Positive Technologies experts conducted a study to identify network attacks and unwanted activity in traffic. According to the results of the analysis, violations of information security regulations were found in 100% of organizations, which could be used by intruders.
Analysts studied the results of pilot projects conducted in 60 companies where the PT Network Attack Discovery (PT NAD) deep traffic analysis system was used. According to the results obtained, violations of information security regulations were identified in all the companies studied, and incidents such as the use of insecure protocols (97% of companies) and remote access software (72%) were found.
Some organizations have been found to be using multiple, insecure protocols at once. In such cases, attackers could intercept information (for example, credentials) that is transmitted over open protocols. Among the software for remote access in organizations where pilot projects were carried out, TeamViewer (70%), AnyDesk (52%) and Ammyy Admin (23%) were used most often.
To minimize the threats associated with the use of remote access tools, experts recommend using only one type of such software (the current version) and delimiting the rights of local and remote users.
Malware activity was detected in 70% of companies. Most often, traces of the work of miners, malware for remote control, and ransomware were found in network traffic.
The researchers concluded that the WannaCry ransomware is still relevant and dangerous, the activity of which was seen in every fifth company. Among spyware, Agent Tesla (found at four companies) and Formbook (at three organizations) are the most popular. Several samples of malware for remote control and espionage were found at two industrial companies at once, which indicates either several facts of compromise, independent of each other, or the loading of additional modules. In one oh financial institution, four programs for espionage and theft of credentials were identified at once.
Suspicious network activity, which includes hiding traffic, getting data from a domain controller, running network scanning tools, was recorded in 93% of the organizations studied.
“Hiding network traffic is one of the main techniques that were identified during traffic analysis: tunneling was detected in 65% of cases, and proxies were detected in 53%,” says Fedor Chunizhekov, an analyst at the Positive Technologies research group. — In order to quietly move around the network and communicate with control servers, attackers can use connections to Tor nodes (detected in 47% of companies), VPN (OpenVPN — in 28% of companies) or non-standard libraries for connecting via the SSH protocol, which is often used by administrators for remote access to resources.
In 17% of companies, multiple failed authentication attempts were identified. According to experts, they may indicate attempts to move through nodes inside the perimeter and move through infrastructure resources. The main danger of such attacks is that user accounts of critical systems and domain administrators can be compromised. It is noted that the usual brute force turned out to be effective in all penetration tests conducted by the company’s experts in 2021-2022.