Back to basics: The common tools, techniques and procedures cyber attackers are using

By Anthony Chadd, International Security Senior Director, Neustar

Credit: ID 54791170 © Stanislav Kozhukov | Dreamstime.com

In today’s digital world, cyber attackers are continually developing their capabilities and techniques, using various methods to achieve their malicious intent. However, this does not mean they are abandoning the basic tools, techniques and procedures when orchestrating a cyber-attack. In fact, experienced groups will leverage publicly available tools to take advantage of basic security flaws.

A report by the Australian Cyber Security Centre entitled Joint report on publicly available hacking tools revealed the effectiveness of tools commonly used by malicious actors concluding the tools utilised fell into five categories: Remote Access Tools, Web Shells – China Chopper, Credential Stealers - Mimikatz, Lateral Movement Frameworks – PowerShell Empire, and Command and Control Obfuscators - HTran.

These tools provide a wide range of functions and are freely available for use by everyone from highly skilled criminals through to amateur hackers. 

The five main basic tools cyber attackers are using

Exploring these five publicity basic tools in further detail offers additional insight into the techniques cyber attackers are using whilst proving an aid into detection and mitigation.

Remote Access Tools

A remote access tool (RAT) is a program which allows remote administrative control. Once installed it allows a malicious perpetrator the ability to control, upload and download files, make program requests, and/or record a user’s screen.

Rebranded to JBIFrost RAT in 2016, it is primarily delivered through emails as an attachment such as an invoice, quotation request, shipment notice or payment notice. Once opened information from intellectual property to banking information can be easily extracted.

The capabilities of RAT means machines that are affected can be used as botnets to carry out Distributed Denial of Service (DDoS) attacks. One such example of RAT revealed spoof emails designed to look like original emails compromised servers and delivered malicious RAT to victims to exploit valuable data.

In order to mitigate RAT tools, organisations need to ensure their network has up-to-date antivirus, establish a system of tools that can create a guideline of normal behaviour and continually monitor behaviour, and hunt for suspicious activity.

Web Shells - China Chopper

Web shells are well-documented and have been publicly available for a number of years.These malicious scripts are uploaded to a network after an initial compromise from remote access tools.

The capabilities of the China Chopper web shell range from uploading and downloading files to executing commands and timestomping.

Depending on size, approximately 4KB in the case of China Chopper, web shells are easily adjustable which makes detection and mitigation difficult. It’s therefore important to ensure external servers are up to date and all software is up-to-date with the latest security tools to prevent an initial compromise.

Credential Stealers – Mimikatz

Developed in 2017, Mimikatz have been widely adopted amongst organised crime and state-sponsored groups as a tool used to obtain credentials from memory. Not initially intended to be a hacking tool, Mimikatz have emerged as a common one to find credentials and enable an unlawful perpetrator to escalate privileges within a domain and perform other malicious tasks.

Mimikatz has the capability to significantly undermine a poorly configured security service by accessing credentials from users who are logged into a targeted machine by accessing them in moment within the Local Security Authority Subsystem Service (LSASS) system process.

As Mimikatz source code is publicly available, cyber criminals can create their own versions which can be further developed and collected. It can be difficult to identify, however, once it doesthere are number of steps such as disabling the storage of clear text passwords in LASAA memory, having systems patched up to date and undertaking a full and rigorous investigation of your network can help protect against a Mimikatz attack.

Lateral Movement Frameworks – PowerShell Empire

The PowerShell Empire tool provides the ability for a perpetrator to exploit information in a number of various ways, once they have gained initial access to a system. Acting as a framework for exploitation, it can be used to generate malicious documents, escalate privileges, extract information and move within a network. The combination of the unique empire framework and wide range of skills and intent within the Empire user community makes Empire a popular tool for those in organised crime.

Empire can be difficult to detect due to it being built on a common legitimate application, its usability, flexibility and customisable range are all attractive features for criminals. Utilising Empire allows a perpetrator to use modules to perform specific malicious actions including extended privileges granted within a network, credential harvesting, host enumeration, key and the ability to move laterally across a network.

Empire has been previously been identified during an incident earlier this year, involving a UK energy sector company. During this time, an unknown criminal compromised already weak credentials on the victim’s administrator account providing easy access to the network.

Command and Control Obfuscators - HTran

HUC Packet Transmitter (HTran) has been freely available since 2009 and is designed to confuse and complicate communication between the perpetrator and victim’s network. Cyber attackers often use this technique to retransmit network traffic to different hosts or ports and can be implemented to allow perpetrators to redirect their packets through other compromised networks also running HTran facilitating greater access to hosts in a network.

HTran has the capability to run in several different modes including server (listen) used to listen on a local port and retransmit traffic, Proxy (tran) used to listen on a local port and retransmit data and finally Client (slave) used to connect to an IP address and retransmit data.

Employing a combination of mitigation techniques such as network segmentation and host/network firewalls can help to prevent and limit the effectiveness of HTran.

A general word of advice

Whatever the objective of a perpetrator, initial compromises of a network are often established through pre-existent security weaknesses. This makes it even more important that organisations enhance the security backbone of their network in a general sense to prevent and reduce the overall effectiveness of a wide range of cyber-attacks, including the basic tools mentioned above.

Tags powershellneustarCyber attackers

Show Comments