Cybercriminals are using security tools to facilitate attacks

[mood]

Cybercriminals are using security tools to facilitate attacks

Cobalt Strike and Metasploit have been used to host C&C servers.

 

(Image credit: Pixabay.com)

 

Some of the world’s most popular penetration testing tools have been compromised and used to host malware, as well as command and control (C&C) servers, experts are saying.

 

A new report from threat intelligence firm Recorded Future claims that two tools used to simulate an attacker’s action, Cobalt Strike and Metasploit, have been used for hosting malware C&C servers, the goal of which is to control compromised devices or accept stolen data.

 

While using open-source software to conduct attacks is nothing new, offensive security tools (or red-team tools) such as these are generally considered among the most complex. Recorded Future believes that these malware operations were the work of either state-sponsored attackers, or financially-motivated groups (or both).

 

As per a ZDNet report, more than a quarter of all malware C&C servers deployed last year were hosted using these two tools, with Cobalt Strike responsible for 13.5 percent and Metasploit 10.5 percent.

 

According to the report, more than 10,000 malware C&C servers and 80 malware strains were discovered last year. On average, these servers live for 54.8 days and a third were hosted in the US.

 

Over the next year, Recorded Future expects criminals to further adopt popular open-source tools, naming Covenant, Octopus C2, Sliver, and Mythic as potential candidates.

 

 

Source: Cybercriminals are using security tools to facilitate attacks

[mood]

Malicious Software Infrastructure Easier to Get and Deploy Than Ever

 

 

Researchers at Recorded Future report a rise in cracked Cobalt Strike and other open-source adversarial tools with easy-to-use interfaces.

 

Simple to use and deploy offensive security tools, making it easier than ever for criminals with little technical know-how to get in on cybercrime are seeing a significant rise, researchers say.

 

Recorded Future just released findings from its regular year-end observations of malicious infrastructure, identifying more than 10,000 unique command and control (C2) servers, across 80 malware families — nearly all linked to advanced persistent threat (APT) groups or “high-end financial actors.”

 

Recorded Future’s 2020 Adversary Infrastructure Report explained that researchers anticipate increased adoption of open-source tools because they’re easy to use and accessible to criminals without deep technical expertise.

“Over the next year, Recorded Future expects further adoption of open-source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver and Mythic,” the report said. “Three of these tools have graphical user interfaces, making them easier to use for less experienced operators and all four have verbose documentation on their uses.”

Open Source and Cobalt Strike Dominate

Researchers go on to explain that since the Cobalt Strike source code leaked last November on GitHub, it has increased in use, and that cracked or trial versions were largely being used by notable APTs including APT41, Mustang Panda, Ocean Lotus and FIN7. Cobalt Strike was also was linked to the highest number of observed C2 servers last year, the report said.

 

Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to exfiltrate data, deliver malware and create fake C2 profiles which look legit and avoid detection.

 

Cobalt Strike was used with 1,441 observed C2 servers in 2020, according to Recorded Future, followed by Metasploit with 1,122 and PupyRat with 454.

“The most commonly observed families were dominated by open-source or commercially available tooling,” the report said. “Detections of unaltered Cobalt Strike deployments (the pre-configured TLS certificate, Team Server administration port, or telltale HTTP headers) represented 13.5 percent of the total C2 servers identified. Metasploit and PupyRAT represented the other top open-source command-and-control servers identified by Recorded Future.”

Links to APTs

The report added that nearly every observed offensive security tool (OST), including Cobalt Strike and others, can be traced back to attacks from APT actors.

“Nearly all of the OSTs detected by Recorded Future have been linked to APT or high-end financial actors,” the report said. “The ease of access and use of these tools, mixed with the murkiness of potential attribution, makes them appealing for unauthorized intrusions and red teams alike.”

 

The APT threat landscape overall has gotten more complex over the past year, according to Kaspersky’s 2020 APT trends report thanks to widespread innovation across APT groups with varying tactics, techniques and procedures (TTPs).

 

Once researchers were able to identify the C2 servers, they traced those back to 576 different hosting providers. Amazon hosted the most with 471, or about 3.8 percent. Fellow U.S.-based host Digital Ocean came in second on the list with 421. The report explained that’s not necessarily a red flag.

“The deployment of Cobalt Strike and Metasploit controllers on these providers is not indicative of malpractice or negligent hosting but is more likely due to authorized red teams using these tools on cloud infrastructure,” the report said.

 

Recorded Future explained the point of this ongoing malicious infrastructure audit is to help security teams identify actors as they’re setting up, rather than waiting for them to get up and running and able to strike. The report found teams have what amounts to about a 61-day lead time from when a C2 server is created to when it’s detectable. The report adds the average time these servers host malicious infrastructure is 54.8 days.

 

But detection before malicious infrastructure can be used creates an opportunity to stop threat actors before they can cause damage, according to Recorded Future.

“Before a server can be used by a threat actor, it has to be acquired, either via compromise or legitimate purchase,” Recorded Future explained. “Then, the software must be installed, configurations must be tuned and files added to the server. The actors must access it via panel login, SSH or RDP protocols, and then expose the malware controller on a port to allow the data to transfer from the victim and to administer commands to infections. Only then can the server be used for malicious purposes.”

 

 

Source: Malicious Software Infrastructure Easier to Get and Deploy Than Ever