UK.gov teams up with Five Eyes chums to emit spotters' guide for miscreants' hack tools

Crouching tiger, hidden APT


The UK's National Cyber Security Centre and its western intel pals have today put out a report spotlighting the most commonly wielded hacking utilities.

The study sets out five categories of publicly available hacking tools used by crims, spies and hacktivists worldwide. The list won't come as too much of a surprise to penetration testers but is nonetheless valuable for its intended audience of enterprise security defenders.

The intel is designed to give enterprises a better awareness of what they're up against so they are better positioned to prepare defences.

The dossier (PDF) offers a "snapshot, rather than a compendium" of tools miscreants are likely to throw at targeted networks, with the malign utilities helpfully organised by the order in which the baddies are likely to deploy them.

  1. Remote Access Trojans (RATs): Stealthy programs for planting backdoors or exfiltrating data
  2. Web Shells: Malicious scripts planted on web servers to give remote admin control
  3. Mimikatz: Hoovers up memory-resident passwords and other credentials
  4. Tools for lateral movement in already compromised networks such as popular penetration-testing kits
  5. PowerShell Empire: This framework allows hackers to break into more sensitive machines after they have gained a toe-hold on compromised networks
  6. Command and control obfuscation and exfiltration tools: Utilities used to disguise a hacker's location

Often these tools are not inherently malicious and might be legitimately used by pen-testers to find vulnerabilities, but they can nonetheless be abused to hack into networks, execute commands and steal data. The NCSC acknowledged that dual use can make detection of these tools more difficult.

"Many... are used in conjunction with each other, presenting a formidable challenge for the network defender," GCHQ's cyber assurance arm said. "The NCSC and our partners have seen them used in incidents led by hostile state actors and criminals of widely varying capability."

The NCSC said simple steps could go a long way towards thwarting potential attacks. Key defences include multi-factor authentication, network segmentation, security monitoring and patching. All this fits in with NCSC's core security advice guidelines.

The list is the fruit of research efforts by GCHQ and its closest western intel partners in Australia, Canada, New Zealand, and the US [1].

The study "provides network defenders with an insight into some of the incidents that we and our partners are managing, highlighting the tools' capability and examples of use, plus detection and mitigation advice – all linked into published NCSC guidance".

The cybersecurity agency said it welcomed feedback from industry and academics about the study and how to build better defences more generally. ®

Bootnote

[1] The US Department of Homeland Security, Canadian Centre for Cyber Security, Australian Centre for Cyber Security, New Zealand National Cyber Security Centre and CERT New Zealand. These are all the assurance (defence) arms of government agencies covered by the Five Eyes alliance.

Biting the hand that feeds IT © 1998–2022