
How Cybercriminals Have Misused the Top Penetration Testing Toolkits

by CISOCONNECT Bureau

Cybercriminals have recently been turning open source security tools to their own ends. Read on to learn more…

Malware authors have been widely adopting open source security tools for their operations. Recorded Future recently released a report on malicious command-and-control (C&C) infrastructure observed throughout 2020, based on tracking more than 10,000 C&C servers across more than 80 malware families.

Key Findings
Penetration testing tools (also known as offensive security tools) and red teaming tools have found their way into attackers' toolkits in recent years, the report found.

Two penetration testing toolkits have become the most widely used technologies for hosting C&C servers: Cobalt Strike, observed on 13.5% of all 2020 C&C servers, and Metasploit, observed on 10.5%. Cobalt Strike accounted for 1,441 of the C&C servers, with Metasploit close behind at 1,122; together, the two accounted for roughly a quarter of all C&C servers observed. Recorded Future also noted the adoption of lesser-known open source frameworks such as Octopus C2, Mythic, and Covenant.

PupyRAT was the third most common C&C family, a popularity the researchers attribute to its open source codebase, available on GitHub since 2018. State-sponsored groups, financially motivated groups, and other hacking groups alike were observed operating these C&C servers.

Explaining the popularity of these tools, the researchers note that they have graphical user interfaces and are thoroughly documented, which makes them easy to use even for relatively inexperienced attackers. That said, several of the groups that abused them were state-sponsored actors engaged in espionage operations, according to the researchers.

The report also contains several other interesting findings. For instance, the four hosting providers with the largest number of C&C servers on their infrastructure, namely Amazon, Digital Ocean, Choopa, and Zenlayer, were all based in the U.S.

Further Examples of Abused Tools
Recently, the MuddyWater APT group used a malicious PowerShell script hosted on GitHub to decode an embedded Cobalt Strike payload and target Windows systems. Palo Alto Networks researchers found that the SolarStorm campaign was linked to a Cobalt Strike payload generated with Cobalt Strike 4.0, a version built in December 2019. Sophos researchers observed the SystemBC RAT being used in combination with post-exploitation tools, including Cobalt Strike.

Conclusion
Malware authors have been proactively adopting open source security tools because these tools are in common, legitimate use across organizations, so their traffic and artifacts blend in. Attackers can repurpose them to deploy different types of payloads, such as ransomware or keyloggers, on compromised networks. Enterprises should adopt detection in depth for the common open source toolkits: SIEM correlation searches for suspicious behaviour, YARA rules for suspicious file contents, and Snort rules for suspicious or malicious network traffic. Because the same tools are also run by authorised internal red teams, such detections need to be tuned against known engagement infrastructure rather than treated as unconditional block rules.
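The following is an added example of the kind of correlation logic the conclusion describes; it is not code from the article or from Recorded Future's report. It scans an egress web-proxy log for two widely documented network fingerprints of Metasploit and Cobalt Strike stagers and beacons: the checksum8 trick, where the sum of the bytes of the request URI (without the leading slash) modulo 256 equals 92 for an x86 stager or 93 for an x64 stager, and request paths taken from Cobalt Strike's built-in default Malleable C2 profile. The log lines, the client addresses, and the log format (Apache combined format, client IP first) are constructed for this example. Any random short path collides with the checksum rule about 1 time in 256, so the final step correlates the two signals per client, which is the SIEM-style step the text recommends.

```python
import re
from collections import defaultdict

# Constructed sample: egress proxy log in Apache "combined" format, client IP
# first. Not real traffic. 10.0.0.12 fetches an x86 stager-looking URI and then
# hits default-profile beacon paths; 10.0.0.33 is ordinary browsing; 10.0.0.40
# only trips the checksum rule once, which on its own is weak evidence.
SAMPLE_LOG = """\
10.0.0.12 - - [12/Jan/2021:10:15:02 +0000] "GET /Tq6a HTTP/1.1" 200 185876 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.12 - - [12/Jan/2021:10:15:09 +0000] "GET /dpixel HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.12 - - [12/Jan/2021:10:16:10 +0000] "POST /submit.php?id=1234 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.33 - - [12/Jan/2021:10:17:44 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.33 - - [12/Jan/2021:10:17:45 +0000] "GET /css/site.css HTTP/1.1" 200 1212 "-" "Mozilla/5.0"
10.0.0.40 - - [12/Jan/2021:10:20:01 +0000] "GET /Tq7a HTTP/1.1" 404 162 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# checksum8 values used by Metasploit reverse_http(s) stagers (92) and by
# Cobalt Strike stagers (92 for x86, 93 for x64).
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Stager URIs are a single path segment of URL-safe characters; the length
# bound is an assumption chosen to cover both short and UUID-carrying URIs.
STAGER_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]{4,64}$")

# Paths from Cobalt Strike's built-in default Malleable C2 profile. Operators
# can (and often do) override them, so a miss proves nothing.
DEFAULT_CS_URIS = {"/dpixel", "/__utm.gif", "/pixel.gif", "/submit.php",
                   "/activity", "/ca", "/cm", "/cx"}


def checksum8(path: str) -> int:
    """Sum of the byte values of the URI without its leading '/', modulo 256."""
    return sum(path.lstrip("/").encode("ascii", "ignore")) % 256


def classify_path(path: str):
    """Return a tag for a suspicious request path, or None if nothing matched."""
    p = path.split("?", 1)[0]          # ignore the query string
    if p in DEFAULT_CS_URIS:
        return "cs_default_profile_uri"
    if STAGER_PATH_RE.match(p):
        c = checksum8(p)
        if c == CHECKSUM8_X86:
            return "stager_checksum8_x86"
        if c == CHECKSUM8_X64:
            return "stager_checksum8_x64"
    return None


def scan_log(text: str) -> dict:
    """Parse combined-format lines and group tagged requests by client IP."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # skip malformed lines rather than crash
        tag = classify_path(m["path"])
        if tag:
            findings[m["client"]].append((m["ts"], m["method"], m["path"], tag))
    return dict(findings)


def correlate(findings: dict) -> dict:
    """SIEM-style correlation: a client that both fetched a checksum8 stager
    URI and then requested a default-profile beacon path is rated 'high';
    a default-profile path alone is 'medium'; a lone checksum8 hit is 'low',
    since roughly 1 in 256 random short paths matches by chance."""
    severity = {}
    for client, events in findings.items():
        tags = {e[3] for e in events}
        staged = any(t.startswith("stager_checksum8") for t in tags)
        beaconed = "cs_default_profile_uri" in tags
        if staged and beaconed:
            severity[client] = "high"
        elif beaconed:
            severity[client] = "medium"
        else:
            severity[client] = "low"
    return severity


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, level in correlate(found).items():
        print(client, level)
        for ts, method, path, tag in found[client]:
            print("   ", ts, method, path, tag)
```

The checksum rule flags the request that fetches the second stage, and the default-profile rule flags the beacon check-ins that follow; seeing both from one client in a short window is what turns two weak indicators into an alert worth a response ticket. In production the same logic belongs in the SIEM's correlation search, with the red team's approved C&C hosts excluded.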
