Saturday, June 25, 2022

Industrial networks that need control of RAT

Remote Administration Tools (RATs) have always been controversial. They let users administer a machine without having physical access to the hardware, but at the same time they put those computer systems at risk by opening them up to remote access. In the industrial sector this type of access is especially dangerous, which is why our colleagues at KL ICS CERT carried out a study of how widespread RATs are on industrial computers and the damage they can cause.

According to Kaspersky Security Network statistics, in the first half of 2018 legitimate RATs were installed on one in three industrial systems running Windows. By industrial systems we mean SCADA servers, historian servers, data gateways, engineering and operator workstations, and the computers that interface between the user and the device.

Some administrators and engineers use RATs in their daily work, and external parties such as industrial control system developers or system integrators need remote access for diagnostics, maintenance and troubleshooting. So, in reality, in some cases RATs are used not for operational needs but to lower service costs. And even where they are necessary to routine technological processes, it is worth evaluating the possible risks and even restructuring those processes to reduce the attack surface.

If you are an IT professional who frequently needs to administer servers and other computer systems, you should invest in a remote administration tool (RAT). A RAT is automatically configured by your local server administrators to run on their behalf when they are not available, which means that you can manage your server without having to go through your IT team.

What is the problem?

It seems that not all specialists understand the dangers of RATs in industrial networks. Here is what our colleagues discovered about the RATs on the systems they examined:

  • They often used system privileges.
  • They did not allow administrators to limit access to the system.
  • They did not use multi-factor authentication.
  • They did not log client actions.
  • They contained vulnerabilities, and not just unknown ones (i.e., companies did not update their RATs).
  • They used relay servers that circumvent network address translation and any local firewall restrictions.
  • They typically used default passwords or highly encrypted credentials.

In some cases, security teams did not even know which RAT was in use, so they were unaware that they had to consider this attack vector at all.

But the main problem is that it is very difficult to tell an attack carried out through a RAT from normal administrative activity. While investigating ICS incidents, our CERT experts saw many cases in which cybercriminals used remote access tools in their attacks.

How to minimize the risks

To reduce the risk of cyber incidents, Kaspersky Lab ICS CERT recommends the following steps:

  • Perform a comprehensive audit of the remote administration tools used in your technology network, with an emphasis on VNC, RDP, TeamViewer and RMS/Remote Utilities.
  • Get rid of all RATs that are not justified by operational needs.
  • Inventory and disable any unnecessary remote management software that comes bundled with automated control system software.
  • If RATs are needed for operations, disable unconditional access. Access should be enabled only upon justified request and only for a limited time.
  • Comprehensively monitor and log the events that occur during each remote management session.
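The recommendations above and the list of weaknesses in the previous section (no logging of client actions, no way to limit access, unconditional access) describe a control loop: keep an inventory of installed RATs, require a ticketed and time-boxed grant for each one, and check every logged session against those grants. The script below is an added example that is not code from this article or from Kaspersky ICS CERT; it implements that loop over constructed sample data. Every host name, tool, user, ticket id, timestamp and log line in it is an assumption made up for the example, and the `key=value` session-log format is a placeholder for whatever your RAT or SIEM actually emits.

```python
"""Audit remote-administration tools on an industrial network against
time-limited, ticketed access grants.

Added example; not code from the article or from Kaspersky ICS CERT.
Every host name, user, ticket id, timestamp and log line below is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """A justified, time-boxed permission to use one RAT on one host."""
    host: str
    tool: str
    ticket: str        # change/maintenance ticket that justifies the access
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    tool: str
    detail: str


def parse_session(line: str) -> Dict[str, str]:
    """Parse one constructed 'ISO-timestamp key=value ...' session-log line."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def to_utc(ts: str) -> datetime:
    """Convert an ISO-8601 'Z' timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def active_grant(grants: List[Grant], host: str, tool: str,
                 when: datetime) -> Optional[Grant]:
    """Return the grant that covers this host/tool at this moment, if any."""
    for g in grants:
        if g.host == host and g.tool == tool and g.start <= when <= g.end:
            return g
    return None


def audit(inventory: List[Tuple[str, str]], grants: List[Grant],
          session_lines: List[str]) -> List[Finding]:
    """Every installed RAT needs a justification, and every session must
    fall inside an approved, time-limited window."""
    findings: List[Finding] = []
    # Steps 1-2: an installed RAT with no grant behind it is not justified
    # by operational needs and should be removed.
    for host, tool in inventory:
        if not any(g.host == host and g.tool == tool for g in grants):
            findings.append(Finding("HIGH", host, tool,
                                    "installed with no justified access grant; remove"))
    # Steps 4-5: every logged session is checked against the grant windows;
    # a session outside every window is unconditional access and is flagged.
    for line in session_lines:
        s = parse_session(line)
        g = active_grant(grants, s["host"], s["tool"], to_utc(s["ts"]))
        if g is None:
            findings.append(Finding(
                "CRITICAL", s["host"], s["tool"],
                f"session by {s['user']} at {s['ts']} outside any approved window"))
        elif (s["host"], s["tool"]) not in inventory:
            findings.append(Finding(
                "MEDIUM", s["host"], s["tool"],
                f"session under ticket {g.ticket} from a tool missing in inventory"))
    return findings


# --- constructed sample data (hypothetical hosts, tickets and users) ---------
INVENTORY = [("SCADA-SRV-01", "RDP"), ("ENG-WS-02", "TeamViewer"), ("HIST-01", "VNC")]

GRANTS = [
    Grant("SCADA-SRV-01", "RDP", "CHG-1001",
          to_utc("2018-05-14T08:00:00Z"), to_utc("2018-05-14T12:00:00Z")),
    Grant("ENG-WS-02", "TeamViewer", "CHG-1002",
          to_utc("2018-05-15T09:00:00Z"), to_utc("2018-05-15T11:00:00Z")),
]

SESSION_LOG = [
    "2018-05-14T09:15:00Z host=SCADA-SRV-01 tool=RDP user=ops.jane action=session_start",
    "2018-05-14T03:12:00Z host=ENG-WS-02 tool=TeamViewer user=vendor.bob action=session_start",
    "2018-05-16T14:00:00Z host=HIST-01 tool=VNC user=unknown action=session_start",
]


def run_sample() -> List[Finding]:
    """Run the audit over the constructed data; returns three findings."""
    return audit(INVENTORY, GRANTS, SESSION_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.host:13} {f.tool:10} {f.detail}")
```

On the sample data the audit reports the VNC server on `HIST-01` as installed with no justification, the TeamViewer session on `ENG-WS-02` as falling outside its approved window (the grant is for the next day), and the VNC session as having no grant at all; the in-window RDP session on the SCADA server produces nothing. The point of keeping grants as explicit, expiring records is that "legitimate" and "attacker-operated" use of the same tool look identical on the wire, so the only reliable distinguishing signal is whether the session was requested and approved in advance.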
