Protecting The Business From RAT Infestation
Curt Wilson, research analyst at Arbor Networks, tells you how to get rid of nasty RATs
Remote Access Trojans (RATs) are one of the most dangerous tools in attackers’ arsenals. Over the past few years a number of different types of RAT, such as Dark Comet, have made headlines because they have been used in high profile espionage attacks against governments and organisations.
A RAT is computer software that includes a back door for administrative control over a target computer. RATs can be used for legitimate purposes, but when criminal attackers wield them they can be very dangerous. They are normally downloaded invisibly, or as part of a “social engineering” campaign. Once a host system is compromised, an intruder can use it to distribute additional RATs or other malware to other vulnerable computers.
RATs in control
Once a RAT is installed on a machine, the intruder can do just about anything on the targeted computer, including: monitoring keystrokes, controlling file upload/download, stealing files, stealing passwords or access keys, accessing network resources such as file shares, email, databases and source code repositories, spying via webcam or microphone, and downloading and installing additional malware.
Attackers with a specific goal in mind will often move laterally once the network has been compromised. Any additional vulnerable resources that the attacker can reach could become stepping-stones on the way to the actual target. Once inside, attackers have been known to create several backdoors for themselves so if one access method is discovered, another can be used in order to regain access to the victim network. These features make RATs a challenging threat to organisations.
But perhaps the nastiest thing RATs do is steal intellectual property. When employed by a focused attacker, a RAT can be used to gain access to core and sensitive areas of an organisation’s network. If a company is infected by a RAT, it is advisable that it contact law enforcement authorities and preserve as much evidence as possible while it undertakes an extensive investigation to determine what assets may have been stolen. Even if an organisation does not deem its digital assets to be of particular value, its network could be linked to another one that contains highly sensitive information, which, in the hands of an attacker, could have disastrous consequences.
However, there are a number of steps organisations can take to minimise the risk of falling victim to a RAT attack. First and foremost, an organisation must identify its digital assets – this will help it to understand its potential level of threat. Once it understands where in the network its most critical assets lie, it can then decide which areas need to have the highest level of protection.
It is also important to understand the network structure. Is the critical information linked to anything within the network which does not have the same level of protection? Attackers will always try to find the weakest link in the chain. One area of an organisation’s network may be deemed low sensitivity so it may not need to be heavily protected. However, organisations must ensure that this area is completely segmented from critical digital assets. Otherwise, attackers could find this is an easy entry point that allows them to burrow deeper into their target. The modern trend of Bring Your Own Device (BYOD) provides more avenues for an attacker, especially if BYOD systems are not secured properly.
Secondly, organisations should implement a robust and frequently reviewed authorisation policy across the network. This means no employee has unnecessary access to the more sensitive areas of the network, and only those with the correct authorisation are granted full access. By limiting access in this way, attackers have a smaller target to hit.
Gone phishing for RATs
One of the most common ways for an organisation to become infected with a RAT is through spear-phishing. This is when an attacker sends a user an email that is disguised to look safe but actually contains malware. Once the email has been opened or the victim clicks on a malicious link, the attacker can deploy a RAT on their system, which may give access to the entire network.
To help combat this particular attack vector, it is vital that organisations properly educate their staff on safe cyber-security practices. As has been demonstrated in previous attacks, basic human weakness is often targeted by attackers.
It is well known that organisations should educate employees not to open emails or download attachments from unknown senders and not click on any suspicious links. This approach helps, yet attackers can spoof email – posing as mail from someone else – and pretend to be part of an expected communication or a communication of interest to the targeted parties. Various types of trickery are used to disguise links, making them look legitimate. These crafty invasions are harder to spot. A review of past RAT campaigns can give organisations an idea of these general attack tactics in use so users can be more aware.
Software flaws
Vulnerable software is one of the other vectors that attackers use to deploy a RAT. Therefore, organisations should ensure that robust software patching processes are in place. Software bugs in web browsers, mail software, Microsoft Office, Java, Acrobat Reader, Flash and other applications have been used by criminal attackers with great success. Recently patched vulnerabilities are commonly attacked, but attackers have also had success using old security holes – in some cases years old – that organisations may not patch for a long period, if ever.
Finally, organisations should also implement technology solutions to keep the network safe from attack. A solid anti-malware package from a reputable vendor can provide some value. Unfortunately, attackers often bypass antivirus software, but it may still provide a valuable alert when it matters most, if that alert can be properly interpreted. Alerts can also be generated in the event of suspicious activity on the host that might indicate a compromise. But because of the challenge of false positives, many organisations may not be running anti-malware applications at the highest security settings, which can give attackers more room to manoeuvre.
While perimeter firewalls and intrusion detection/prevention systems can themselves be a weak link, causing outages during Distributed Denial of Service (DDoS) attacks, it may be helpful to implement internal network firewalls to segment the network and to consider deploying one or more internal Intrusion Detection Systems (IDS) to alert on unusual traffic. Deploying an IDS helps most when it is carefully tuned to detect outbound traffic that matches known RAT traffic patterns. If defenders know their networks well, these unusual outbound traffic patterns can be red flags alerting them to a compromise.
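The outbound-traffic check described above, as an added example that is not part of the article: a small Python script that scans constructed connection-log records for regular "beaconing" from one internal host to one external host, the kind of periodic polling many RATs use to contact their controller. The log format, field names and thresholds are assumptions for illustration.

```python
# Added example (not from the article): flag internal hosts that contact one
# external host at a near-constant interval, a common RAT "beacon" pattern an
# internal IDS can alert on. Log format and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds src dst dport bytes".
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 443 512
1060 10.0.0.5 203.0.113.9 443 510
1120 10.0.0.5 203.0.113.9 443 515
1180 10.0.0.5 203.0.113.9 443 511
1240 10.0.0.5 203.0.113.9 443 513
1005 10.0.0.7 198.51.100.20 443 20000
1300 10.0.0.7 198.51.100.20 443 1400
1700 10.0.0.7 198.51.100.20 443 90000
1730 10.0.0.7 198.51.100.20 443 800
"""

def parse_log(text):
    """Group records into (src, dst, dport) -> sorted connection timestamps."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _bytes = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    for ts_list in flows.values():
        ts_list.sort()
    return flows

def find_beacons(flows, min_conns=4, max_jitter=0.2):
    """Return [(flow_key, interval_seconds)] for flows whose gaps between
    connections are nearly constant. Jitter is stdev/mean of the gaps; a RAT
    polling every N seconds gives a value near zero, human-driven traffic does not."""
    hits = []
    for key, ts_list in flows.items():
        if len(ts_list) < min_conns:
            continue  # too few connections to judge periodicity
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return hits

if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {dst}:{port} every ~{interval}s")
```

The second host in the sample has the same number of connections but irregular timing, so it is not flagged; in practice the thresholds must be tuned against the network's own baseline to keep false positives manageable.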
RATs are highly dangerous and they are popular amongst the ‘bad guys’. Organisations can minimise the risk they pose by providing security departments with adequate resources to detect and respond to such threats. However, like all IT security issues, there is no one-size-fits-all solution. Organisations therefore need to have a good understanding of their own network and identify what areas are most at risk – how is the network structured? Who has access to sensitive data and what level of protection is required? Combining this knowledge with security best practices such as encrypting sensitive data can help provide a robust defence that will help protect the business from a nasty RAT infestation.