Testing the mettle: legit tools for illicit cyberespionage

Instead of writing their own malicious tools, criminals are increasingly using the off-the-shelf malware, and more and more often – totally legitimate software.

Securelist has released a thoughtful – and somewhat pessimistic – report on cybercriminals using an open source security testing tool for browsers with malicious purposes. The browser exploitation framework, also known as BeEF, a free and open pentest tool, has been used extensively during a number of various attacks including quite a few high-profile ones.

New trend: hackers go low-tech

According to Kaspersky Lab’s researchers, this is a new trend in the cyberunderground. Instead of writing their own malicious tools, criminals are increasingly using off-the-shelf malware more and more often – totally legitimate software.

BeEF? – absolutely “clean,” developed with clear and useful purpose. Here’s an excerpt from the official description:

“It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.”

The penetration testing procedure and a malicious attack are only different by their outcome and by whether the hackers are ethical or not. Technically, they are the same (or almost the same) thing. Malicious hackers are pentesters, of sorts. But an attacked business isn’t going to pay for such “services” voluntarily.

Not the first time

BeEF isn’t the first legit tool to be used maliciously; far from it.

Kaspersky Lab experts earlier observed APT actors using legitimate security and pentesting tools – Metel group and GCMan. The latter use only legitimate tools in their activities – PuTTy, VNC (check out: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/) and Meterpreter utilities.

Securelist also mentions APTs Crouching YetiTeamSpy which used both open source offensive toolkits and legitimate software to conduct their attacks.

Not to put too fine a point on it, there’s a well known Rapid7’s Metasploit product; officially legitimate, it has about 900 working exploits included, so even some script-kiddies may be able to hit any underprotected network hard.

Going back to BeEF, Kaspersky Lab’s experts say they are seeing more and more hacking groups using this tool as “an attractive and effective alternative” to malware tools.

“This fact should be taken into account by corporate security departments in order to protect the organization from this new threat vector,” says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

Counteraction (don’t expect a downhill battle)

Kaspersky Lab’s GReAT team says effective prevention of attacks involving beef requires a mix of technologies, since there are a number of techniques used by the attackers. Unless turning off JavaScript isn’t an option (and in most cases, it isn’t), the combination of network and host based detection is required to fully handle more serious incidents.

There’s a Chrome browser plugin that detects the BeEF cookie, but serious players easily evade it.

Preventing the social engineering sessions for credential theft and Metasploit exploit integration makes immediate sense and can be incorporated at the network and more effectively at the host level, GReAT says.

However, battling a really determined attacker using tools like BeEF would be a difficult task, GReAT says.

There are no “silver bullets” against attacks like these, but there is a multi-layer approach to security, which is a necessity/good practice today (and ever).

And since targeted attacks are on the rise over the last few years, Kaspersky Lab has developed specialized solutions to battle them specifically. Anti-APT is one of them. Also check out Securelist’s paper “Strategies for Mitigating Advanced Persistent Threats (APTs)” to learn more about targeted attacks and mitigating them.

Tips