Stay in touch

Enter your email and get the latest news and researches on cybersecurity, receive invitations to private security events and conferences.

Hacked for free - the new status quo?

Tuesday, May 9, 2017 By

Breakdown of new attack group shows it mainly uses free online tools in attacks, rather than bespoke malware


One of the great truisms of IT security is that fearing the bogeyman, the skilled hacker, the state-backed actor with endless resources and inconceivable talent is actually a hiding to nothing. Sure, these groups and individuals exist, and of course their skills and abilities are extensive, but 99.9 per cent of the time it’ll be the shared password with LinkedIn, the poorly-coded finance application or the lost laptop that will really cause your business security headache.

Hacked for free - the new status quo?

A new whitepaper by Bitdefender focussing on a recently discovered attack group summarises these fears, as the group is successfully attacking targets in droves, but mainly by using free, commonly available tools rather than expensive, bespoke zero-days - hiding in plain sight, as the saying goes.

Bitdefender has dubbed the malware the group uses “Netrepser”, and has identified hundreds of attacks by the group, mainly targeting classified government networks, over at least 12 months. “From its discovery in May 2016 until now, the group behind it has compromised about 500 computers and exfiltrated an unknown number of documents, login credentials or other pieces of intelligence”, states the report.

The main piece of malware identified by the researchers is equipped with an array of methods to steal information, ranging from keylogging to password and cookie theft. It is built around a legitimate, yet controversial recovery toolkit provided by Nirsoft, which will be recognised by many security appliances, but not flagged as malware because it has legitimate uses. The legitimate applications built by Nirsoft can be used to recover cached passwords or monitor network traffic via powerful command-line interfaces, but can also be instructed to run completely covertly. The hackers have harnessed this covert ability, and added in a range of free tools and utilities to carry various jobs, such as popular compression tool WinRAR to compress data for exfiltration, for example. “Netrepser is more than a commercial-grade tool”, summarised the researchers, and with not a zero-day in sight.

Ilia Kolochenko, CEO of High-Tech Bridge, said: “The fact is that expensive zero-day exploits are rarely required to compromise a business network these days. To begin with, more than 76 per cent of users reuse or share passwords for a start. Speaking about web applications, we can even say that attackers almost never need a zero-day, as many companies host in-house web applications riddled with high or critical vulnerabilities, which an experienced attacker can detect and exploit within a few hours. The breach of 156,959 TalkTalk’s customers via a simple SQL injection is a good example when zero-day is not really needed to get to the crown jewels.

Last, but not least, many buyers and sellers of cybercrime services just cannot afford to pay for a good zero-day. All these factors move zero-days to the modest last place among detected and reported attack vectors.

On the downside, the Netrepser malware and the group behind it not only demonstrate that spending big on zero-days or bespoke malware isn’t necessary, but also highlights how easily legitimate tools within an organisation can be hijacked by malicious actors. Of course, using open source or free tools also means that attributing an attack is made much more difficult too, making this strategy particularly attractive for politically sensitive attackers, as well as making them impossible to ‘detect’. There’s a list of IOC’s at the end of Bitdefender’s whitepaper, for what it’s worth.

It seems unlikely that this trend is going to go away, at least for high-value targets. Maybe banning WinRAR from your network is the answer...


Mark Mayne Mark Mayne has covered the security industry for more than 10 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.

User Comments
Add Comment