The old saying goes, “For every job, there is a tool.” In targeted cyber operations, the tools are often custom-designed for the specific job they’re doing. For example, Stuxnet zeroed in on a specific product made by a specific manufacturer as used in a specific country during a specific time period.
These tools are often devastating because they are tailored for the exact target at which they are aimed, and they have often taken the target’s defensive posture into account in order to neutralize it. But a new report by the UK’s National Cyber Security Centre (NCSC) draws attention to almost the opposite problem – the danger posed by a proliferation of generic, publicly available hacking tools that threat actors of all skill levels can use, and indeed are using, with increasing frequency and success.
The NCSC’s October 11 report, which was the result of a joint effort by the so-called Five Eyes governments (Australia, Canada, New Zealand, the U.K., and the U.S.), highlights five commonly seen, publicly available tools, all used after initial compromise. The report provides advice on how to limit their effectiveness.
The trend in the increased use of public tools is one we have noticed and are following at Cylance. In this blog post, we’ll take a look at the five tools identified by the Five Eyes and offer some commentary from the NCSC’s Report.
RATs (Remote Access Trojans)
Often used in the early stages of a campaign, RATs allow the threat actor to assume remote control of a target system. They carry a host of variable features which allow for theft of credentials, installation of backdoors, etc.
NCSC highlights JBiFrost, a variant of Adwind, which in turn is derived from Frutas. NCSC says that it is most commonly used by low-level threat actors but could also be adopted by state actors. NCSC says several well-known APT groups are known to use other RATs (and the ones they mention have been associated in public security research with Chinese actors).
They conclude by saying, “Since early 2018, we have observed an increase in JBiFrost being used in targeted attacks against critical national infrastructure owners and their supply chain operators.”
Web Shells
These are scripts which also allow remote access and are often used early in attacks or campaigns in order to establish presence before moving laterally. They frequently target web servers.
NCSC’s example is China Chopper. They point out that it has been in widespread use since 2012, and is lightweight and easily modified. NCSC says, “In summer 2018, threat actors were observed targeting public-facing web servers vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution. China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the attacker remote access to the victim host.”
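A web shell is, as the section above puts it, a script dropped onto an already-compromised web server, so one of the simplest defensive controls is to baseline the server-side script files under the document root at deployment time and alert whenever a script later appears or changes, particularly in directories that should only ever receive uploads such as images. The following Python script is an added example written for this post, not code from the NCSC report or from Cylance; the directory layout, the file extensions treated as server-executable, and the sample files it creates in a temporary directory are all constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the web server would execute server-side. Assumption for this
# example: a PHP / JSP / ASP.NET / ColdFusion site; adjust to your stack.
SCRIPT_SUFFIXES = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".cfm"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(webroot: Path) -> dict:
    """Record the SHA-256 of every server-side script under webroot.

    Run this at a known-good moment (right after deployment) and store the
    result off-host, so an intruder on the web server cannot edit it.
    Keys are POSIX-style paths relative to webroot.
    """
    return {
        p.relative_to(webroot).as_posix(): sha256_of(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def diff_against_baseline(webroot: Path, known: dict) -> dict:
    """Compare the live document root with the stored baseline.

    'added' is the classic web-shell indicator: a brand-new script file that
    no deployment created. 'modified' catches a shell appended to an existing
    page; 'removed' is reported for completeness.
    """
    current = baseline(webroot)
    return {
        "added": sorted(set(current) - set(known)),
        "modified": sorted(k for k in known if k in current and current[k] != known[k]),
        "removed": sorted(set(known) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: deploy a tiny site, baseline it, then simulate a
    script appearing in the upload directory and an existing page being edited.
    The files written here are harmless placeholders, not real web shell code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # not a script
        known = baseline(root)

        # Post-deployment changes an integrity check should surface.
        (root / "uploads" / "cache.php").write_text("<?php /* placeholder */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>")

        return diff_against_baseline(root, known)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be generated by the deployment pipeline and the comparison scheduled from a host other than the web server; a hit in `added` or `modified` for a directory that is writable by the web server process deserves the same triage as any other post-compromise indicator, because the file may be the second-stage payload the report describes rather than the initial exploit.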
Credential Stealers
These are any tools that are designed to collect credential information, either in plain text or in hashed form, including keyloggers.
The example given by NCSC is Mimikatz. NCSC explains how it works and that it was developed as a pentesting tool but has since been adopted by threat actors. They say, “Mimikatz was used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks to extract administrator credentials held on thousands of computers.”
Lateral Movement Frameworks
Just as the name suggests, these tools allow the threat actor to move within the network after the initial compromise.
NCSC mentions PowerShell Empire as an example, while also giving special mention to Cobalt Strike and Metasploit, all of which were designed by pentesters for network defense but which, like Mimikatz, have also been adopted by malicious actors.
Of PowerShell Empire, NCSC points out that this tool was observed in use in the 2018 compromise of a U.K. energy company, a Winter Olympics-themed spearphishing campaign that targeted several South Korean organizations, as well as being used in attacks on law firms and academic institutions by advanced persistent threat groups.
C2 Obfuscation Tools
C2 Obfuscation Tools are tools that help to hide the infrastructure used to control the malware used in an attack.
HTran is the example given here by NCSC. And while they do not go into detail about HTran’s application in any specific incidents, they acknowledge that the cybersecurity authorities of all five governments were aware of HTran’s successful use in keeping targeted attacks hidden from defenders for months at a time.
Cylance Commentary
Cylance has observed a marked increase in the use of publicly available RATs by several threat actor groups, including those we believe may be state or state-sponsored.
What is intriguing about the use of these RATs, and of the other public hacking tools, is the motive behind it, something the NCSC Joint Report does not address.
For low-level threat actors, the choice makes clear economic sense. Publicly available tools are obviously free and require neither skill to natively develop, nor an investment in R&D, nor an outlay of cash to obtain.
Even sophisticated threat actors capable of developing their own custom tools are doing so less often, particularly when it comes to RATs. State or state-sponsored groups possess the skill, the time, the resources, and the means to develop or purchase all five of these kinds of tools themselves, and yet we have seen an increase in use of public RATs by these groups. The reason is likely two-fold:
- RATs are frequently used to help establish a foothold during an operation; if they are caught and burned before the ultimate objective is achieved, not much is lost. The tools are expendable.
- The use of public RATs makes attribution harder; if the malware is available to everyone, an individual’s fingerprints are harder to lift and the threat actor can hide in an impossibly large group of suspects.
The other noteworthy takeaway from the NCSC report is how many of its examples of the problem in action are pentesting tools.
Most of the discussion of the Lateral Movement and Credential Stealing tools involved programs originally designed by pentesters. When used by network defenders, we call these programs tools. When used by threat actors, we call them malware.
Without knowing who is wielding them, it can be hard for network defenders to know whether they are seeing pentest activity or a real attack. Cylance researchers are at work on a Threat Intelligence Report we hope will explore and address this issue in greater detail.
For now, it’s worth considering that publicly available pentest tools may be chosen by threat actors with increasing frequency because, if caught, they provide yet another means of cover and a mechanism by which to frustrate attempts at attribution.
Finally, there may be one more important reason why actors of all levels of sophistication are turning to public hacking tools more and more – they are tried and tested. Like many open-source development projects, these tools have withstood testing and modification by a huge number of contributors simply because they are public, so an operator who uses them can be assured that they work. That takes the guesswork out of at least one part of a threat actor’s operation.
In summary, readers should review the NCSC report and remain vigilant if and when they encounter any of these five public hacking tools. They may seem boring and pedestrian on their face because they are so widely known, but their presence in your network may portend the work of a state actor or more serious threat.