Posted on October 13, 2020 at 1:09 PM
The cyber community faces a constant stream of threats from malware and cyber attacks, with millions of dollars lost to them every month. Malware threat actors use a variety of tools to exploit vulnerable systems and gain access.
A recent report has revealed that some threat actors are now using open-source offensive hacking tools to exploit systems and networks.
The tools, commonly referred to as OST (offensive security tools) in the cyber-security field, are libraries, exploits, and software applications that can be used for offensive activity and are released either under open source licenses or as free downloads.
They are generally released to offer proof-of-concept exploits for a new vulnerability. Sometimes, they are employed as penetration testing utilities or to show a new hacking technique.
But some bad actors can find ways to use the tools and try to hack into systems, as reported recently.
Today, the debate over OST tools is one of the most controversial in the field: some factions are against their release, while others see their benefits.
Those who are in favor of such tools argue that they can enable organizations and cybersecurity experts to prepare networks and systems for future attacks.
On the other hand, those who are against OST tools say the tools let attackers spend less developing their own tooling, and encourage them to hide their activities among the noise of legitimate testing and pen-tests.
They argue that if attackers can reduce their operational costs by leveraging OST tools, it will lead to more attacks in the future.
Setting the rules for OST usage
For over ten years, the cybersecurity community has not come to a truce regarding the release of OST tools. But most of their arguments have been based on convictions and personal experiences, and not on actual raw data.
However, Paul Litvak, a security researcher at cyber security firm Intezer Labs, has tried to address this issue by gathering facts about how OST tools are actually used.
He gathered data on 129 open source hacking tools and looked at several cyber security reports and malware samples. The research aimed to find out how many hacking groups have adopted OST tools for their hacking activities.
He compiled a list of groups using these tools, which included elite financial crime groups, low-level malware gangs, as well as nation-state sponsored APTs.
Popular state-backed groups also adopt OST tools
Litvak discovered that OSTs are widely adopted by threat actors across the cybercrime ecosystem, including well-known state-backed threat actors such as TrickBot and DarkHotel. Many of the groups use libraries or tools that were first released by cyber security firms and are now frequently repurposed for cybercrime.
Litvak said his research team discovered that RAT tools and memory injection libraries are two of the most commonly used projects in the cybercrime ecosystem.
“We found [that] the most commonly adopted projects were memory injection libraries and RAT tools,” he said.
Other widely used projects include Quasar, PowerSploit, and Empire. To no one's surprise, the lateral movement category was dominated by Mimikatz.
In the UAC bypass category, the UACME library dominated overall, while Win7Elevate was used mainly by Asian hacking groups. Litvak attributes that regional preference to the larger install base of Windows 7 in Asia.
Litvak thinks many hackers still prefer the tools sold on black-hat forums because of their superior features, so some malware gangs adopt those instead of the offensive tools released by the cyber security community.
Mitigating wide OST abuse
Litvak observed that OST tools with more complex features are harder for threat actors to adapt and use. According to him, such tools require a deeper level of understanding to operate, which largely cancels out the benefit attackers get from reusing them.
Litvak has advised that those who develop or design OST tools take a more technical approach and deliberately build complexity into the code, making the tools harder for attackers to adopt. If adding more complex features is not possible, he said, developers should at least make the code more unique to dissuade attackers.