Is your pentesting provider moonlighting as a malicious cybercrime group?

Investigation finds the line between the two is blurrier than you think – and data is being exposed

Formal, regular penetration testing has become a must-have in the pantheon of security best practice – but how do you know your pentesting company isn’t moonlighting as a hacking group, or using its engagements as a pretext to compromise your network?

What should be a clear distinction is anything but, according to a new BlackBerry Cylance report that found common penetration-testing tools being used in advanced persistent threat (APT) campaigns by a range of cybercriminal groups – some of which run parallel operations as purportedly legitimate penetration-testing providers.

Investigations by the firm, documented in the Thin Red Line report, explored the practices of more than two dozen pentesting companies and found that they were increasingly becoming operationally similar to APT groups.

“As pentesters have adopted the tactics, techniques and procedures of real threat actors, they, like those APT groups, have also created a massive trove of forensic byproducts – including infrastructure, phishing lures, malware – artifacts that are preserved in perpetuity in a host of widely used, semi-public repositories.”

One Brazilian pentesting group – which had opened offices in a number of other countries and whose leaders were frequently cited in the press – was, according to the report, a front for the Poseidon APT group, a notorious cybercriminal team that exfiltrated data from clients and often left backdoors on their systems.

The BlackBerry Cylance team found over 200MB worth of sensitive information about one client, a national air-traffic control organisation, hosted “in plain view in a large malware repository”.

The find raised questions about why the data had been taken in the first place and how it ended up available to the tens of thousands of people with access to that repository. The report’s conclusions should concern any organisation that has engaged professional-services firms to conduct penetration testing.

“In this case, the line between APT group and pentester was so thin it was difficult to ascertain which persona represented the group’s true identity,” the report’s authors note.

Other investigations had found data from healthcare organisations, financial institutions, technology companies, state and local governments, retailers, and US federal government agencies – all of which was published online after being stolen using malware, phishing lures, and command-and-control (C2) infrastructure created by pentesters to help in their work.

The appropriation of pentesting tools for cybercriminal activity had further muddied the view of the industry: the very attributes that define a good pentesting tool – efficacy and undetectability – are the same attributes that make APT attacks such a problem for defenders.

“Nearly every open-source pentesting tool, and even a large portion of the paid ones, have been repurposed by malicious actors,” the report said – noting the commonality between pentesting toolkits and APT suites.

This cross-pollination of tooling has seen pentesting teams using tools long associated with APT campaigns, such as the Mimikatz credential dumper, while APT groups adopt pentesting frameworks such as PowerShell Empire, PowerSploit and Cobalt Strike for post-exploitation, lateral movement and command and control.

Many of these tools plant persistent backdoor access to networks, which the report warned may well be left behind – and potentially exploited by someone else – long after the legitimate pentesting engagement has concluded, which is why engagement close-out should include verified removal of every implant and persistence mechanism the testers installed.

Some organisations had lost time and resources chasing pentesters mistaken for malicious actors: “time, money, and personnel allotted to chase what turns out to be a pentester is wasteful and distracts valuable resources away from the real work of threat hunting and incident response,” the report notes.
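The two problems above – responders burning hours on an alert that turns out to be the contracted testers, and pentest infrastructure that is still active after the engagement has ended – are both addressed by deconfliction against the rules of engagement. The script below is an added example, not code from the article or the BlackBerry Cylance report: it takes the testers’ declared egress ranges, C2/redirector hostnames and payload hashes together with the agreed engagement window, and classifies each alert as tester activity inside the window, declared tester infrastructure active outside the window (the leftover-backdoor case, which should be escalated rather than dismissed), or unattributed activity to be treated as real. The `Engagement`/`Alert` structures, the engagement dates, the documentation IP ranges (203.0.113.0/24, 198.51.100.0/24), the example.net hostname and the alerts are all constructed for illustration.

```python
"""Deconfliction triage of security alerts against a pentest's rules of engagement.

Added example. All engagement data and alerts below are constructed; the data
model is an assumption, not a format used by any particular pentesting firm.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

IN_WINDOW = "PENTEST_IN_WINDOW"              # declared tester infra, inside agreed dates
OUT_OF_WINDOW = "PENTEST_INFRA_OUT_OF_WINDOW"  # declared tester infra, outside dates: possible leftover implant
UNATTRIBUTED = "UNATTRIBUTED"                # no match: treat as a real intrusion


@dataclass(frozen=True)
class Engagement:
    """What the testers declared up front (assumed structure)."""
    name: str
    start: datetime
    end: datetime
    source_networks: Tuple[str, ...]   # tester egress ranges, CIDR notation
    c2_domains: FrozenSet[str]         # declared C2 / redirector hostnames, lower-case
    payload_sha256: FrozenSet[str]     # hashes of payloads the testers said they would drop


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    src_ip: Optional[str] = None
    dst_domain: Optional[str] = None
    file_sha256: Optional[str] = None


def _norm_domain(domain: str) -> str:
    # DNS logs often carry a trailing dot and mixed case; normalise before comparing.
    return domain.strip().lower().rstrip(".")


def _infra_matches(alert: Alert, eng: Engagement) -> List[str]:
    """Reasons (if any) why this alert touches the engagement's declared infrastructure."""
    reasons: List[str] = []
    if alert.src_ip:
        try:
            ip = ip_address(alert.src_ip)
        except ValueError:
            ip = None  # malformed address in the log: never silently treat it as a tester
        if ip is not None and any(ip in ip_network(n, strict=False) for n in eng.source_networks):
            reasons.append(f"source {alert.src_ip} in declared tester range")
    if alert.dst_domain and _norm_domain(alert.dst_domain) in eng.c2_domains:
        reasons.append(f"destination {alert.dst_domain} is a declared C2/redirector")
    if alert.file_sha256 and alert.file_sha256.lower() in eng.payload_sha256:
        reasons.append("file hash matches a declared test payload")
    return reasons


def triage(alert: Alert, engagements: List[Engagement]) -> Tuple[str, str]:
    """Classify one alert; the verdict string is one of the three constants above."""
    for eng in engagements:
        reasons = _infra_matches(alert, eng)
        if not reasons:
            continue
        if eng.start <= alert.ts <= eng.end:
            return IN_WINDOW, f"{eng.name}: " + "; ".join(reasons)
        # Declared pentest infrastructure still active after the agreed window is the
        # leftover-backdoor case the report warns about: escalate, do not dismiss.
        return OUT_OF_WINDOW, f"{eng.name} ended {eng.end.date()}: " + "; ".join(reasons)
    return UNATTRIBUTED, "no match against any declared engagement"


def triage_all(alerts: List[Alert], engagements: List[Engagement]) -> List[Tuple[str, str]]:
    return [triage(a, engagements) for a in alerts]


UTC = timezone.utc
TEST_PAYLOAD_SHA256 = hashlib.sha256(b"constructed pentest stager").hexdigest()  # constructed

ENGAGEMENTS = [
    Engagement(
        name="Example Corp external pentest (constructed)",
        start=datetime(2019, 9, 2, 0, 0, tzinfo=UTC),
        end=datetime(2019, 9, 13, 23, 59, tzinfo=UTC),
        source_networks=("203.0.113.0/24",),            # documentation range, stands in for tester egress
        c2_domains=frozenset({"cdn-assets.example.net"}),
        payload_sha256=frozenset({TEST_PAYLOAD_SHA256}),
    ),
]

SAMPLE_ALERTS = [  # constructed alerts
    Alert(datetime(2019, 9, 5, 10, 12, tzinfo=UTC), "PowerShell Empire stager on workstation",
          src_ip="203.0.113.17", file_sha256=TEST_PAYLOAD_SHA256),
    Alert(datetime(2019, 9, 30, 3, 41, tzinfo=UTC), "Periodic beacon to rare domain",
          src_ip="10.20.30.40", dst_domain="CDN-ASSETS.example.net."),
    Alert(datetime(2019, 9, 6, 14, 0, tzinfo=UTC), "Mimikatz-style LSASS access",
          src_ip="198.51.100.9"),
]

if __name__ == "__main__":
    for alert, (verdict, detail) in zip(SAMPLE_ALERTS, triage_all(SAMPLE_ALERTS, ENGAGEMENTS)):
        print(f"{alert.ts.isoformat()}  {verdict:28}  {alert.rule}  [{detail}]")
```

The ordering of the checks is deliberate: an infrastructure match is tested before the time window, so a beacon to a declared redirector two weeks after close-out surfaces as `PENTEST_INFRA_OUT_OF_WINDOW` instead of being lost among ordinary alerts, and an alert with no match is never downgraded just because a pentest happens to be running that week.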

Testing times

Even where pentesting firms are legitimate, the investigations raised “new and disturbing questions” about their compliance with clients’ privacy expectations and legally mandated protections such as the European Union’s General Data Protection Regulation (GDPR).

Given that many organisations conduct pentesting specifically to demonstrate compliance with security frameworks such as PCI DSS and ISO 27001 – and that the findings are themselves sensitive, since they document exploitable weaknesses in the client’s environment – it goes without saying that contracted firms need to be held to high standards of data privacy and protection.

Customers also need to ensure that pentesting is carried out as a human-driven activity and not just an automated vulnerability scan. This not only promises a more thorough test with more complex, chained penetration attempts, but also lets clients benefit from their testers’ ever-growing understanding of new attack methods and vulnerabilities.

Australia’s penetration-testing industry has long worked to improve its professionalism through accreditation and certification bodies such as CREST, SANS Institute and Offensive Security, with pentesting firms like Shearwater highlighting the relevant qualifications that attest to their skills and integrity.

As with any mission-critical corporate function, caution and risk management remain crucial. Yet while due diligence on a prospective service provider may turn up important details, the BlackBerry Cylance report said its findings should give every company pause for thought.

“The primary goal of penetration testing is to help clients reduce their risk,” the report concluded. “Our study sheds light on a discipline where a lack of universally accepted standards allows a range of common practices that may be inadvertently introducing a host of hidden risks that could adversely impact the values, including client privacy and security, [that] pentesting was intended to protect.”