In a rapidly evolving cyber landscape, the basic layer of protection hinges on recognizing malicious tools and behaviors before they can wreak havoc. Security vendors constantly research and map malware types and families, attribute them to specific threat actors and campaigns, and identify the associated tactics, techniques, and procedures (TTPs) that inform robust security cycles and policies.
However, as detailed in Check Point Research's 2023 Cybersecurity Trends report, threat actors are refining their attack techniques to bypass sophisticated cybersecurity solutions. The growing trend is a shift away from custom malware toward tools that carry no malware signature: built-in operating system capabilities and software already installed on target systems. Threat actors are increasingly leveraging popular IT management tools, which are less likely to raise suspicion when detected, as well as commercial off-the-shelf penetration testing and Red Team tools.
While weaponizing legitimate tools is not a new phenomenon, its adoption has broadened significantly. Once a rare tactic employed exclusively by sophisticated actors, it has now become a widespread technique used by threat actors across the spectrum. This trend underscores the need for organizations to remain vigilant and adapt their security strategies to tackle emerging threats effectively.
Living Off the Land Attacks: Stealthy Exploitation of System Utilities
Living Off the Land (LOTL) or LOLBin attacks have been present for several years, abusing legitimate utilities already available on targeted systems. Attackers use these utilities to download and execute malicious files, conduct lateral movement, and run general commands. On Windows, the utilities involved typically include the command shell, Windows Management Instrumentation (WMI), and native scripting hosts such as PowerShell, mshta, wscript, and cscript.
This technique enables attackers to stay under the radar, as legitimate software and native OS binaries are less likely to raise suspicion and are typically whitelisted by default. Furthermore, attackers often use these utilities for fileless attacks, leaving fewer traces because no malicious artifacts are written to disk. This stealthy approach not only makes incident response and remediation more complex but also highlights the importance of adapting security strategies to counter emerging threats effectively.
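Because LOLBin abuse leaves no malicious file to scan for, detection has to come from process telemetry rather than signatures. The following added example (not code from the article or from Check Point Research) shows one such detection pass over process-creation records. It assumes a simplified, constructed `key=value|key=value` record format with the `Image`, `ParentImage`, `CommandLine` and `ProcessId` fields that Sysmon Event ID 1 also carries; the LOLBin set, the list of "suspicious parent" applications and the sample log lines are all constructed for the example, and the encoded PowerShell payload is a placeholder, not a real command.

```python
"""Flag Living Off the Land (LOLBin) launches in Windows process-creation telemetry.

Added illustration, not part of the original article. The record format,
the binary lists and the sample log are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Native Windows binaries the article names as common LOTL utilities.
LOLBINS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "wmic.exe"}

# Parent processes from which a scripting host is rarely legitimate (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# A remote URL on the command line suggests a download-and-execute pattern.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...);
# the lookahead keeps -ExecutionPolicy from matching.
ENCODED_RE = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict):
    """Return a Finding when a LOLBin launch shows a suspicious trait, else None."""
    image = basename(event.get("Image", ""))
    if image not in LOLBINS:
        return None
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if URL_RE.search(cmdline):
        reasons.append("command line references a remote URL")
    if image == "powershell.exe" and ENCODED_RE.search(cmdline):
        reasons.append("encoded PowerShell command")
    if not reasons:
        return None
    return Finding(int(event.get("ProcessId", "0")), image, reasons)


def scan(lines):
    """Run analyze() over every non-empty record and collect the findings."""
    return [f for f in (analyze(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry: two suspicious launches among routine activity.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=powershell.exe -NoProfile -EncodedCommand PLACEHOLDER_BASE64|ProcessId=4120",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe http://example.invalid/update.hta|ProcessId=4133",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir|ProcessId=4150",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1|ProcessId=4170",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt|ProcessId=4188",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"PID {finding.pid} {finding.image}: {'; '.join(finding.reasons)}")
```

Running the script reports PIDs 4120 and 4133 and stays silent on the routine `cmd.exe`, scheduled PowerShell and Notepad launches. The point of the design is that the verdict rests on context (parent process, remote URL, encoded arguments) rather than on the binary itself, since every image in the list is a legitimate, signed Windows component that an allow-list would pass. To apply the same logic to real telemetry, feed it the equivalent fields from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.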
Offensive Frameworks: Exploiting Penetration Testing Tools
A robust security program requires constant testing to identify vulnerabilities and weaknesses within networks and deployed systems. Organizations often depend on Red Team professionals to mimic cyberattacks, employing multiple tools to assess the environment’s resilience. However, many of these tools, either free or available for purchase in criminal circles, are also used by threat actors.
Cobalt Strike, the penetration testing tool most widely used by threat actors, has been especially prone to abuse since its source code leaked in 2020. Another legitimate offensive framework, Brute Ratel, requires customers to pass a vetting process before obtaining a license, to ensure the software is not used maliciously. However, as cybersecurity solutions increasingly focus on Cobalt Strike detections, some threat actors quietly switched to Brute Ratel for their 2022 attacks, even creating fake US companies to bypass the licensing verification.
A Palo Alto Networks report on Brute Ratel identified techniques associated with APT29, suggesting adoption by APT-level actors. Researchers also discovered the BlackCat ransomware gang’s use of the tool since at least March 2022, indicating that threat actors have managed to circumvent the developer’s verification procedure. This trend highlights the need for continuous adaptation of security strategies to effectively tackle emerging threats.
Emerging Offensive Frameworks
In 2022, the emerging offensive framework Manjusaka, a Chinese counterpart of Cobalt Strike, was detected and is freely available on GitHub. This tool was observed in campaigns targeting the Haixi Mongolian and Tibetan Autonomous Prefecture region in China. Additionally, the Sliver framework gained popularity throughout the year, being used in multiple campaigns.
Check Point Research discovered a two-year-long campaign targeting financial organizations in French-speaking regions of Africa earlier this year. Attackers deployed several tools, including Metasploit and PoshC2, another offensive framework available on GitHub. DWservice, a legitimate remote access service with a free plan, was also found in this campaign. These easy-to-use tools are adopted by actors with varying levels of technical expertise, and their use is expected to increase at different stages of offensive operations. This highlights the importance of staying vigilant and adapting security strategies to counter emerging threats effectively.