NCCIC issues alert on global cyber attacks targeting ‘publicly available tools’

• The tools listed in this Activity Alert have been widely used around the world in multiple incidents.
• Details such as tool capabilities, recent example incidents, detection strategies, prevention strategies, and mitigation's are listed in the Alert.

The National Cybersecurity and Communications Integration Centre (NCCIC), a key department of U.S Department of Homeland Security’s cybersecurity and communications wing, released an alert. The warning suggested a widespread threat about global malicious cyber attacks based on ‘publicly available tools’.

The warning also provided an overview and capabilities of the tools allowing users to defend against potential threats that could target their network using these tools. The tools listed in the Activity Alert have been used worldwide to compromise information across a wide range of critical sectors, including health, finance, government, and defense, said the alert.

The joint Activity Alert is an extensive research created in collaboration with the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom National Cyber Security Centre.

The Activity Alert focuses on the technical details of below mentioned five publicly available tools, which have been used for malicious purposes in recent cyber attacks from around the world.

Remote Access Trojan: JBiFrost

JBiFrost RAT is a variant of Admind RAT, which has code terminology similar to the Frutas RAT discovered in 2012. This Java-based, cross-functional and multifunctional toolkit could be easily employed by cybercriminals and low-skilled threat actors. The toolkit also possesses capabilities that could easily be adapted by a state-sponsored threat actor, according to the Alert.

Webshell: China Chopper

China Chopper is a malicious web shell program used by cybercriminals since 2012. The malware is just 4KB in size, making it stealthy and difficult to remove from a compromised host. However, the web shell attempts to take administrative capabilities of a host after a successful compromise.

Credential Stealer: Mimikatz

Mimikatz is an extensive credential stealer malware used by cybercriminals to steal credential of other users from various websites and by accessing the Windows process called Local Security Authority Service (LSASS). “Mimikatz source code is publicly available, which means anyone can compile their own versions of the new tool and potentially develop new Mimikatz custom plug-ins and additional functionality,” read the Alert.

Lateral Movement Framework: PowerShell Empire

PowerShell Empire can be used by attackers to generate malicious document and executable for launching social-engineering attacks. It could also allow the attacker to move around the network once it is compromised. According to the Alert, “PowerShell Empire has become increasingly popular among hostile state actors and organized criminals.”

C2 Obfuscation and Exfiltration: HUC Packet Transmitter

HUC is an open-source tool, available on the internet since 2009. Hackers use HTran as a proxy tool to intercept and redirect Transmissions Control Protocol (TCP) connections. This allows the hackers to duplicate an attacker’s communication with a victim.

The Alert also detailed recent event and examples related to each tool for the benefit of defenders. As most of them are well-documented and established toolkits detection and prevention strategies are also detailed with the Alert. However, from the knowledge of other countries, it is highly possible that threat actors will continue to develop the capabilities of these tools and exploitation techniques. Hence, an organization can adapt to mitigation measures against these threats, using the reference listed in the Alert.