Vectra comments on FBI security alert to US private sector
February 2020 by Vectra
The comment by Matt Walmsley, EMEA Director at Vectra on the FBI sending a security alert to the US private sector about hacking campaigns targeting supply chain software providers:
‘Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunity for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of NotPetya which was embedded into an update service of the popular Ukrainian accounting application M.E. Doc, or the malware that was stealthily placed inside the updates for Avast’s CCleaner.
Whilst it’s good to see government agencies warn about, and provide identification signature profiles for RATs such as Kwampirs, the pathways and services that RATs exploit remain open and hard to monitor for many organisations. Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organisations exhibit a form of malicious RDP behaviours. This type of behavioural detection approach (instead of trying to perfectly fingerprint each RATs’ signature) can be achieved with machine learning models designed to identify the unique behaviours of RATs. By analysing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behaviour without prior knowledge of the attack, or individual RAT’s code.’