{"id":15140,"date":"2016-05-03T13:49:12","date_gmt":"2016-05-03T13:49:12","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5522"},"modified":"2020-02-26T11:09:07","modified_gmt":"2020-02-26T16:09:07","slug":"testing-the-mettle","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/testing-the-mettle\/15140\/","title":{"rendered":"Testing the mettle: legit tools for illicit cyberespionage"},"content":{"rendered":"<p><a href=\"https:\/\/securelist.com\/blog\/software\/74503\/freezer-paper-around-free-meat\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a> has released a thoughtful \u2013 and somewhat pessimistic \u2013 report on cybercriminals using an open source security testing tool for browsers for malicious purposes. The Browser Exploitation Framework, better known as BeEF, a free and open-source pentest tool, has been used extensively in a number of attacks, including quite a few high-profile ones.<\/p>\n<p><strong>New trend: hackers go\u00a0low-tech<\/strong><\/p>\n<p>According to Kaspersky Lab\u2019s researchers, this is a new trend in the cyberunderground. Instead of writing their own malicious tools, criminals are increasingly <a href=\"https:\/\/business.kaspersky.com\/high-tech-crimes-not-too-high-after-all\/2393\/\" target=\"_blank\" rel=\"noopener nofollow\">using off-the-shelf malware<\/a>\u00a0and, more and more often, totally legitimate software.<\/p>\n<p>BeEF itself is absolutely \u201cclean,\u201d developed with a clear and useful purpose. Here\u2019s an excerpt from the official description:<\/p>\n<p><em>\u201cIt is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. 
Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.\u201d<\/em><\/p>\n<p>A penetration test and a malicious attack differ only in their outcome and in whether the hackers are ethical or not.\u00a0Technically, they are the same (or almost the same) thing. Malicious hackers are pentesters, of sorts. But an attacked business isn\u2019t going to pay for such \u201cservices\u201d voluntarily.<\/p>\n<p><strong>Not the first time<\/strong><\/p>\n<p>BeEF isn\u2019t the first legit tool to be used maliciously; far from it.<\/p>\n<p>Kaspersky Lab experts have earlier observed APT actors \u2013 the <a href=\"https:\/\/securelist.com\/blog\/research\/73638\/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks\/\" target=\"_blank\" rel=\"noopener\">Metel group and GCMan<\/a> \u2013 using legitimate security and pentesting tools. 
The latter use only legitimate tools in their activities \u2013 <a href=\"http:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/\" target=\"_blank\" rel=\"noopener nofollow\">PuTTY<\/a>, VNC (check out: <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/vnc-authentication\/\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.offensive-security.com\/metasploit-unleashed\/vnc-authentication\/<\/a>) and <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/about-meterpreter\/\" target=\"_blank\" rel=\"noopener nofollow\">Meterpreter<\/a> utilities.<\/p>\n<p>Securelist also mentions the APTs <a href=\"https:\/\/securelist.com\/blog\/research\/65240\/energetic-bear-more-like-a-crouching-yeti\/\" target=\"_blank\" rel=\"noopener\">Crouching Yeti<\/a> and\u00a0<a href=\"https:\/\/securelist.com\/blog\/incidents\/35520\/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8\/\" target=\"_blank\" rel=\"noopener\">TeamSpy<\/a>, which used both open source offensive toolkits and legitimate software to conduct their attacks.<\/p>\n<p>Not to put too fine a point on it, there is also Rapid7\u2019s well-known Metasploit product: officially legitimate, it ships with about 900 working exploits, so even script kiddies may be able to hit an underprotected network hard.<\/p>\n<p>Going back to BeEF, Kaspersky Lab\u2019s experts say they are seeing more and more hacking groups using this tool as \u201can attractive and effective alternative\u201d to malware tools.<\/p>\n<p>\u201cThis fact should be taken into account by corporate security departments in order to protect the organization from this new threat vector,\u201d says Kurt Baumgartner, principal security researcher at Kaspersky Lab.<\/p>\n<p><strong>Counteraction (don\u2019t expect a downhill battle)<\/strong><\/p>\n<p>Kaspersky Lab\u2019s GReAT team says effective prevention of attacks involving BeEF requires a mix of technologies, since there are a number of techniques 
used by the attackers. Unless turning off JavaScript is an option (and in most cases, it isn\u2019t), a combination of network- and host-based detection is required to fully handle more serious incidents.<\/p>\n<p>There\u2019s a Chrome browser plugin that detects the BeEF cookie, but serious players easily evade it.<\/p>\n<p>Preventing social engineering sessions for credential theft and Metasploit exploit integration makes immediate sense and can be implemented at the network level and, more effectively, at the host level, GReAT says.<\/p>\n<p>However, battling a really determined attacker using tools like BeEF would be a difficult task, GReAT adds.<\/p>\n<p>There are no \u201csilver bullets\u201d against attacks like these, but a multi-layer approach to security is a necessity and good practice today, as it always has been.<\/p>\n<p>And since targeted attacks have been on the rise over the last few years, Kaspersky Lab has developed specialized solutions to battle them. <a href=\"https:\/\/www.kaspersky.com\/au\/enterprise-security\/anti-apt\" target=\"_blank\" rel=\"noopener nofollow\">Anti-APT<\/a> is one of them. 
Also check out Securelist\u2019s paper <a href=\"https:\/\/encyclopedia.kaspersky.com\/knowledge\/strategies-for-mitigating-advanced-persistent-threats-apts\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">\u201cStrategies for Mitigating Advanced Persistent Threats (APTs)\u201d<\/a> to learn more about targeted attacks and mitigating them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Instead of writing their own malicious tools, criminals are increasingly using the off-the-shelf malware, and more and more often &#8211; totally legitimate software.<\/p>\n","protected":false},"author":209,"featured_media":15323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2414,2301,2415,2416,2417,97,81],"class_list":{"0":"post-15140","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-beef","11":"tag-enterprise","12":"tag-metasploit","13":"tag-penetration-test","14":"tag-pentest","15":"tag-security-2","16":"tag-targeted-attacks"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/testing-the-mettle\/15140\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/testing-the-mettle\/15041\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/testing-the-mettle\/15140\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/testing-the-mettle\/15140\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp
\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15140"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15140\/revisions"}],"predecessor-version":[{"id":33685,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15140\/revisions\/33685"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15323"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}