Living-off-the-Land Attacks Surge, Attackers Focus on Abusing Legitimate Tools and Services

Cybercriminals have long been using legitimate management and administration tools to break into enterprise networks, move laterally within them, and maintain persistence. Lately, the use of these so-called Living-off-the-Land (LotL) tactics has increased substantially.

The current state of LotL attacks

In a recent report, Kaspersky Lab revealed that malicious actors misused legitimate services in 30% of the cybersecurity incidents it tracked in 2019.
In around 38.6% of those instances, the legitimate tools were used to execute code.
The most frequently abused tools included PowerShell, PsExec, SoftPerfect Network Scanner, and ProcDump.
Threat actors used most of these legitimate tools and services to harvest credentials from memory, evade security mechanisms, and discover services on the network.

Recent headline-grabbing incidents

The TeamTNT APT was caught using the Weave Scope tool as an effective backdoor to infiltrate Docker and Kubernetes platforms. The open-source tool lets attackers gain full control over the infrastructure without needing to deploy any malicious code.
In another analysis, researchers observed malicious actors abusing Google's DNS over HTTPS (DoH) service to deliver a malicious payload to victims' machines.
The card-skimming landscape saw a new twist as cybercriminals affiliated with the Magecart group used the encrypted messaging service Telegram as a channel for sending stolen credit-card information back to their C2 servers.
Iranian hackers reportedly used the Remote Desktop Protocol (RDP) to deploy Dharma ransomware in a targeted attack campaign against Russia, Japan, India, and China.
In mid-June, ESET