Industrial networks in need of RAT control

Remote Administration Tools in ICS environment are an additional risk factor, and not necessarily a justified one.

Remote Administration Tools (RATs) have always been controversial. Yes, they let people avoid direct access to hardware, but at the same time, they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, and so our colleagues from KL ICS CERT undertook a study on how widespread RATs are on industrial computers and what harm they can cause.

According to statistics from Kaspersky Security Network, in the first half of 2018 legitimate RATs were installed on one in three industrial systems using Windows OS. By industrial systems we mean SCADA servers, historian servers, data gateways, engineers’ and operators’ workstations, and human–machine interface computers.

Sometimes, local administrators and engineers use RATs in their daily work. Sometimes, outside parties such as system integrators or industrial control system developers need remote access for diagnostics, maintenance and troubleshooting. So actually, in some cases RATs are used not for operational needs but to lower service costs. And even if they are required for normal technological processes, it is worth assessing possible risks and maybe even restructuring processes to decrease attack surface.

Another possibility cannot be excluded: To deceive protective solutions, malware actors sometimes use legitimate remote administration software as an attack tool.

What is the problem?

It appears that not all specialists understand the dangers of RATs in industrial networks. Here is what our colleagues found about the RATs in the systems they examined:

  • They often used system privileges;
  • They did not let administrators limit access to the system;
  • They did not employ multifactor authentication;
  • They did not log clients’ actions;
  • They contained vulnerabilities — and not only yet-undiscovered ones (in other words, companies aren’t updating their RATs);
  • They used relay servers that made the circumvention of NAT and local firewall restrictions possible;
  • They typically used default passwords or had hardcoded credentials;

In some cases, security teams did not even know that RATs were in use, so they didn’t know they had to consider this attack vector.

But the main problem is that RAT attacks are very difficult to differentiate from normal activity. While investigating ICS incidents our CERT experts have seen many cases when malefactors used remote access tools for attacks.

How to minimize risks

To lower the risk of cyberincidents, Kaspersky Lab ICS CERT recommends taking the following steps:

  • Conduct a thorough audit of remote administration tools used in your technological network, with an emphasis on VNC, RDP, TeamViewer, RMS/Remote Utilities;
  • Get rid of all RATs that cannot be justified by operational needs;
  • Analyze and disable any nonessential remote administration software integrated with automated control system software;
  • In cases when RATs are needed for operations, disable unconditional access. Unconditional access should be enabled only upon a documented request — and only for a limited time;
  • Establish thorough control and event logging for each remote administration session.

You can find the complete report on this study on the Securelist blog. More ICS-related researches, alerts and advisories can be found on Kaspersky Lab ICS CERT website.