This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and the USA [1].
In it we highlight the use of five publicly-available tools, which have been used for malicious purposes in recent cyber incidents around the world.
To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.
Nature of the tools
The individual tools we cover in this report are limited examples of the types used by malicious actors. You should not consider it an exhaustive list when planning your network defence.
Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states, or criminals on the Dark Web. Today, hacking tools with a variety of functions are widely and freely available, for use by everyone from skilled penetration testers, hostile state actors and organised criminals, through to amateur hackers.
These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence. Their widespread availability presents a challenge for network defence and actor attribution.
Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives.
Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Exploiting unpatched software vulnerabilities and abusing poorly configured systems are two common ways for an actor to gain access. The tools detailed here come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.
The tools detailed fall into five categories: Remote Access Trojans (RATs), Web Shells, Credential Stealers, Lateral Movement Frameworks, and Command and Control (C2) Obfuscators.
The report provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by hostile actors. Measures to aid detection and limit the effectiveness of each tool are also described.
The report concludes with general advice for improving network defence practices.