What’s your biggest concern when it comes to cyberthreats and malware? If you’ve been following cybersecurity trends over the last few years, ransomware might be your focal point when it comes to bolstering network defenses. (For more on ransomware, see The Ability to Combat Ransomware Just Got a Lot Tougher.)
The data shows that attackers aren’t always looking for an immediate payoff: For the first time ever, a remote access Trojan (RAT), which enables hackers to control compromised systems and exfiltrate sensitive data, has appeared in the “Top 10 Most Wanted Malware” list.
Even though they’ve existed for nearly two decades, the truth is that most businesses aren’t prepared for this powerful form of malware.
Why Are Remote Access Trojans such a Threat?
A remote access Trojan is similar to any other Trojan-type malware in that it enters your system disguised as legitimate software. But unlike other Trojans, RATs create backdoors in your systems that give attackers admin control over the infected endpoints.
One reason that RATs have become so common in recent months is that it’s easier than ever for attackers to build them. There are hundreds of different toolkits that give cybercriminals everything they need to build RATs and start distributing them through all kinds of social engineering attacks.
It takes just one employee to open a malicious attachment loaded with a remote access Trojan for attackers to infiltrate your network. This is especially problematic since RATs have proven particularly difficult to detect.
Take the most popular RAT, FlawedAmmyy, as an example. Because FlawedAmmyy is built from the source code behind Ammyy Admin, a common remote desktop software, many security systems will fail to identify suspicious activity on your network.
Once a RAT like FlawedAmmyy has infected your machines, attackers can lay low for days or even weeks, marshaling their ability to:
- Monitor your behavior by installing keyloggers and spyware through the backdoor
- Steal confidential information, personal data and credentials
- Spy on you by activating both the webcam and microphone on your endpoint
- Take screenshots of activity on your screen
- Exfiltrate sensitive data by accessing your file management tools
- Reconfigure device drivers to create new vulnerabilities in your network
With the rise of ransomware and cryptominers, data-based threats like RATs seemed to become less attractive to cybercriminals. However, Check Point threat intelligence group manager Maya Horowitz, says that’s no longer the case:
While cryptominers remain the dominant threat, this may indicate that data such as login credentials, sensitive files, banking and payment information haven’t lost their lucrative appeal to cybercriminals.
But just because attackers are building RATs to look like legitimate software doesn’t mean you’re doomed to suffer an attack. There are practical steps you can take to protect yourself (and your network) from the rise of remote access Trojans. (To learn more about cryptomining, check out Hacking Cryptocurrencies.)
Defending Against Remote Access Trojans
The good news regarding RATs is that you can defend yourself the same way you ward off any other malware threats. However, the volume and sophistication of today’s malware threats have complicated cybersecurity strategies. And for remote access Trojans, the stakes are higher than they are for lesser forms of malware.
First and foremost, a RAT defense strategy depends on enterprise-wide security awareness training. Human error is the underlying cause of over 90 percent of security incidents and there’s no exception when it comes to RATs. Because this malware is generally executed through infected links and attachments in phishing campaigns, you need employees to be hyper-vigilant to avoid unintentionally compromising your network.
However, security awareness training will only get you so far. No matter how much training you invest in, people will still make mistakes. You need a multi-layered defense strategy that combines different security appliances and software solutions to provide effective protection for your endpoints. To defend against RATs and other dangerous malware, your multi-layered defense should include:
- Strict access control procedures: RATs are often used to compromise admin credentials that provide access to more valuable data on your network. With strict access controls, you can limit the impact of compromised credentials. This means implementing two-step verification to go beyond simple passwords during login attempts, whitelisting IP addresses for authorized users, deploying more advanced antivirus solutions and making firewall configurations stricter.
- Secure remote access solutions: Each new endpoint that connects to your network represents a potential system for attackers to compromise using RATs. To limit the attack surface, remote access should only be allowed via secure connections created with hardened secure gateways or virtual private networks (VPNs). But beyond that, it helps to use a clientless remote access solution that does not require additional software and plugins on end-user devices, which are easy targets for attackers.
- Zero-trust security technologies: Zero-trust security models have gained traction, thanks to their “never trust, always verify” approach. Rather than giving admins credentials for total access across the network, zero-trust security solutions provide granular control over lateral movements that attackers use to find valuable data.
These three strategies combine to create a more secure environment for both on-site and remote workers. While it’s still important for employees to pay close attention to suspicious emails and links, integrating these components of a multi-layered defense strategy will help you avoid disaster even when human error comes into play.
Remote Access Trojans and Advanced Persistent Threats
One final, important note about RATs is that they aren’t just tools for short-term financial gains on the part of cybercriminals. While ransomware and cryptominers have given hackers plenty of ways to execute quick, lucrative attacks, you can’t forget about the dangers of advanced persistent threats (APTs).
Compromising one machine with a remote access Trojan may be only the beginning of an attack. Because it’s so difficult to detect RATs, backdoors can remain open for long periods of time. This gives attackers the opportunity to compromise other devices, move laterally within your network, and exfiltrate additional sensitive data that results in more costly incidents.
Don’t let RATs open your organization to the risk of multimillion-dollar data breaches. Take all steps necessary to prepare your workforce for these threats and harden your systems to withstand human errors that create vulnerabilities for RATs to exploit.