The U.S. Computer Emergency Readiness Team (US-CERT) highlighted five publicly available tools that have been used for malicious purposes in recent cyber incidents around the world.
The US-CERT report is a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.
The five tools highlighted are:
- Remote Access Trojan: JBiFrost
- Webshell: China Chopper
- Credential Stealer: Mimikatz
- Lateral Movement Framework: PowerShell Empire
- C2 Obfuscation and Exfiltration: HUC Packet Transmitter
To aid the work of network defenders and systems administrators, US-CERT also provides advice on limiting the effectiveness of these tools and detecting their use on a network.
The individual tools covered are limited examples of the types of tools used by threat actors and should not be considered an exhaustive list when planning network defense.
Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.
The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.
Experience from all five countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.
Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems is a common way for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim's systems.