By SecureWorld News Team
Fri | Oct 12, 2018 | 6:31 AM PDT

Publicly available hacking tools are being used so often in cyber attacks this year that five governments issued an extremely rare joint cyber alert.

US-CERT joined with cybersecurity authorities in Australia, Canada, New Zealand, and the United Kingdom—the intelligence partnership known as Five Eyes—to tell the world about what is happening.

Publicly available hacking tool #1:

Remote Access Trojan (RAT), JBiFrost

"Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries."

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

  • Inability to restart the computer in safe mode
  • Inability to open the Windows Registry Editor or Task Manager
  • Significant increase in disk activity and/or network traffic
  • Connection attempts to known malicious IP addresses
  • Creation of new files and directories with obfuscated or random names
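The indicators above are host-level symptoms rather than signatures, so they are easiest to act on when endpoint telemetry is checked against each one. The following is an added example, not code from the alert or from SecureWorld: it runs a few constructed host events through one check per indicator. The blocklist addresses, file paths, byte counts and the mapping of "cannot open Registry Editor or Task Manager" to the Windows `DisableRegistryTools` and `DisableTaskMgr` policy values are assumptions made for the example (the policy values are real Windows settings; that a given RAT uses them is not stated by the alert).

```python
import statistics

# Constructed sample data for this example (placeholder values, not IoCs from the alert).
# Hypothetical blocklist of "known malicious" addresses, drawn from the TEST-NET ranges.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}

# Windows policy values that, when set to 1, block regedit.exe and taskmgr.exe.
# Assumption: a RAT that prevents these tools from opening may do so via these values.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADMIN_TOOL_LOCKS = {"DisableRegistryTools": "Registry Editor", "DisableTaskMgr": "Task Manager"}

SAMPLE_EVENTS = [
    {"type": "registry", "key": POLICY_KEY, "value": "DisableRegistryTools", "data": 1},
    {"type": "registry", "key": POLICY_KEY, "value": "DisableTaskMgr", "data": 1},
    {"type": "netconn", "dst_ip": "203.0.113.45", "dst_port": 1777},
    {"type": "netconn", "dst_ip": "192.0.2.80", "dst_port": 443},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\xq7zk2pvn9\aj3w8yq.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx"},
    # Hourly outbound byte counts: seven hours of history followed by the current hour.
    {"type": "net_stats",
     "history_bytes": [12_000, 15_000, 11_000, 14_000, 13_000, 12_500, 14_500],
     "current_bytes": 210_000},
]

VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Heuristic for obfuscated names: long enough, mixes letters and digits,
    and has few vowels (pronounceable words are vowel-rich)."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 7:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return has_digit and has_alpha and vowel_ratio < 0.25


def triage(events, bad_ips=KNOWN_BAD_IPS, traffic_factor=3.0):
    """Map each indicator from the alert to the evidence found in the events."""
    findings = {}
    for ev in events:
        if (ev["type"] == "registry" and ev["key"] == POLICY_KEY
                and ev["value"] in ADMIN_TOOL_LOCKS and ev["data"] == 1):
            findings.setdefault("admin_tools_disabled", []).append(ADMIN_TOOL_LOCKS[ev["value"]])
        elif ev["type"] == "netconn" and ev["dst_ip"] in bad_ips:
            findings.setdefault("malicious_ip", []).append(f"{ev['dst_ip']}:{ev['dst_port']}")
        elif ev["type"] == "file_create":
            parts = ev["path"].split("\\")
            if any(looks_random(p) for p in parts[1:]):  # skip the drive letter
                findings.setdefault("random_names", []).append(ev["path"])
        elif ev["type"] == "net_stats":
            # Compare the current hour with the median of the history, which resists
            # a single earlier spike skewing the baseline.
            baseline = statistics.median(ev["history_bytes"])
            if ev["current_bytes"] > traffic_factor * baseline:
                findings.setdefault("traffic_spike", []).append(
                    f"{ev['current_bytes']} bytes vs median {baseline:.0f}")
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_EVENTS).items():
        print(indicator, "->", evidence)
```

The safe-mode indicator is left out because it needs a boot-time test rather than a log lookup; the other four each become one independent check, so a single match is a lead to investigate, and several matching on the same host is what should raise the severity.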

Publicly available hacking tool #2:

Webshell, China Chopper

China Chopper is a publicly available, well-documented webshell.

According to the cybersecurity alert:

"China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution."

Publicly available hacking tool #3: 

Credential stealer, Mimikatz

The US-CERT and international cybersecurity alert says:

"Mimikatz is mainly used by attackers to collect the credentials of other users, who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).

More recently, Mimikatz was used in conjunction with other malicious tools—in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes."
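Because the alert describes Mimikatz reading credentials out of LSASS memory, the defender's signal is a process opening `lsass.exe` with memory-read rights. This added example, not code from the alert or from any vendor, applies that check to a few constructed Sysmon-style ProcessAccess (Event ID 10) records. The access-right constants are the documented Win32 process access rights; the allowlist of images permitted to read LSASS and the sample paths are assumptions for the example and would be tuned per environment.

```python
# Win32 process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

ACCESS_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Assumption for the example: images allowed to read LSASS memory (e.g. the local AV engine).
ALLOWLIST = {r"c:\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe"}

# Constructed Sysmon-style events (sample data, not from the alert).
SAMPLE_EVENTS = [
    {"event_id": 10, "source_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"event_id": 10, "source_image": r"C:\Users\alice\Downloads\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10,
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 10, "source_image": r"C:\Users\alice\Downloads\tool.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": "0x1010"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe"},
]


def decode_access(mask):
    """Name the known access-right bits set in a mask, for analyst readability."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def detect_lsass_access(events, allowlist=ALLOWLIST):
    """Return (source_image, decoded rights) for non-allowlisted processes that
    opened lsass.exe with memory-read rights. Query-only opens (no VM_READ) are
    common and benign, so they are not reported."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 10:
            continue
        if not ev["target_image"].lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev["granted_access"], 16)
        if not mask & PROCESS_VM_READ:
            continue
        if ev["source_image"].lower() in allowlist:
            continue
        hits.append((ev["source_image"], decode_access(mask)))
    return hits


if __name__ == "__main__":
    for image, rights in detect_lsass_access(SAMPLE_EVENTS):
        print(image, rights)
```

Of the four ProcessAccess records, only the unknown binary reading LSASS is reported: the WMI provider asks for limited query rights only, and the allowlisted AV engine is skipped even though it requested full access, which is exactly the kind of exception an analyst has to document rather than silently accept.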

Publicly available hacking tool #4: 

Lateral movement framework, PowerShell Empire

The cyber alert puts it like this:

"PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. 

During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.

In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a steganographic tool that will encode any PowerShell script into an image.

In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.

Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance."
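The UK energy-sector intrusion above was caught through "beaconing activity using the tool's default profile settings", that is, an agent checking in to its server on a fixed schedule. The generic detection behind that is timing regularity, and it does not depend on knowing any particular tool's profile. This added example, not code from the alert or from the Empire project, parses constructed proxy log lines and flags client/host pairs whose request intervals have almost no variation. The log format, the addresses and the thresholds (`min_hits`, `max_cv`) are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# The 203.0.113.9 host is a placeholder, not an address from the alert.
SAMPLE_LOG = """\
2018-02-14T09:00:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:00:07Z 10.20.1.55 GET http://intranet.example/home 200
2018-02-14T09:01:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:02:01Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:02:40Z 10.20.1.55 GET http://intranet.example/docs/policy.pdf 200
2018-02-14T09:03:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:04:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:05:01Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:05:33Z 10.20.1.55 GET http://intranet.example/home 200
2018-02-14T09:06:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:07:00Z 10.20.1.55 GET http://203.0.113.9/index.html 200
2018-02-14T09:12:19Z 10.20.1.55 GET http://intranet.example/search?q=hr 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host = urlsplit(m.group(4)).hostname
        yield ts, m.group(2), host


def find_beacons(text, min_hits=6, max_cv=0.2):
    """Return (client, host, hits, mean_interval_s) for client/host pairs whose
    request intervals are nearly constant (coefficient of variation below max_cv)."""
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)
    beacons = []
    for (client, host), times in series.items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean == 0:
            continue
        cv = statistics.stdev(deltas) / mean  # jitter relative to the interval
        if cv < max_cv:
            beacons.append((client, host, len(times), mean))
    return beacons


if __name__ == "__main__":
    for client, host, hits, mean in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} requests every ~{mean:.0f}s")
```

In the sample, the eight requests to the external host arrive every 60 seconds give or take one, so their coefficient of variation is near zero, while the interleaved intranet browsing never reaches `min_hits`. An agent configured with deliberate jitter raises the variation, so `max_cv` is the knob that trades sensitivity against false positives from legitimately periodic clients such as update checkers.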

Publicly available hacking tool #5:

C2 obfuscation and exfiltration, HUC Packet Transmitter

"Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.

Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications."
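Three facts in this incident write-up translate directly into host checks: HTran relays TCP sessions (so one process both accepts a connection and originates another), the binary was dropped under ProgramData, and a web server that had no business serving RDP started listening for it. This added example, not code from the alert, evaluates constructed connection and process snapshots for those three shapes. The paths, addresses and baseline ports are assumptions for the example; the relay heuristic is a generalization of the HTran description rather than a signature for that tool.

```python
from collections import defaultdict

# Constructed snapshots for this example (placeholder paths and addresses, not from the alert).
PROCESSES = {
    1204: r"C:\Windows\System32\svchost.exe",
    3320: r"C:\ProgramData\updsvc\updsvc.exe",   # hypothetical relay binary dropped in ProgramData
    4410: r"C:\Windows\System32\svchost.exe",
}

# Fields: proto, local_addr, local_port, remote_addr, remote_port, state, pid
CONNECTIONS = [
    ("tcp", "0.0.0.0", 443, "0.0.0.0", 0, "LISTENING", 1204),
    ("tcp", "0.0.0.0", 8080, "0.0.0.0", 0, "LISTENING", 3320),
    ("tcp", "192.0.2.10", 8080, "198.51.100.23", 51234, "ESTABLISHED", 3320),
    ("tcp", "192.0.2.10", 49822, "10.0.5.21", 3389, "ESTABLISHED", 3320),
    ("tcp", "0.0.0.0", 3389, "0.0.0.0", 0, "LISTENING", 4410),
]

# Ports the server was known to listen on before the incident (assumed baseline).
BASELINE_LISTENERS = {443}


def classify(connections):
    """Group connections per pid into listening ports, inbound and outbound sessions.
    An established session whose local port is one the pid listens on is inbound."""
    per_pid = defaultdict(lambda: {"listen": set(), "inbound": [], "outbound": []})
    for _, _, lport, _, _, state, pid in connections:
        if state == "LISTENING":
            per_pid[pid]["listen"].add(lport)
    for _, _, lport, raddr, rport, state, pid in connections:
        if state != "ESTABLISHED":
            continue
        direction = "inbound" if lport in per_pid[pid]["listen"] else "outbound"
        per_pid[pid][direction].append((raddr, rport))
    return per_pid


def find_relays(connections):
    """Pids that both accept a session and originate one: the TCP relay shape a
    redirector like HTran produces. Returns {pid: (inbound peers, outbound peers)}."""
    return {pid: (c["inbound"], c["outbound"])
            for pid, c in classify(connections).items() if c["inbound"] and c["outbound"]}


def find_programdata_network(connections, processes):
    """Pids with any network activity whose image lives under ProgramData."""
    active = {pid for *_, pid in connections}
    prefix = "c:\\programdata\\"
    return {pid: path for pid, path in processes.items()
            if pid in active and path.lower().startswith(prefix)}


def find_new_listeners(connections, baseline=BASELINE_LISTENERS):
    """Listening ports absent from the baseline, e.g. RDP (3389) appearing on a web server."""
    return {lport: pid for _, _, lport, _, _, state, pid in connections
            if state == "LISTENING" and lport not in baseline}


if __name__ == "__main__":
    print("relays:", find_relays(CONNECTIONS))
    print("programdata with network:", find_programdata_network(CONNECTIONS, PROCESSES))
    print("new listeners:", find_new_listeners(CONNECTIONS))
```

Each check on its own has benign matches (reverse proxies relay, some installers live in ProgramData, RDP may be enabled on purpose); the value is in the overlap, and in the sample the same pid trips the first two while a second process has opened the RDP port that the baseline never contained.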

The multinational cybersecurity alert also includes high-level details on detection, protection, and mitigation of these widespread cyber threat methods. 

Why did 5 nations issue a joint cybersecurity alert?

Why did the countries report these specific tools when there are so many different attack vectors in the wild? Here is the answer:

"The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution."

The National Cybersecurity and Communications Integration Center (NCCIC) also asks you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at http://www.us-cert.gov/
