A report issued by the Five Eyes intelligence group calling out the continued use of free hacking tools has been derided as a condemnation of the security community and a thinly veiled attack on the Chinese government.
The report, jointly authored by the cyber-security agencies of the five member nations of Five Eyes – the US, UK, Canada, Australia and New Zealand – details five of the most commonly used and freely available hacking tools.
The report – drawn up by the the UK National Cyber Security Centre (UK NCSC), the US National Cybersecurity and Communications Integration Center (NCCIC), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS) and the New Zealand National Cyber Security Centre (NZ NCSC) – has ostensibly been produced to help the work of network defenders and systems administrators by providing advice on limiting the effectiveness of these tools and detecting their use on a network.
Among the tools described are remote access trojans (RATs), web shells, lateral movement frameworks, command and control (C&C) obfuscators and credential stealers. All of these have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence, the report said.
The RAT singled out in the report is JBiFrost, a variant of Adwind. The report warned that this is typically employed by cyber-criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.
The report also mentions a webshell called China Chopper. It has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled. The webshell client can issue terminal commands and manage files on the victim server.
Another tool mentioned is Mimikatz. This is used by attackers to collect the credentials of other users who are logged into a targeted Windows machine.
Cyber-security agencies also warned about a tool called PowerShell Empire. This is a lateral movement framework released in 2015 as a legitimate penetration testing tool. The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network.
This tool was used in hacks of the UK energy sector and in Winter Olympics-themed socially engineered emails and malicious attachments as part of a spear-phishing campaign targeting several South Korean organisations.
The last tool detailed in the report is HUC Packet Transmitter (HTran). This enables hackers to obfuscate communications, as well as evade intrusion and detection systems on a network.
The report said the widespread availability of these tools "presents a challenge for network defence and actor attribution".
"Experience from all our countries makes it clear that, while cyber-actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives," it said.
Ross Rustici, senior director of intelligence services at Cybereason, told SC Media UK that the report is like a greatest hits album for a struggling record company.
"Everything is old, well known and generally elicits a sense of nostalgia mixed with loathing," he said.
"This report highlights the collective failure of the security community to adequately address known threats. The hacking community evolves based on necessity, and if tools from 2007 are still fundamentally successful, we will continue to see the use of these old favourites because there is no sense in fixing what isn't broken," he said.
"The fact that this release is essentially a veiled attempt to call out Chinese tools and activity without naming China directly likely serves a larger political purpose of trying to ramp up the narrative of China as an adversary that the Trump Administration is currently hyping," Rustici said.
"Free hacking tools are hardly a new phenomenon," said Paul Ducklin, senior technologist at Sophos. "That genie emerged from the bottle decades ago – so there’s not much point in trying to regulate it back in. Heck, text editors like NOTEPAD and a system configuration tools like the Windows Registry Editor are both hacking tools in the right-or-wrong hands."