The UK’s National Cyber Security Centre (NCSC) has teamed up with counterparts in the US, Canada, Australia and New Zealand to identify popular cyber attack tools and how to defend against them.
The joint five nations’ report aims to help network defenders protect against publicly available tools commonly used by cyber attackers, highlighting the tools’ capability and examples of use.
The report provides an insight into some of the incidents that the five countries are seeing, as well as some advice on the best ways to protect organisations through detection and mitigation.
“The report is a snapshot, rather than a compendium,” the NCSC said in a blog post. “It is certainly not a handy list of everything you need to worry about – that would take a lot more than a few pages. But it does give an indication of how wide the market is for tools that can enable actors to get into a network, execute commands and steal data.”
Many of the tools described in the report are not inherently malicious in nature because they are designed to help penetration testers identify vulnerabilities and fix problems. But they are also being used for malicious purposes, making detection and attribution difficult.
“Today, hacking tools with a variety of functions are widely and freely available for use by everyone, from skilled penetration testers, hostile state actors and organised criminals, through to amateur hackers,” the report said.
The tools detailed in the report have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence.
“Their widespread availability presents a challenge for network defence and actor attribution,” the report said, adding that while cyber actors continue to develop their capabilities, they still make use of established tools and techniques.
“Even the most sophisticated groups use common, publicly available tools to achieve their objectives,” the report said, warning that initial compromises of victim systems are often established by exploiting common security weaknesses.
“Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for an actor to gain access,” the report said.
The NCSC said the report provides “a starting point for understanding the problem and keeping attackers on their toes”.
Read more about the NCSC
- NCSC head calls for technocratic partnership to fix cyber risks.
- The head of the UK’s National Cyber Security Centre has described the attribution of a wave of cyber attacks to Russia’s military intelligence service as “historically important”.
- The NSC started several initiatives in its first year with the aim of using data drawn from those to drive better cyber security practices.
- The National Cyber Security Centre is unashamedly ambitious in aiming to make the UK the safest place to do business online, which chief Ciaran Martin sees as an achievable goal.
- The UK’s NCSC and NCA publish a joint report on the cyber threats facing UK businesses, outlining the best response strategies.
Top of the list are remote access Trojans (RATs), stealthy code that enables attackers to carry out a range of remote functions on a network, including installing backdoors and exfiltrating data.
The report highlights the use of the JBiFrost RAT, which is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT.
“JBiFrost is typically employed by cyber criminals and low-skilled actors, but its capabilities could easily be adapted for use by state actors,” said the report, adding that it poses a threat to several different operating systems, including Windows, Linux, MAC OS X and Android, and allows actors to pivot and move laterally across a network, or install additional malicious software.
“Protection [against RATs] is best afforded by ensuring systems and installed applications are all fully patched and updated,” the report said.
Next is web shells, malicious scripts that can be uploaded to a web server and, similarly, offer remote administrative control.
The report highlights China Chopper, which is used extensively by hostile actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.
Again, the report advises that the most powerful defence is to avoid the web server being compromised by ensuring that all the software running on public-facing web servers is up to date, with security patches applied.
Mimikatz is a tool that was invented to demonstrate a serious flaw in Microsoft Windows password security, but it is now widely used by attackers to steal credentials stored in computer memory.
Mimikatz source code is publicly available, which means anyone can compile their own versions of the tool and potentially develop custom plug-ins and additional functionality, the report warns, noting that updating Windows will help reduce the information available to an actor from the Mimikatz tool.
The report also covers frameworks that enable lateral movement, including popular penetration testing tool PowerShell Empire, which allows attackers to move around a network after gaining initial access and to escalate privileges, harvest credentials and exfiltrate information.
Identifying malicious PowerShell activity can be difficult, the report said, because of the prevalence of legitimate PowerShell on hosts and its increased use in maintaining a corporate environment.
To identify potentially malicious scripts, the report recommends that PowerShell activity should be comprehensively logged.
Command and control obfuscation
It highlights HUC Packet Transmitter (HTran), a proxy tool used to intercept and redirect transmission control protocol (TCP) connections from the local host to a remote host.
“This makes it possible to obfuscate an attacker’s communications with victim networks,” it said. “The tool has been freely available on the internet since at least 2009.” The report noted that network monitoring and firewalls can help prevent and detect unauthorised connections from such tools.
The NCSC noted that many of these tools are used in conjunction with each other, presenting a “formidable challenge” for network defenders.
However, there are some simple steps that can help build the resilience of any organisation and help to protect against malicious activity of this kind, such as using multifactor authentication, segregating networks, setting up a security monitoring capability and keeping systems and software up to date, said the NCSC.
“We at the NCSC know that we can never solve problems on our own, and that is why we are working harder and harder to link up with international partners and experts from industry and academia,” the agency said.
The report said there are several measures that will improve the overall cyber security of any organisation and help protect against the types of tool highlighted, and provides links to guides on key topics such as malware protection, multifactor authentication, network segregation and monitoring, phishing protection and intrusion detection.