Threat Intelligence

4/12/2017
05:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Nation-State Hackers Go Open Source

Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns.

For some of these threat groups, it's a cost-saving move and a more efficient early-stage attack method. Using the same hacking tools used by security researchers and penetration testers to root out security weaknesses and exploit holes in enterprise networks saves on development costs. For others, it's purely for camouflaging purposes, providing cover as a legitimate penetration test, for instance.

Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says he noticed a spike over the past year or so in the use of open-source hacking tools by some infamous APT groups. Tools such as Metasploit Meterpreter, Cobalt Strike, BeEF (Browser Exploitation Framework), Mimikatz, Pupy, and Unicorn, have all been spotted in use by nation-state hackers.

"APT actors are incorporating more open source into their tooling, and in some cases, abandoning custom and private toolsets in favor" of open source, Baumgartner said in an interview at Kaspersky Lab's Security Analyst Summit in St. Martin last week, where he gave a presentation on a yearlong snapshot he took of this trend.

Newscaster - aka NewsBeef and Charming Kitten - the nation-stage hacking group believed to be out of Iran, in the past year has relied heavily on several open-source hacking tools: BeEF for exploiting holes in browsers, on Unicorn for PowerShell-type attacks, and on Pupy, for planting a remote administration tool, or RAT. This represents a major shift in MO for the attack group, which traditionally had relied on social engineering accounts to target its victims. "They gave up on their old techniques," Baumgartner says. "Now they're using spear phishing with email lures using these toolsets … NewsBeef is not well-resourced, so this enables them to up their game."

Interestingly, one of the most sophisticated and well-oiled attack groups, the Russian-speaking Sofacy, aka Fancy Bear/APT28/Pawn Storm, also has taken a liking to BeEF. Baumgartner says Sofacy/Fancy Bear has employed BeEF to rig a watering-hole attack on a website likely frequented by its targets. In one big attack campaign in July of 2016, they targeted geopolitical targets in the former Soviet republic with a malicious but realistic-looking Adobe Updater on the site, he says. "They were serving their own backdoor from this domain to visitors," he says. The group, which is reportedly linked to the Russian military unit GRU, even included a progress bar with the phony Adobe updater.

Researchers at CrowdStrike and FireEye say they've seen a similar spike in open-source hacking tool usage by nation-states. "It's becoming fairly commonplace," says Adam Meyers, vice president of intelligence at CrowdStrike.

"We've seen a fair amount from Cozy Bear in the past couple of weeks" as well as Charming Kitten using Pupy heavily, he notes. Iranian nation-state group Rocket Kitten also has been spotted running CORE Impact, a commercial pen-testing tool.

Meyers says not only are these groups using open-source hacking tools for obfuscation, but they're also using them to fill gaps in their own toolsheds or as a phase-one attack tool. "Some actors are using this as Phase One" for recon, and then executing their own custom tools for the next phases of the attack, he says. "Their [custom] implants are for collecting and pulling data and long-term continuous monitoring," of the target, he says.

In some cases, it may be more that the attackers are merely leveraging their own training on open-source hacking tools, he says. "They may be receiving commercial-style training."

John Hultquist, manager of the cybersecurity analysis team at FireEye, says the Iranian nation-state Newscaster group also runs Metasploit, and other groups, Cobalt Strike, an emulation tool that mimics red-team operations and attacks. FireEye has seen Iranian, Chinese (APT19), and Palestinian nation-state groups relying on open-source hacking tools for their attacks. "Some actors never created their own tools, so they've relied on outside tools," Hultquist says.

Some notorious Chinese nation-state groups historically have employed open-source tools like Poison Ivy, Ghost Rat, and others, later moving on to PlugX and custom tools. The recent wave of relatively newcomer nation-state groups likely has contributed to the popularity of open-source hacking software, he says.

"The biggest advantage of using those [open source] tools is they forgo tremendous amounts of development time, energy, and money. And from an intel perspective, they provide another level of obfuscation. There's no permanent attribution because these tools are passed around," Hultquist says.

The typical next step for a young nation-state attack group is customization of an off-the-shelf tool. "We've seen Mimikatz customized on many occasions," he says.

Mimikatz, which has been used frequently by the Chinese APT10 cyber espionage group, is used for pilfering credential information from Windows.

Seasoned nation-state attackers have been known to use open-source software as the basis for their hacking tools, building out custom versions. Take the recent finding by researchers from Kaspersky Lab and Kings College of a link between the 1990's cyber espionage attacks against NASA, the US military, Department of Energy, and other government agencies, and the stealthy Russian-speaking attack group Turla. The thread that ties the two attack groups together: the use of the open-source data extraction tool LOKI2, albeit each with their own custom versions of the tool.

Open Source Unmasked

There's some risk to nation-states using open-source tools, however. Take BeEF: its logging feature is very chatty and relatively detailed, so it can inadvertently expose intelligence on the attacker. "Logging is fairly verbose. It keeps track of geolocation" and IP addresses, for instance, Kaspersky Lab's Baumgartner notes.

"The dilemma for [attackers] is they may not realize how much logging is going on," he says. "It's a double-edged sword."

Targeted organizations also can more easily spot and block those tools, which aren't as stealthy as a custom tool. "One of the biggest disadvantages is that we [defenders] know your tool very well… We can build a signature for it," FireEye's Hultquist says.

On the flip side, it's difficult to discern whether a Meterpreter exploit is a legitimate penetration test, a cyber espionage attack, or a financially motived cyberattack. "It's really going to be a problem for attribution and understanding who's targeting your network," he says. "The same actor interested in one employee's credit card may be using the same tool as an actor there to take millions of dollars in intellectual property. Every incident is not equal; sometimes it's clean the machine and move on with your life, and the other can change your life and they can look pretty similar."

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.