Cybercriminals are turning security tools into a means of attack

News
By published

Many open source security tools are being hijacked, experts warn

Malware Magnifying Glass
(Image credit: Andriano.cz / Shutterstock)

In a strange turn of events, popular penetration testing tools were found as being most commonly used by attackers. Cybersecurity researchers at Recorded Future's Insikt Group found Cobalt Strike and Metasploit as the most popular option for hosting malware command and control (C&C) servers.

The researchers collected more than 10,000 unique C&C servers across at least 80 malware families through 2020. 

“The most commonly observed families were dominated by open source or commercially available tooling,” the researchers wrote.

Wrong side of the fence

Penetration testing tools, also known as offensive security tools, and red teaming tools, have also found their way in the attackers' toolkits in recent years, the report found.

While Cobalt Strike accounted for 1,441 of the C&C servers, Metasploit followed close behind with 1,122. Together, the two were found in 25% of the total C&C servers. Furthermore, the group also noticed the adoption of lesser-known open source tools such as Octopus C2, Mythic, and Covenant. 

Outlining the reasons for their popularity, the researchers note that these tools have graphical user interfaces, and are thoroughly documented, which makes them easier to use, even by relatively inexperienced attackers.

That said, several of the groups who abused these tools were state-sponsored bad actors, according to the researchers, and were engaged in espionage operations. 

“Over the next year, Recorded Future expects further adoption of open source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver, and Mythic,” write the researchers. 

The researcher’s report also contains several other interesting findings. For instance, the top four hosting providers with the most number of C&C servers in their infrastructure, namely Amazon, Digital Ocean, Choopa, and Zenlayer, were all based in the U.S.

Via: ZDNet

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Passwordless authentication continues to grow, with biometrics helping push adoption
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Stress
Complexity of IT systems could be increasing security risks for businesses
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
CEOs think they might lose their jobs if they can't deliver on AI
Tony Hawk's Pro Skater 3+4
From Ace of Spades to Them Bones, Tony Hawk's Pro Skater 3+4's soundtrack is already looking excellent
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD describes its recent RDNA 4 GPU launch as 'unprecedented' and promises restocking the Radeon RX 9070 XT as 'priority number one'
The Google Gemini logo against a black background.
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's upcoming Flash 2.0 built-in image upgrade
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
More about security
An American flag flying outside the US Capitol building against a blue sky

The FCC is creating a security council to bolster US defenses against cyberattacks
Ransomware

Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Hands typing on a keyboard surrounded by security icons

The psychology of scams: how cybercriminals are exploiting the human brain
See more latest
Most Popular
Mark and Devon sitting in a car in Severance season 2 episode 9
Severance season 2 episode 9 recap: 7 new theories I have about 'The After Hours', and answers about Mr Bailiff, devour feculence, Svalbard, and more
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD describes its recent RDNA 4 GPU launch as 'unprecedented' and promises restocking the Radeon RX 9070 XT as 'priority number one'
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Mercedes-Benz CLA 2025
I’ve tried the new Mercedes-Benz Superscreen – and its Google Gemini-powered smarts push EV infotainment to the next level
Stress
Complexity of IT systems could be increasing security risks for businesses
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
CEOs think they might lose their jobs if they can't deliver on AI
Tony Hawk's Pro Skater 3+4
From Ace of Spades to Them Bones, Tony Hawk's Pro Skater 3+4's soundtrack is already looking excellent
The Google Gemini logo against a black background.
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's upcoming Flash 2.0 built-in image upgrade
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Dell Pro 75 Plus monitor pictured against a white background.
Dell just launched a $4,000 75-inch 4K touchscreen display - but I've found one rival that's 50% cheaper