To help network defenders around the world, Canada and the other members of the Five Eyes intelligence partnership have issued a report detailing five publicly available tools used by threat actors, including advice on how to limit their effectiveness and detect their use.
“Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques,” says the report, available on the home pages of each country’s cyber centre (see below). “Even the most sophisticated groups use common, publicly-available tools to achieve their objectives.”
The tools detailed fall into five categories: remote access trojans (RATs), with the JBiFrost tool highlighted; web shells, with the China Chopper tool highlighted; credential stealers, with Mimikatz highlighted; lateral movement frameworks, focusing on PowerShell Empire; and command and control (C2) obfuscators, with HUC Packet Transmitter highlighted.
The report outlines the threat posed by each tool, where and when it has been deployed and ways to aid detection and limit the effectiveness of each tool.
So, for example, the section on the JBiFrost remote access trojan — used to remotely take over a computer, install malware and exfiltrate data — lists these indicators of compromise:
- Inability to restart the computer in safe mode;
- Inability to open the Windows registry editor or task manager;
- Significant increase in disk activity and/or network traffic;
- Connection attempts to known malicious IP addresses; and
- Creation of new files and directories with obfuscated or random names.
Defences include patching systems, keeping anti-virus software up to date and enforcing strict application whitelisting.
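As an added illustration (not part of the report or this article), the following PowerShell triage script checks a Windows host for two of the symptoms in the JBiFrost list that leave a concrete trace, the policy values that block the registry editor and Task Manager and the SafeBoot keys that safe-mode startup depends on, and compares established TCP connections against a watchlist. The watchlist addresses are constructed placeholders, and the registry locations are standard Windows keys, not values taken from the report.

```powershell
# Added triage check, not from the report: looks for host-level symptoms named
# in the JBiFrost IoC list (blocked regedit/taskmgr, missing SafeBoot keys) and
# for established connections to a constructed placeholder watchlist.
# Run in an elevated PowerShell 5.1+ session on the host being examined.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values that disable the registry editor / Task Manager for the
#    current user. A non-zero value here is unusual outside managed kiosks.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -ne 0) {
        $findings.Add("$name is set to $value under $policyKey")
    }
}

# 2. Safe-mode boot configuration. Windows cannot start in safe mode without
#    these keys, so their absence matches the "cannot restart in safe mode" IoC.
foreach ($mode in 'Minimal', 'Network') {
    $safeBoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $safeBoot)) {
        $findings.Add("SafeBoot\$mode key is missing")
    }
}

# 3. Established TCP connections to watchlisted addresses. The list below is a
#    constructed placeholder (TEST-NET-3 range); substitute your own feed.
$watchlist = @('203.0.113.10', '203.0.113.22')
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $watchlist -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("PID $($_.OwningProcess) ($proc) connected to $($_.RemoteAddress):$($_.RemotePort)")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No JBiFrost-style indicators found on this host.'
} else {
    Write-Output 'Indicators to investigate:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any of these checks is a prompt to investigate, not proof of infection; compare against a known-good baseline image before acting.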
This is not an exhaustive list of attacker tools, the report cautions.
The report also helpfully includes a list of 22 general cyber security mitigations, many of which are well known (for example, set a strong password policy and use multifactor authentication, and treat people as your first line of defence). There is also a link to a page of things management and boards should know and ask. This list could be valuable to small and medium-sized businesses with small IT departments, because each mitigation includes links to other resources.
Note that many of these resources are specific to each country's website. So, for example, many of the links on the Canadian Centre for Cyber Security's page go to the government's cyber.gc.ca site for more advice on carrying out these mitigations, while links for more information on the U.S. CERT page go to pages on that site or on Britain's National Cyber Security Centre site. IT pros may want to look at all five sites to see whether they carry information more helpful than the Canadian site alone.
The report was prepared by the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the U.K. National Cyber Security Centre (UK NCSC) and the U.S. National Cybersecurity and Communications Integration Center (NCCIC).