Skip to main content

Cybercriminals are turning security tools into a means of attack

Malware Magnifying Glass
(Image credit: Andriano.cz / Shutterstock)

In a strange turn of events, popular penetration testing tools were found as being most commonly used by attackers. Cybersecurity researchers at Recorded Future's Insikt Group found Cobalt Strike and Metasploit as the most popular option for hosting malware command and control (C&C) servers.

The researchers collected more than 10,000 unique C&C servers across at least 80 malware families through 2020. 

“The most commonly observed families were dominated by open source or commercially available tooling,” the researchers wrote.

Wrong side of the fence

Penetration testing tools, also known as offensive security tools, and red teaming tools, have also found their way in the attackers' toolkits in recent years, the report found.

While Cobalt Strike accounted for 1,441 of the C&C servers, Metasploit followed close behind with 1,122. Together, the two were found in 25% of the total C&C servers. Furthermore, the group also noticed the adoption of lesser-known open source tools such as Octopus C2, Mythic, and Covenant. 

Outlining the reasons for their popularity, the researchers note that these tools have graphical user interfaces, and are thoroughly documented, which makes them easier to use, even by relatively inexperienced attackers.

That said, several of the groups who abused these tools were state-sponsored bad actors, according to the researchers, and were engaged in espionage operations. 

“Over the next year, Recorded Future expects further adoption of open source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver, and Mythic,” write the researchers. 

The researcher’s report also contains several other interesting findings. For instance, the top four hosting providers with the most number of C&C servers in their infrastructure, namely Amazon, Digital Ocean, Choopa, and Zenlayer, were all based in the U.S.

Via: ZDNet