Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/12/2017
05:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Nation-State Hackers Go Open Source

Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns.

For some of these threat groups, it's a cost-saving move and a more efficient early-stage attack method. Using the same hacking tools used by security researchers and penetration testers to root out security weaknesses and exploit holes in enterprise networks saves on development costs. For others, it's purely for camouflaging purposes, providing cover as a legitimate penetration test, for instance.

Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says he noticed a spike over the past year or so in the use of open-source hacking tools by some infamous APT groups. Tools such as Metasploit Meterpreter, Cobalt Strike, BeEF (Browser Exploitation Framework), Mimikatz, Pupy, and Unicorn, have all been spotted in use by nation-state hackers.

"APT actors are incorporating more open source into their tooling, and in some cases, abandoning custom and private toolsets in favor" of open source, Baumgartner said in an interview at Kaspersky Lab's Security Analyst Summit in St. Martin last week, where he gave a presentation on a yearlong snapshot he took of this trend.

Newscaster - aka NewsBeef and Charming Kitten - the nation-stage hacking group believed to be out of Iran, in the past year has relied heavily on several open-source hacking tools: BeEF for exploiting holes in browsers, on Unicorn for PowerShell-type attacks, and on Pupy, for planting a remote administration tool, or RAT. This represents a major shift in MO for the attack group, which traditionally had relied on social engineering accounts to target its victims. "They gave up on their old techniques," Baumgartner says. "Now they're using spear phishing with email lures using these toolsets … NewsBeef is not well-resourced, so this enables them to up their game."

Interestingly, one of the most sophisticated and well-oiled attack groups, the Russian-speaking Sofacy, aka Fancy Bear/APT28/Pawn Storm, also has taken a liking to BeEF. Baumgartner says Sofacy/Fancy Bear has employed BeEF to rig a watering-hole attack on a website likely frequented by its targets. In one big attack campaign in July of 2016, they targeted geopolitical targets in the former Soviet republic with a malicious but realistic-looking Adobe Updater on the site, he says. "They were serving their own backdoor from this domain to visitors," he says. The group, which is reportedly linked to the Russian military unit GRU, even included a progress bar with the phony Adobe updater.

Researchers at CrowdStrike and FireEye say they've seen a similar spike in open-source hacking tool usage by nation-states. "It's becoming fairly commonplace," says Adam Meyers, vice president of intelligence at CrowdStrike.

"We've seen a fair amount from Cozy Bear in the past couple of weeks" as well as Charming Kitten using Pupy heavily, he notes. Iranian nation-state group Rocket Kitten also has been spotted running CORE Impact, a commercial pen-testing tool.

Meyers says not only are these groups using open-source hacking tools for obfuscation, but they're also using them to fill gaps in their own toolsheds or as a phase-one attack tool. "Some actors are using this as Phase One" for recon, and then executing their own custom tools for the next phases of the attack, he says. "Their [custom] implants are for collecting and pulling data and long-term continuous monitoring," of the target, he says.

In some cases, it may be more that the attackers are merely leveraging their own training on open-source hacking tools, he says. "They may be receiving commercial-style training."

John Hultquist, manager of the cybersecurity analysis team at FireEye, says the Iranian nation-state Newscaster group also runs Metasploit, and other groups, Cobalt Strike, an emulation tool that mimics red-team operations and attacks. FireEye has seen Iranian, Chinese (APT19), and Palestinian nation-state groups relying on open-source hacking tools for their attacks. "Some actors never created their own tools, so they've relied on outside tools," Hultquist says.

Some notorious Chinese nation-state groups historically have employed open-source tools like Poison Ivy, Ghost Rat, and others, later moving on to PlugX and custom tools. The recent wave of relatively newcomer nation-state groups likely has contributed to the popularity of open-source hacking software, he says.

"The biggest advantage of using those [open source] tools is they forgo tremendous amounts of development time, energy, and money. And from an intel perspective, they provide another level of obfuscation. There's no permanent attribution because these tools are passed around," Hultquist says.

The typical next step for a young nation-state attack group is customization of an off-the-shelf tool. "We've seen Mimikatz customized on many occasions," he says.

Mimikatz, which has been used frequently by the Chinese APT10 cyber espionage group, is used for pilfering credential information from Windows.

Seasoned nation-state attackers have been known to use open-source software as the basis for their hacking tools, building out custom versions. Take the recent finding by researchers from Kaspersky Lab and Kings College of a link between the 1990's cyber espionage attacks against NASA, the US military, Department of Energy, and other government agencies, and the stealthy Russian-speaking attack group Turla. The thread that ties the two attack groups together: the use of the open-source data extraction tool LOKI2, albeit each with their own custom versions of the tool.

Open Source Unmasked

There's some risk to nation-states using open-source tools, however. Take BeEF: its logging feature is very chatty and relatively detailed, so it can inadvertently expose intelligence on the attacker. "Logging is fairly verbose. It keeps track of geolocation" and IP addresses, for instance, Kaspersky Lab's Baumgartner notes.

"The dilemma for [attackers] is they may not realize how much logging is going on," he says. "It's a double-edged sword."

Targeted organizations also can more easily spot and block those tools, which aren't as stealthy as a custom tool. "One of the biggest disadvantages is that we [defenders] know your tool very well… We can build a signature for it," FireEye's Hultquist says.

On the flip side, it's difficult to discern whether a Meterpreter exploit is a legitimate penetration test, a cyber espionage attack, or a financially motived cyberattack. "It's really going to be a problem for attribution and understanding who's targeting your network," he says. "The same actor interested in one employee's credit card may be using the same tool as an actor there to take millions of dollars in intellectual property. Every incident is not equal; sometimes it's clean the machine and move on with your life, and the other can change your life and they can look pretty similar."

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19033
PUBLISHED: 2019-11-21
Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.
CVE-2019-19191
PUBLISHED: 2019-11-21
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
CVE-2019-15511
PUBLISHED: 2019-11-21
An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed....
CVE-2019-16405
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
CVE-2019-16406
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.