What one threat group’s work tells us about the use of legit tools for illegitimate ends


There’s an ongoing debate within the threat intelligence community about whether open source and commercially available penetration testing tools do more harm than good. While they allow defenders to meaningfully probe and test an organization’s security, they’re often so good at their jobs that they end up becoming staples in the kill chain of many cybercriminal groups.  

Consider a recent incident response in which researchers at Advanced Intelligence were able to work out the exact kill chain used by a Ryuk ransomware group: 15 distinct steps from the initial infection point to the delivery of ransomware payloads onto a victim’s network. While the attackers certainly use purpose-built malware, such as BazarBackdoor, BazarLoader and Ryuk itself, many of the intermediate steps in the kill chain rely on commercial or open source tools.

“The group behind prefers to leverage pentester toolkits favoriting Cobalt Strike beacon as an immediate post-exploitation payload of choice” as well as other open source tools, wrote Vitali Kremez, chairman and CEO of Advanced Intelligence.

Cobalt Strike is a popular toolkit of “threat emulation software” that red teams can use to conduct reconnaissance, communicate with command and control servers, and enable spearphishing and post-exploitation functions during penetration tests. In this attack it is used heavily after BazarLoader and BazarBackdoor establish a foothold. Steps two and three in the kill chain involve Mimikatz, an open source password and credential harvesting tool. Step eight involves LaZagne, another open source password recovery tool. Other open source tools like PowerShell and PowerSploit are used, as are legal and commercial business software like AdFind, Net View and PsExec.

None of this is surprising or necessarily unique: Cobalt Strike and Mimikatz in particular are widely used in many successful attacks. Talos Intelligence calls Cobalt Strike “a prolific toolkit used at many levels of intrusion” and its use by threat actors is “ubiquitous.” Other programs like Metasploit allow even novice criminal hackers to package and automate professional-grade attacks against organizations. Security researcher Paul Litvak actually mapped out all the different threat actor groups who are using different offensive security tools in their attacks.

However, it does demonstrate how easily and cheaply (a one-year license for Cobalt Strike costs $3,500) some of these tools can be adopted by threat actors and packaged into a ready-made intrusion set. Some have argued that whatever value they bring to the work of internal red teams looking to improve the security posture of their organization, they have also lowered the collective bar of effort for many threat actors.

“These tools in and of themselves are not the problem. Their unrestricted availability is a problem,” wrote security researcher Andrew Thompson in a Medium post late last year. “Upon publishing these tools to the unrestricted internet, adversaries are provided crowdsourced raw capability that in totality is either enough to run their network operations program or at minimum supplement it.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
