Remote administration tools (RATs) are legitimate software tools that allow third parties to access a computer remotely. They are often used legitimately by employees at industrial enterprises to save resources, but can also be used by malicious actors for stealthy privileged access to targeted computers.
According to a report published by Kaspersky Lab ICS CERT, RATs are incredibly widespread across all industries: nearly one third of ICS computers protected by Kaspersky Lab products have RATs installed on them. Even more importantly, almost one RAT in five comes bundled with ICS software by default. This makes them less visible to system administrators and, consequently, more attractive to threat actors.
According to the research, malicious users utilize RAT software to:
The most significant threat posed by RATs is their ability to gain elevated privileges on the attacked system. In practice, this means gaining unlimited control over an industrial enterprise, which can result in significant financial losses as well as a physical catastrophe. Such capabilities are often gained through a basic brute-force attack, which involves guessing a password by trying all possible character combinations until the correct one is found. While brute force is one of the most popular ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself.
“The number of ICS with RATs is worrying, while many organizations don’t even suspect how great the potential risk associated with RATs is. For example, we have recently observed attacks on an automotive company, where one of the computers had a RAT installed on it. This led to regular attempts to install various malware on the computer over a period of several months, with our security solutions blocking at least two such attempts every week. If that organization had not been protected by our security software, the consequences would have been unpleasant to say the least. However, this doesn’t mean that companies should immediately remove all RAT software from their networks. After all, these are very useful applications, which save time and money. However, their presence on a network should be treated with care, particularly on ICS networks, which are often part of critical infrastructure facilities,” said Kirill Kruglov, senior security researcher at Kaspersky Lab ICS CERT.
To reduce the risk of cyberattacks involving RATs, Kaspersky Lab ICS CERT recommends implementing the following technical measures:
Read the full report on the Kaspersky Lab ICS CERT website.