networks.
The most significant threat posed by RATs is that they give an attacker elevated privileges on the compromised system. In practice, this means near-total control over an industrial enterprise, which can result in significant financial losses as well as physical catastrophe. Such control is often gained through a basic brute-force attack, in which the attacker guesses the RAT password by trying candidate passwords (up to all possible character combinations) until the correct one is found. While brute force is one of the most common ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself.
“Given the vulnerabilities that remote administration tools (RATs) present, there are a worrying number of industrial control system (ICS) computers that have these installed. Many organisations underestimate how great the potential risk associated with RATs is. Recently, Kaspersky Lab has observed attacks on an automotive company, where one of the computers had a RAT installed on it. There were regular attempts to install various malware on the computer over a period of several months. Our solutions blocked such attempts at least twice a week. Had this organisation been unprotected, the consequences would have been unpleasant – to say the least. However, this isn’t to say that companies should immediately remove all RAT software from their networks. These are very useful applications that are able to save businesses time and money. With this said, their presence on a network should be treated with care, particularly on ICS networks, which are often part of critical infrastructure facilities,” said David Emm, Principal Security Researcher at Kaspersky Lab.
To reduce the risk of cyberattacks involving RATs, Kaspersky Lab ICS CERT recommends implementing the following technical measures:
- Audit the application-level and system-level remote administration tools in use on the industrial network. Remove all remote administration tools that are not required by the industrial process.
- Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
- Closely monitor and log events for each remote-control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
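The three recommendations above amount to one repeatable control: know which remote administration tools are present on each ICS host, keep only those the process requires, and allow them to accept connections only inside an approved, time-limited window. The script below is an added example (not code from Kaspersky Lab ICS CERT or from the report) that implements that check over a constructed host inventory and approval list; the host names, tool names and time values are hypothetical sample data, and the inventory itself would in practice come from your software-inventory and port-scan tooling.

```python
"""Audit ICS hosts for remote administration tools (RATs) against an approval list.

Added example, not part of the Kaspersky Lab report or press release.
All host names, tool names and approvals below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-administration tools the audit looks for on each host.
# Hypothetical names; replace with the tools actually present in your estate.
REMOTE_ADMIN_TOOLS = {"vnc-server", "rdp-service", "vendor-remote-tool"}


@dataclass
class Host:
    name: str
    installed: set[str]   # software packages found on the host
    listening: set[str]   # tools currently accepting network connections


@dataclass
class Approval:
    """A request-based, time-limited permission for one tool on one host."""
    host: str
    tool: str
    granted: datetime
    duration: timedelta

    def active(self, now: datetime) -> bool:
        return self.granted <= now < self.granted + self.duration


def audit(hosts: list[Host], approvals: list[Approval], now: datetime) -> list[tuple[str, str, str]]:
    """Return (host, tool, finding) triples for every RAT that violates policy.

    - A RAT with no approval at all is not required by the process: remove it.
    - A RAT that is listening while no approval window is active violates the
      'disabled by default, enabled only on request' rule.
    """
    findings = []
    for host in hosts:
        for tool in sorted(host.installed & REMOTE_ADMIN_TOOLS):
            granted = [a for a in approvals if a.host == host.name and a.tool == tool]
            if not granted:
                findings.append((host.name, tool, "not required by the process: remove or disable"))
            elif tool in host.listening and not any(a.active(now) for a in granted):
                findings.append((host.name, tool, "listening outside an approved access window"))
    return findings


def sample_findings() -> list[tuple[str, str, str]]:
    """Run the audit over constructed sample data at a fixed point in time."""
    now = datetime(2018, 9, 20, 10, 0)
    hosts = [
        # Approved, inside its window: compliant.
        Host("plc-eng-01", {"vnc-server", "scada-hmi"}, {"vnc-server"}),
        # Bundled with vendor software, never approved: should be removed.
        Host("hmi-02", {"vendor-remote-tool", "hmi-runtime"}, {"vendor-remote-tool"}),
        # Approval expired two days ago but still listening: violation.
        Host("historian-03", {"rdp-service"}, {"rdp-service"}),
        # Approval expired, but the tool is disabled: compliant.
        Host("ws-04", {"rdp-service"}, set()),
    ]
    approvals = [
        Approval("plc-eng-01", "vnc-server", now - timedelta(hours=1), timedelta(hours=4)),
        Approval("historian-03", "rdp-service", now - timedelta(days=2), timedelta(hours=8)),
        Approval("ws-04", "rdp-service", now - timedelta(days=2), timedelta(hours=8)),
    ]
    return audit(hosts, approvals, now)


if __name__ == "__main__":
    for host, tool, finding in sample_findings():
        print(f"{host}: {tool}: {finding}")
```

Run on a schedule, the audit turns the report's advice into a log line per violation; pairing it with the session logs the third recommendation calls for lets you confirm that every connection to a RAT falls inside a window that someone actually requested.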
Read the full report on the Kaspersky Lab ICS CERT website.
About Kaspersky Lab ICS CERT
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the industrial internet of things. During its first year of operation, the team identified over 110 critical vulnerabilities in products by major global ICS vendors. Kaspersky Lab ICS CERT is an active member and partner of leading international organisations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com