Just under one third of ICS computers have legitimate remote administration tools (RATs) installed on them, a new survey found.
This poses a serious threat to industrial networks as cybercriminals can use RATs to install ransomware or cryptocurrency mining software, or steal confidential information and money, said researchers from Kaspersky Lab.
In the survey, 31.6 percent of ICS computers protected by Kaspersky Lab products have legitimate RATs installed on them.
Almost one-in-five (18.6 percent) RATs come bundled with ICS software by default. This makes RATs even less visible to system administrators and consequently more attractive to threat actors. RATs are often used legitimately by employees at industrial enterprises to save resources, but attackers can also use them for stealthy privileged access to targeted computers, without the computers' users knowing, until the organization’s security team finds it.
The most significant threat posed by RATs is their ability to gain elevated privileges in the system attacked.
This type of access is often gained through a basic brute-force attack, which guesses a password by trying all possible character combinations until the correct one is found. While brute force is one of the most popular ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself. According to the research, malicious users utilize RAT software to:
• Gain unauthorized access to the targeted network
• Infect the network with malware to conduct espionage and sabotage, and to make illegal financial profits through ransomware operations or by accessing financial assets via the networks attacked.
“The number of ICSs with RATs is worrying, while many organizations don’t even suspect how great the potential risk associated with RATs is,” said Kirill Kruglov, senior security researcher at Kaspersky Lab ICS CERT. “For example, we recently observed attacks on an automotive company, where one of the computers had a RAT installed on it. This led to regular attempts to install various malware on the computer over a period of several months, with our security solutions blocking at least two such attempts every week. However, this doesn’t mean that companies should immediately remove all RAT software from their networks. After all, these are very useful applications, which save time and money. However, their presence on a network should be treated with care, particularly on ICS networks, which are often part of critical infrastructure facilities.”