US-CERT AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Started by Netwörkheäd, June 27, 2019, 06:05:30 PM


Netwörkheäd

AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia [1], Canada [2], New Zealand [3], the United Kingdom [4], and the United States [5].

[1] https://www.acsc.gov.au/
[2] https://cyber.gc.ca/en/
[3] https://www.ncsc.govt.nz/
[4] https://www.ncsc.gov.uk/
[5] https://www.us-cert.gov/

In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

  1. Remote Access Trojan: JBiFrost
  2. Webshell: China Chopper
  3. Credential Stealer: Mimikatz
  4. Lateral Movement Framework: PowerShell Empire
  5. C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors, and organized criminals to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems is a common way for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim's systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.

This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described.

The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost

Let's not argue. Let's network!