Are penetration testing tools infosecurity's Jekyll and Hyde?

News by Davey Winder

The first time you got your hands on powerful penetration testing tools, you must have thought 'just think what I could do with this'. And that's just what the criminals think too - and then they do it.

The newly published WatchGuard Internet Security Report for Q3 2019 reveals that two new malware variants involving Kali Linux penetration testing tools have debuted on the WatchGuard 'top ten' list of malware by volume.

The first of these was Boxter. This PowerShell trojan was used to both download and install applications onto a victim’s device without consent. The second was Hacktool.JQ, the only other authentication attack tool besides Mimikatz to make it into that top ten list. 

"It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools," a WatchGuard spokesperson said.

However, within the cyber-security industry it is a given that cyber-criminals are leveraging penetration testing tools. It really should come as no surprise that they use the same legitimate tools employed by penetration testers the world over: those tools are often free, always readily available, and they work. One recent study determined that the majority of Advanced Persistent Threat (APT) groups use these pen-testing tools to execute their attacks, as well as legitimate system admin tools to maintain persistence within networks once they have been breached.

"As a defender, we see regularly on our monitoring platforms use of tools such as MASSCAN and OpenVAS," Mike Thompson, co-organiser of the BeerConOne security convention says, "more subtle attacks such as SQLi can be attributed back to tools such as SQLMap, simply due to how the requests are constructed." 

And why wouldn't cyber-criminals use these common tools to do the heavy lifting of attack reconnaissance for them, asks Tucker, co-founder of Human Firewall and a former European CISO of the Year? Tucker isn't surprised that they do, given the multitude of tools available for good and bad, including paid-for, high-end subscription engines. "It's not like criminals haven't got the money to invest in the same tools as your red teams, threat hunters or pen testers," Tucker says, "it's all a part of the same game of attack and defence, whether that is simulatory, exploratory or the actual adversaries. The tools and techniques apply to all."

"It makes perfect sense that attackers would use tools which were developed to aid in penetration testing, especially since many of these are free," Sean Wright, chapter leader of OWASP Scotland, told SC Media UK. "Why would they spend the time and effort creating their own, when they can simply use such tools?" The potential for malicious use is always a worry, and an oft-quoted criticism, concerning such pen-testing tools.

Cobalt Strike and Metasploit Pro platforms are known to be particular favourites with cyber-criminals looking for known and unpatched vulnerabilities, including system misconfigurations, for example. "The problem with great cyber-exploitation tools is they don't come with a moral compass," says Ian Thornton-Trump, cyber-threat intelligence expert and CompTIA global faculty member. "Cobalt Strike is probably the most dangerous tool that is being used both legitimately and illegitimately indiscriminately." Would some form of regulatory 'cyber-weapon arms control' make a whole heap of difference to cyber-criminals or APT actors? "Probably not," Thornton-Trump told SC Media UK, "but something needs to be done as we are putting very dangerous and serious tools into the hands of folks who may be of questionable ethics and motivations."

"If anything can be learnt from this, it is that more companies should consider effective penetration testing from well-known ethical hacking pen testing teams," Jake Moore, cyber-security specialist at ESET, says, "it's always better to be caught out by the good guys first and then patch those vulnerabilities whilst you still can."
