Metasploit Framework: A Popular Tool among Cybercriminals

Metasploit Framework (MSF) is a modular penetration testing framework designed for ethical hackers, but it is also misused by cybercriminals. The open-source framework was recently found being used to exploit the Zerologon vulnerability.

What was discovered?

In a recent attack, Metasploit shellcode was deployed as a payload against Docker for the first time.
  • The entire malicious payload was compressed into a small file and encoded with Base64.
  • A proof-of-concept exploit was created to show that MSF can be used to develop an exploit module. The exploit module was successfully tested against SharePoint 2019 (CVE-2020-16952) on Windows Server 2016.

Recent activities and reports

  • Last month, Cisco released a report revealing that dual-use tools, such as Metasploit, PowerShell, CobaltStrike, and Powersploit, are being actively used by attackers to target corporate endpoints. They rank as the second most common attack vector, after fileless malware.
  • The same month, three Iranian hackers were charged with breaching U.S. satellite companies. They used tools such as Metasploit, Mimikatz, NanoCore, and a generic Python backdoor.

Why do cybercriminals like it?

  • The framework's ability to pair any exploit with any payload is a significant advantage, and a convenient feature for a cybercriminal.
  • In addition, it supports multiple platforms, including Unix, Linux, Mac OS X, and Windows.

Ease of learning and use

The framework is easy to learn because several free and inexpensive resources are available on the internet. The official website offers detailed documentation, and its YouTube channel provides videos. This is the major downside of dual-use tools: the same accessibility lets cybercriminals use them for malicious purposes.

Conclusion

Many cybercriminals frequently use the framework because of the advantages it gives them. Thus, experts recommend applying whitelisting for file execution, using group policies to grant only temporary access to dual-use tools, and regularly monitoring network connections to stay protected.