Read Time:1 Minute, 15 Second
Cybercriminals are evolving their tactics, leveraging legitimate software to evade detection and compromise systems. By blending into normal network traffic, these actors render traditional security measures ineffective, making threat mitigation challenging.
Recent Findings
Research from ReliaQuest has revealed a sharp surge in cyber incidents involving legitimate software for malicious operations (CAMO). CAMO exploits include:
- PDQ Deploy, Total Software Deployment (TSD): Remote deployment and management tools
- RMM software, e.g., AnyDesk, ScreenConnect: Remote access and management tools
Challenges Posed by CAMO
CAMO presents unique challenges due to its ability to: - Evade security policies
- Disguise malicious activities as legitimate IT operations
- Complicate threat detection and incident response
Mitigating CAMO-Based Attacks
To counter CAMO attacks, organizations should implement defense-in-depth strategies such as: - Network Segmentation: Isolate critical assets using VLANs and DMZs.
- Application Whitelisting: Block unauthorized software execution through WDAC or AppLocker.
- Strict RMM Control: Monitor and restrict the use of RMM tools.
Additional Recommendations - Incorporate CAMO awareness into incident response plans and risk assessments.
- Implement data exfiltration prevention measures, blocking unauthorized cloud services and monitoring sensitive data access.
Current and Future Trends
The use of CAMO is expected to persist, with threat actors leveraging this tactic for both simple and sophisticated attacks. Nation-state groups, such as “Cozy Bear,” are incorporating legitimate behavior into custom malware for data exfiltration.
Conclusion
Cybercriminals are relentlessly finding new ways to exploit legitimate software for malicious purposes. By understanding these tactics and implementing robust security measures, organizations can enhance their defenses and mitigate the risks associated with CAMO-based attacks.