The UK’s National Cyber Security Centre (NCSC) has published a list of the most commonly used and publicly available hacking tools and techniques, in a joint report with its “Five Eyes” intelligence partners: Australia, Canada, New Zealand and the US.
The publication’s explicit aim is to aid the work of network defenders and systems administrators. The report also provides advice on limiting the effectiveness of these tools and detecting their use on a network.
Five Eyes’ Top Five: The Most Widely Used Hacking Tools
The report covers five categories: remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and C2 obfuscators.
It focusses on JBiFrost, China Chopper, Mimikatz, PowerShell Empire and HTran.
Reiterating the need for basic security hygiene, the report emphasises that initial compromises of victim systems usually exploit common security weaknesses like unpatched software software vulnerabilities: “The tools detailed here come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.”
1: JBiFrost RAT
RATs allow remote administrative control. They can be used to install backdoors and key loggers, take screen shots, and exfiltrate data.
While there are a wide range of RATs circulating, JBiFrost is increasingly being used in targeted attacks against critical national infrastructure owners and their supply chain operators, the NCSC said.
“The JBiFrost RAT is Java-based, cross-platform and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X and Android. JBiFrost allows actors to pivot and move laterally across a network, or install additional malicious software. It is primarily delivered through emails as an attachment.”
Signs of infection include:
- Inability to restart the computer in safe mode
- Inability to open the Windows registry editor or task manage
- Significant increase in disk activity and/or network traffic
- Connection attempts to known malicious IP addresses
- Creation of new files and directories with obfuscated or random names
Regular patching and updating, along with the use of a modern antivirus programme stops most variants, the NCSC said, adding that organisations should be able to collect antivirus detections centrally across its estate. Phishing awareness is also crucial.
2: China Chopper
Web shells are malicious scripts which are uploaded to a target host after an initial compromise. They can then be used to pivot to further hosts within a network. China Chopper, which is just 4kb in size, is a widely used web shell.
Once a machine is compromised, China Chopper can use the file-retrieval tool ‘wget’ to download files from the internet to the target, and edit, delete, copy, rename, and change the timestamp of existing files.
“The most effective way to detect and mitigate China Chopper is on the host itself, specifically on public-facing web servers. There are simple ways to search for the presence of the web shell using the command line on both Linux and Windows based operating systems.” (FireEye has a handy guide… )
To detect web shells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (for example PHP binaries spawning processes), or out-of-pattern outbound network connections from web servers, the report emphasises.
Mimikatz, developed in 2007 by French programmer Benjamin Delpy (see this write-up by Wired for a compelling description of its genesis) collect the credentials of users logged in to a targeted Windows machine, using a Windows process called Local Security Authority Subsystem Service (LSASS).
A user can then escalate privileges within a domain and perform a sweeping range of post-exploitation tasks.
(As Computer Business Review noted in May, a host of security updates in version 1803 of Windows 10 finally made it possible to block credential stealing from lsass.exe).
The tool is powerful, versatile and open-source, so malicious users as well as pen testers can develop custom plug-ins. Its use is widespread by a range of actors.
To start with, defenders should disable the storage of clear text passwords in LSASS memory. This is default behaviour for Windows 8.1/Server 2012 R2 and later but can be specified on older systems which have the relevant security patches installed. (For full details on mitigation strategies, see the Five Eyes report here).
“Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates an actor actively present in the network, rather than an automated process at work. Several features of Mimikatz rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply Privilege Access Management principles.”
4: PowerShell Empire
The PowerShell Empire framework (Empire) was designed as a legitimate penetration testing tool in 2015.
It allows continued exploitation once an attacker has gained access to a system. The tool provides an attacker with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network.
(Similar tools include Cobalt Strike and Metasploit).
Because it is built on a common, legitimate application (PowerShell) and can operate almost entirely in memory, Empire can be difficult to detect on a network using traditional antivirus tools. It has become increasingly popular among hostile state actors and organised criminals, the NCSC said.
A recent example includes its use after hostile actor APT19 targeted a multinational law firm with a targeted phishing campaign. APT19 used obfuscated PowerShell macros embedded within Word documents generated by PowerShell Empire
“To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.. A combination of script code signing, application whitelisting and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion, the NCSC said.
Attackers often seek disguise their location when compromising a target. They may use TOR, or proxy tools like HUC Packet Transmitter (HTran) which is used to intercept and redirect TCP connections from the local host to a remote host. The tool has been freely available on the internet since at least 2009 and regularly observed in compromises of both government and industry targets.
To use it, attackers need access to an exploited machine so all the access control and security patch basics outlined re. the hacking tools above apply. Modern, properly configured and scrutinised network monitoring and firewalls can also typically detect unauthorised connections from tools like HTran.
“HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format: sprint(buffer, “[SERVER]connection to %s:%d error\r\n”, host, port2); This error message is relayed to the connecting client in the clear. Defenders can monitor for this error message to potentially detect HTran instances active in their environments,” the NCSC notes.
Intruder founder Chris Wallis told Computer Business Review: “This is a great report from the NCSC, highlighting how attackers in general use the easiest methods to compromise their victims, and how these tools are becoming more and more available, constantly lowering the bar for would-be attackers.”
He added: “While the focus here is on how to stifle them after they’ve broken in, which is most useful for companies with in-house cyber expertise, the majority of businesses in the UK rely on their IT managers to keep them safe, who may not have time to implement all the advice given.”
“Much of the advice is also basic cyber hygiene, and simply cherry-picking the basics like ensuring anti-virus is installed and up to date, and making sure internet-facing systems are being proactively monitored for weaknesses can help companies walk the fine line between achieving their business objectives and avoiding a cyber incident.”