Script Kiddies and APT Groups Now Using the Same Malware

You no longer have to be an expert coder to become an expert hacker. Powerful malware, coded by third parties, is now available — for free in some cases — if you know where to look. With the help of a few online tutorials, you can get up and running with this malware in just an hour or two. If you are comfortable enough with technology to use a spreadsheet, you’ll have no trouble at all infecting computers.

For many years, there was a marked gap in ability between “script kiddies” — low-skill hacking amateurs who use simple scripting tools to attack websites — and the upper echelons of hackers. The white-hat version of these hackers populates the ranks of intelligence agencies and security companies, while the black hats turn their expertise to organized crime and cyberespionage. Now, however, these attackers are all using the same tools. How can companies defend themselves against this new development in the ongoing cyber-arms race?

What Kind of Malware Do You Need to Look Out For?

There are two general categories of freely available malware that may end up pointed at your network:

Repurposed Penetration Testing Tools

Penetration testing tools—such as nmap, Metasploit, and Mimikatz—are typically used for legitimate purposes. They help information security professionals understand where vulnerabilities lie in an enterprise network, giving them a roadmap towards solving those issues. Unfortunately, a penetration testing tool in the wrong hands can easily become part of an attacker’s toolkit. Attackers can easily pick up and use (again, at no cost) a copy of Kali Linux, which bundles all of the tools above into a single package, and then use it for malicious purposes.

One recent example of this kind of attack involves the misuse of a penetration testing tool called Cobalt Strike. This tool is what’s known as a post-exploitation agent—it’s designed to simulate an advanced persistent threat (APT) that lurks quietly on a compromised network, drops a selection of malware, and then exfiltrates data slowly over a period of months. Unfortunately, a tool designed to mimic an APT can also be used exactly like an APT—and a team of hackers did exactly that, using it to drop Sodinokibi ransomware on large companies in the service, food, and healthcare sectors.

In a separate incident, attackers used Cobalt Strike for an even more sinister purpose—targeting military networks and government servers in Southeast Asia by dropping remote access trojans, which would allow attackers full access to sensitive systems. Because Cobalt Strike and tools like it are so advanced, even spy agencies and organized criminals buy them off the rack in order to save the effort of developing an equally effective tool from scratch.

Leftovers from Successful Attacks

You probably remember the WannaCry and NotPetya ransomware worms, both of which were based on an exploit known as EternalBlue. What you may not know is that attackers are still using versions of EternalBlue:

- In Japan, China, and other Asian countries, a malware variant used EternalBlue and Mimikatz to spread cryptomining malware.
- A botnet known as Kingminer is using the EternalBlue exploit to spread into unpatched Windows operating systems. In a nod to current events, its source code contains references to the novel coronavirus pandemic.
- EternalBlue also formed part of the mechanism for a ransomware-as-a-service offering known as Yatron. Although the malware was initially dropped via a tool known as Hidden Tear, it contains an EternalBlue module that is supposed to let it spread laterally through networks. (Fortunately, the EternalBlue module was left unfinished.)
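Each of the cases above depends on Windows hosts that still expose SMBv1, the protocol EternalBlue exploits. The following PowerShell snippet is an added example for defenders and is not part of the original article: it audits whether a host still has SMBv1 enabled and shows how to turn it off. The cmdlets are the standard Windows ones; the function names Get-Smb1Status and Disable-Smb1 are my own, and the script assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where Get-SmbServerConfiguration exists.

```powershell
# Added example (not from the original article): audit SMBv1 exposure on a Windows host.
# EternalBlue targets SMBv1; the durable mitigation is to apply the MS17-010 update
# and disable SMBv1 entirely. Run from an elevated PowerShell session.

function Get-Smb1Status {
    # Server-side switch: is the SMBv1 protocol enabled on this host?
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Optional feature state (Windows 10 / Server 2016 and later); absent on older builds.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server side and remove the optional feature.
    # -Force suppresses the confirmation prompt; -NoRestart defers the reboot to a change window.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is still enabled on $($status.ComputerName): disable it and confirm the MS17-010 update is installed."
    # Disable-Smb1   # uncomment to remediate once a change window is approved
}
```

Run the audit across a fleet by wrapping Get-Smb1Status in Invoke-Command; hosts reporting Smb1ServerEnabled as True or a feature state of Enabled are the ones a worm carrying an EternalBlue module can still reach.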

EternalBlue is far from the only example of an exploit that has evolved past its original debut. You may remember the Mirai botnet that crashed the Dyn DNS system and brought down the internet in vast areas of Europe and North America back in 2016. Although Mirai was, at the time, the largest DDoS attack in history, it has since been surpassed several times—often by botnets building on the original Mirai source code. The creator of one such botnet, known as Satori, was recently sentenced to 13 months in prison.

These two kinds of malware can combine in interesting ways. Yatron, for example, uses EternalBlue as we’ve mentioned. We also mentioned that it was based on a kind of ransomware known as Hidden Tear—which is also a repurposed penetration testing tool. Hidden Tear was an open-source project designed to make a ransomware sample freely available to security researchers and infosec professionals. Instead, attackers took Hidden Tear and ran with it, refining the original source code into an incredibly powerful tool.

Protecting Yourself from Off-the-Shelf Malware

The fact that attackers are using off-the-shelf malware gives you one small but important advantage—you can know your enemy. If you suspect that attackers will use tools like Metasploit and Cobalt Strike to attack your systems, you have the opportunity to download these tools, inspect them for yourself, and harden your systems against them.

On the other hand, attackers have a vast selection of tools to choose from—both pen-testing tools and repurposed malware from existing campaigns. You, by contrast, may be a team of one, and you may not have time to cover all your bases. In that case, you need to take a broad-spectrum approach to defense.

You need to proceed on the assumption that, given the power and diversity of the malware arrayed against you, the only blanket defense is to make sure that attackers can never interact with your network. Zero Trust tools such as Remote Browser Isolation, which renders websites in a virtual browser inside a secure cloud-based container and streams only safe, interactive rendering information to the user’s desktop browser, essentially prevent any malware on those websites from reaching the endpoint. The malware remains in the container, remote from the desktop, and when the container is destroyed at the end of the session, the malware is destroyed with it. Other Zero Trust tools, such as software-defined perimeters, can literally hide your network, along with any open ports, from the public internet.

With both novice and experienced hackers using the same, highly effective tools, the only way to achieve true security is to prevent them from obtaining the faintest toehold. Rather than a catch-up defense strategy of developing ways to protect against each individual tool, the smart choice is to leverage a solution that blocks every potential intrusion enabler as aggressively and proactively as you possibly can.

Author Bio

Mendy Newman is the Group CTO, APAC and ROW at Ericom Software. Mendy’s team focuses on delivering implementation and architecture solutions to our customers worldwide.
