A recent joint report published by the Australian Cyber Security Centre describes the tools and techniques that cybercriminals most commonly use to carry out attacks. The report, titled Joint Report on Publicly Available Hacking Tools, highlights five basic categories of tools and methods that a cybercriminal uses.
Let's look at each of these tools in more detail:
- Remote Access Tools:
A remote access tool (RAT) grants the attacker remote administrative control once it is installed on the target's machine. That control lets the attacker upload and download files, execute commands, log keystrokes, and even record the user's screen.
RATs are typically delivered by phishing emails carrying attachments disguised as invoices, quotation requests, payment notices, or shipment notices. Once the target opens the attachment, the RAT installs itself, and anything on the machine, from intellectual property to banking information, becomes easy to extract.
A RAT can also enlist the infected machines in a botnet to carry out DDoS attacks. The emails that deliver a RAT are crafted to look like genuine business correspondence, so that the targeted audience opens the malicious attachment and exposes their valuable data.
Organizations need to keep the antivirus on their network up to date to reduce the impact of RATs. They should also deploy monitoring that builds a baseline of normal behavior, compares activity against that baseline continuously, and hunts for deviations that suggest suspicious activity.
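As an added example (it is not from the page or the report): a minimal baseline-and-deviation check in Python. It learns which destinations each host normally talks to from a baseline window of outbound connections, then flags connections in a later window to destinations the host has never contacted, rating non-web ports higher. The connection records are constructed for illustration, and the host names, destinations and the list of "common" ports are assumptions.

```python
from collections import defaultdict

# Constructed outbound-connection records (not real logs): (source host,
# destination, destination port). The baseline window represents normal
# activity; the detection window is what we check against it.
BASELINE_LOG = [
    ("ws01", "mail.example.test", 443),
    ("ws01", "intranet.example.test", 80),
    ("ws01", "update.example.test", 443),
    ("ws02", "mail.example.test", 443),
    ("ws02", "intranet.example.test", 80),
]

DETECTION_LOG = [
    ("ws01", "mail.example.test", 443),     # in baseline: normal
    ("ws01", "203.0.113.77", 6666),         # never seen, non-web port
    ("ws01", "203.0.113.77", 6666),         # repeated: counted, not re-reported
    ("ws02", "intranet.example.test", 80),  # in baseline: normal
    ("ws02", "cdn.example.test", 443),      # never seen, but a web port
]

# Ports where a new destination is unremarkable on its own (an assumption
# for this example; tune it to the environment).
COMMON_PORTS = {80, 443}


def build_baseline(records):
    """Map each host to the set of (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for host, dest, port in records:
        baseline[host].add((dest, port))
    return baseline


def find_deviations(records, baseline):
    """Report each (host, dest, port) absent from the host's baseline.

    Returns a list of (host, dest, port, severity, count); a new destination
    on a non-web port is 'high', on a web port 'low'.
    """
    counts = {}
    for host, dest, port in records:
        if (dest, port) in baseline.get(host, set()):
            continue
        counts[(host, dest, port)] = counts.get((host, dest, port), 0) + 1
    findings = []
    for (host, dest, port), count in counts.items():
        severity = "low" if port in COMMON_PORTS else "high"
        findings.append((host, dest, port, severity, count))
    return findings
```

The repeated connection from ws01 to 203.0.113.77:6666 is exactly the kind of "never seen before, non-web port, keeps happening" pattern a hunt should start from; the new CDN host on 443 is reported too, but at low severity, so an analyst can triage it after the high-severity finding.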
- Web Shells - China Chopper:
These are malicious scripts that the attacker uploads to a target host after an initial compromise; they provide the attacker with remote access into the network. Once a web shell is in place, the attacker can use it to move laterally within the network.
The most commonly used web shell is China Chopper, a well-documented and freely available web shell that has seen frequent use since 2012.
China Chopper is widely used by attackers to access targeted web servers remotely. On those servers it provides file and directory management and a virtual terminal on the connected device. The server component of China Chopper is tiny, and because its payload is easily modified, recognizing and mitigating it is difficult for network defenders.
Through the client, the attacker can issue terminal commands and quickly manage files on the victim's server. The web shell's capabilities include uploading and downloading files, executing arbitrary commands, modifying the file system, and using the operating system's own file-retrieval tools to pull further files down to the victim.
Keeping web servers on the latest updates and security patches is essential, as is applying a secure configuration. Custom applications should be audited regularly for common web vulnerabilities.
By default, the China Chopper client generates an HTTP POST for every interaction the attacker performs. Network defenders can use this trait to identify China Chopper shells and then decode the POST bodies to understand the actions taken.
As web servers adopt Transport Layer Security, more server traffic is encrypted, which makes detecting China Chopper activity with network-based tools much more challenging. In that case the inspection has to happen where the traffic is in the clear: on the web server itself, or at a TLS-terminating proxy in front of it.
- Mimikatz - Credential Stealer:
Mimikatz is a tool for obtaining credentials from memory. It was developed in 2007 for use against Windows systems. Its primary purpose is to let an attacker obtain the credentials of other users who are logged into the targeted machine; those credentials are then reused to gain access to other devices on the network.
Mimikatz has become a standard tool used by many attackers to obtain credentials from networks. Because its source code is publicly available, attackers can compile their own versions, and new Mimikatz plug-ins and additional tooling can be developed on top of it.
It is best known for its ability to recover clear-text credentials and password hashes from memory, and it has been used by many attackers in numerous incidents. In 2011, an unknown hacker used it to obtain administrative credentials from the Dutch certificate authority DigiNotar.
It was also used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks, where it extracted administrative credentials held on thousands of computers.
To reduce the impact of this kind of attack, keep Windows up to date: each Windows version improves the protection of credentials held in memory, which reduces the information Mimikatz can obtain.
Once Mimikatz is identified, experts advise organizations to investigate thoroughly to determine whether an attacker is still present in the network. Network administrators must also monitor and respond to unusual or unauthorized account creation. Network and log monitoring solutions can help to identify this type of attack quickly.
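As an added example (it is not from the page or the report): two checks over Windows Security log events in Python, covering the monitoring the paragraph above recommends. The first flags process-creation events (event ID 4688) whose command line uses Mimikatz module syntax such as `sekurlsa::`, which still fires when the binary has been renamed. The second flags account creation (4720) by a subject outside an approved list, and any newly created account added to the Administrators group (4732) within a short window. The event records are constructed and reduced to a few fields; the field names, the approved-creator list and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (not real records), reduced to the
# fields the checks need. 4688 = process creation, 4720 = user account
# created, 4732 = member added to a security-enabled local group.
EVENTS = [
    {"id": 4688, "time": "2018-02-12T09:14:03", "host": "ws01", "user": "alice",
     "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    {"id": 4688, "time": "2018-02-12T23:41:10", "host": "srv02", "user": "svc_backup",
     "cmdline": 'C:\\Temp\\m.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 4720, "time": "2018-02-12T23:43:55", "host": "dc01", "user": "svc_backup",
     "target": "helpdesk2"},
    {"id": 4732, "time": "2018-02-12T23:44:20", "host": "dc01", "user": "svc_backup",
     "target": "helpdesk2", "group": "Administrators"},
    {"id": 4720, "time": "2018-02-13T10:02:00", "host": "dc01", "user": "it_admin",
     "target": "new_hire"},
]

# Assumed for this example: who is allowed to create accounts.
APPROVED_ACCOUNT_CREATORS = {"it_admin"}

# Mimikatz module prefixes; a renamed binary still has to pass these.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::", "mimikatz")


def flag_mimikatz_commands(events):
    """Process-creation events whose command line carries Mimikatz module syntax."""
    return [e for e in events
            if e["id"] == 4688
            and any(m in e["cmdline"].lower() for m in MIMIKATZ_MARKERS)]


def flag_account_creation(events, window_minutes=15):
    """Account creations by unapproved subjects, plus any new account that is
    added to Administrators within window_minutes of being created."""
    findings = []
    created = {}
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort as text
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"]] = t
            if e["user"] not in APPROVED_ACCOUNT_CREATORS:
                findings.append(("unapproved_creation", e["target"], e["user"]))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            born = created.get(e["target"])
            if born is not None and t - born <= timedelta(minutes=window_minutes):
                findings.append(("rapid_admin_grant", e["target"], e["user"]))
    return findings
```

For the 4688 check to see the command line at all, the "Include command line in process creation events" policy has to be enabled on the endpoints; without it the event records only the image path, and a renamed Mimikatz looks like any other executable.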
- PowerShell Empire:
PowerShell Empire gives a criminal the ability to exploit information in various ways after gaining initial access to the victim's system. It can generate malicious documents, extract information, and move across a network. The combination of a unique framework and the wide range of skills within the Empire user community makes it an essential tool for those who commit crimes.
It has become popular with attackers of all kinds, including organized crime groups. PowerShell Empire lets an attacker carry out a wide range of actions on the target's devices. It also enables PowerShell scripts to run without "powershell.exe". Its communications are encrypted, and its architecture is flexible. It uses modules to perform more specific malicious actions, giving attackers a customizable range of options for pursuing their goals on the target's systems. These include privilege escalation, credential harvesting, host enumeration, and the ability to move laterally across a network.
A UK energy company was hit by an unknown attacker in February 2018. The attacker was identified by Empire beaconing activity that used Empire's default profile settings. Weak credentials on one of the target's administrator accounts are believed to have given the attacker initial access to the network.
Organizations must log PowerShell activity, including script block logging and PowerShell transcripts, so that potentially malicious scripts can be recognized.
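As an added example (it is not from the page or the report): a Python check for the beaconing that gave away the attacker in the energy-company incident above. It scores web-proxy records two ways: requests whose URI and User-Agent match the stock Empire HTTP listener profile (the three GET paths and the Internet Explorer 11 User-Agent that the Empire project ships as its default), and (client, server) pairs whose requests arrive at near-constant intervals, which catches an agent even after the operator has changed the profile. The proxy lines are constructed; the 5-second interval, the minimum request count and the 20% jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Empire's stock HTTP listener profile: three request URIs and an IE11 User-Agent.
DEFAULT_PROFILE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
DEFAULT_PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed proxy log (not a real capture): time, client, server, URI, User-Agent.
PROXY_LOG = """\
2018-02-12T09:00:00 10.0.0.5 203.0.113.10 /admin/get.php Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2018-02-12T09:00:05 10.0.0.5 203.0.113.10 /news.php Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2018-02-12T09:00:10 10.0.0.5 203.0.113.10 /login/process.php Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2018-02-12T09:00:15 10.0.0.5 203.0.113.10 /admin/get.php Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2018-02-12T09:00:20 10.0.0.5 203.0.113.10 /news.php Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2018-02-12T09:00:02 10.0.0.7 198.51.100.20 /index.html Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0
2018-02-12T09:03:41 10.0.0.7 198.51.100.20 /about.html Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0
2018-02-12T09:05:09 10.0.0.7 198.51.100.20 /news.php Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0
2018-02-12T09:12:30 10.0.0.7 198.51.100.20 /contact.html Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0
2018-02-12T09:20:00 10.0.0.7 198.51.100.20 /index.html Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0
"""


def parse_log(text):
    """Split each line into its five fields; the User-Agent may contain spaces."""
    rows = []
    for line in text.splitlines():
        ts, client, server, uri, ua = line.split(" ", 4)
        rows.append({"time": datetime.fromisoformat(ts), "client": client,
                     "server": server, "uri": uri, "ua": ua})
    return rows


def default_profile_hits(rows):
    """Requests matching both a default-profile URI and the default User-Agent.
    A lone /news.php from a real browser does not count."""
    return [r for r in rows
            if r["uri"] in DEFAULT_PROFILE_URIS and r["ua"] == DEFAULT_PROFILE_UA]


def find_beacons(rows, min_requests=5, max_jitter=0.2):
    """(client, server, mean interval) for pairs whose request gaps are near-constant.
    Jitter is the population standard deviation of the gaps divided by their mean."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client"], r["server"])].append(r["time"])
    beacons = []
    for (client, server), times in by_pair.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, server, round(avg, 1)))
    return beacons
```

The human browsing session from 10.0.0.7 touches /news.php too, but with a different User-Agent and irregular timing, so neither check fires on it; the agent on 10.0.0.5 is caught by both, and the timing check alone would still catch it if the operator had only changed the URIs and User-Agent.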
- HTran - Command and Control Obfuscators:
HTran has been available since 2009. It is designed to obscure and complicate the communication between the attacker and the victim's network. Attackers use it to redirect network traffic to different hosts and ports, and it can be chained so that the attacker's packets are routed through other compromised networks before they reach their destination.
HTran can run in several modes: server mode listens on a local port and forwards the traffic it receives; proxy mode also listens on a local port and forwards the data on; and client mode connects out to an IP address and forwards the data.
Network segmentation and network firewalls can help to block HTran traffic or limit its effectiveness.
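As an added example (it is not from the page or the report): a Python heuristic for spotting a host that is relaying connections the way HTran does. A relay accepts a connection and immediately opens another one onward, and the byte counts in each direction of the two flows are nearly identical. The check pairs each inbound flow to a host with an outbound flow from that host that starts within a couple of seconds and carries almost the same bytes forward and back. The flow records are constructed; the 2-second delay and 5% byte tolerance are assumptions, and the heuristic will also match legitimate proxies, so the output is a lead for the analyst rather than a verdict.

```python
from datetime import datetime

# Constructed flow records (not a real capture). fwd_bytes is the byte count
# from src to dst, rev_bytes the count from dst back to src.
FLOWS = [
    {"start": "2018-03-01T02:10:00", "src": "198.51.100.9", "dst": "10.0.0.20",
     "dport": 8080, "fwd_bytes": 4120, "rev_bytes": 15780},   # external -> relay
    {"start": "2018-03-01T02:10:00", "src": "10.0.0.20", "dst": "10.0.0.50",
     "dport": 3389, "fwd_bytes": 4120, "rev_bytes": 15780},   # relay -> internal RDP
    {"start": "2018-03-01T02:11:30", "src": "10.0.0.31", "dst": "10.0.0.20",
     "dport": 445, "fwd_bytes": 900, "rev_bytes": 2200},      # ordinary file share
    {"start": "2018-03-01T02:15:00", "src": "10.0.0.20", "dst": "10.0.0.60",
     "dport": 80, "fwd_bytes": 300, "rev_bytes": 7000},       # unrelated web request
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def _close(a, b, tol):
    """True when a and b differ by no more than tol of the larger value."""
    return abs(a - b) <= tol * max(a, b, 1)


def find_relays(flows, max_delay_s=2.0, byte_tolerance=0.05):
    """Pair inbound flows with a matching outbound flow from the same host.

    Returns (relay_host, upstream_src, downstream_dst, downstream_port) for each
    inbound/outbound pair that starts within max_delay_s and whose forward and
    reverse byte counts agree within byte_tolerance.
    """
    findings = []
    for inbound in flows:
        for outbound in flows:
            if outbound is inbound or outbound["src"] != inbound["dst"]:
                continue
            delay = (_t(outbound["start"]) - _t(inbound["start"])).total_seconds()
            if not 0 <= delay <= max_delay_s:
                continue
            if (_close(inbound["fwd_bytes"], outbound["fwd_bytes"], byte_tolerance)
                    and _close(inbound["rev_bytes"], outbound["rev_bytes"], byte_tolerance)):
                findings.append((inbound["dst"], inbound["src"],
                                 outbound["dst"], outbound["dport"]))
    return findings
```

Here 10.0.0.20 is reported as a relay from 198.51.100.9 to RDP on 10.0.0.50, while its later, unrelated web request is not paired with the file-share connection because the timing and byte counts do not line up. That an external address reaches an internal RDP port at all is also the kind of path that segmentation and firewall rules are meant to close.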
A cyber attacker can have many motives for targeting a victim's device or system. Whatever the aim, it is security vulnerabilities that give the perpetrator initial access to the system.
It is essential for organizations to strengthen the security backbone of their networks, and to adopt the recommendations above, which prevent or reduce the effectiveness of a wide range of cyber-attacks.