Earlier this year, security researchers reported the use of legitimate security tools in multiple attacks against Ukrainian organizations, including government agencies, non-profits, and tech companies.
According to a Microsoft report, the legitimate security tools used included Impacket, a penetration testing tool.
The same tool showed up earlier this month, in an attack by Russian state-sponsored group Sandworm, which tried to take down a large Ukrainian energy provider, according to the Computer Emergency Response Team of Ukraine.
Now that same security tool has been identified as the number one global threat among customers of Red Canary, a managed detection and response company.
Security tools for good and evil
Impacket is what Red Canary calls a “dual use” tool. Businesses use these tools for both IT administration and testing, said Lauren Podber, the company’s principal intelligence analyst.
Impacket can be deployed for penetration testing of network protocols and services. But it can also be used to execute malicious code, enable lateral movement, and steal sensitive information.
Other dual-use tools that have been showing up frequently in attacks are BloodHound and Cobalt Strike, she told Data Center Knowledge.
BloodHound is an open source tool that can be used by security professionals to identify attack paths and relationships in an Active Directory environment.
Cobalt Strike is a commercial adversary simulation tool and is the go-to platform for many government agencies, large enterprises, and consulting organizations.
These dual-use tools are popular with attackers, she said.
“They provide adversaries with pre-built functionalities that allow them to conduct reconnaissance, move laterally in an environment, and steal credentials or other data,” Podber said.
It’s not just the Russians using them. Since these tools are widely available, they can be used by a wide variety of attackers, making it difficult to figure out who’s behind a particular incident.
“To complicate matters further, organizations often use these same tools and their capabilities for IT administration and penetration testing,” Podber said. “In some cases, the authorized use of a tool like Cobalt Strike, BloodHound, or Impacket, may be virtually indistinguishable from an adversary’s use of these tools.”
This means that security teams have to spend time and effort figuring out whether these tools are being used legitimately or not, she added. “We’d recommend that any organization have a clear understanding of authorized use of these tools in their environments and treat unconfirmed testing as malicious.”
For example, if a data center’s security teams normally use scanning tools like Impacket, having the tool show up might not in and of itself be suspicious.
But if the tools are applied by a user who doesn’t normally have any reason to touch them, or in a way that doesn’t match how they have been used in the past, then maybe there’s unauthorized activity going on.
“Similarly, the use of Impacket with other behaviors, for example an unusual scheduled task, can also signal that the activity may not be legitimate,” Podber said.
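As an added illustration of the triage Podber describes (this is my example, not Red Canary's detection logic), the script below reads constructed process-telemetry lines, flags dual-use tool executions by accounts outside an assumed authorized list, and flags executions that coincide with a scheduled-task creation on the same host. The event format, host names, account names and the authorized list are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs):
# timestamp host user event detail
SAMPLE_EVENTS = """\
2022-10-03T09:00:00 dc-srv01 svc_pentest tool_exec impacket
2022-10-03T09:05:00 dc-srv02 jdoe tool_exec impacket
2022-10-03T11:00:00 dc-srv03 svc_pentest tool_exec bloodhound
2022-10-03T11:02:00 dc-srv03 SYSTEM schtask_create UpdateCheck
2022-10-03T14:00:00 dc-srv04 admin1 tool_exec cobaltstrike
"""

# Assumed baseline: which accounts are authorized to run each tool.
# In practice this comes from the organization's own records.
AUTHORIZED = {
    "impacket": {"svc_pentest"},
    "bloodhound": {"svc_pentest"},
    "cobaltstrike": {"redteam_ops"},
}

# A scheduled task created this close to a tool run on the same host is
# treated as a suspicious combination, as in the article.
TASK_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the constructed space-separated telemetry into dicts."""
    events = []
    for line in text.splitlines():
        ts, host, user, event, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "event": event, "detail": detail})
    return events


def triage(events):
    """Return (host, tool, reason) alerts; unconfirmed use is treated as malicious."""
    alerts = []
    tasks = [e for e in events if e["event"] == "schtask_create"]
    for e in events:
        if e["event"] != "tool_exec":
            continue
        tool = e["detail"]
        # Rule 1: tool run by an account not on the authorized list.
        if e["user"] not in AUTHORIZED.get(tool, set()):
            alerts.append((e["host"], tool, "unauthorized user " + e["user"]))
        # Rule 2: tool run on a host where a scheduled task appeared nearby in time.
        for t in tasks:
            if t["host"] == e["host"] and abs(t["ts"] - e["ts"]) <= TASK_WINDOW:
                alerts.append((e["host"], tool,
                               "scheduled task '%s' within %d min" % (t["detail"], TASK_WINDOW.seconds // 60)))
    return alerts


if __name__ == "__main__":
    for host, tool, reason in triage(parse_events(SAMPLE_EVENTS)):
        print(host, tool, reason)
```

Running it over the sample produces three alerts: the Impacket run by jdoe, the BloodHound run on dc-srv03 next to a new scheduled task, and the Cobalt Strike run by admin1; the authorized Impacket run on dc-srv01 is left alone.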
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, likens unmonitored use of dual-use tools like Impacket to leaving the keys in a parked car.
“It allows anyone that stumbles upon them to utilize them,” he told Data Center Knowledge.
“The reason why weaponization of common or useful tools is so dangerous is that IT and security staff allow them to run in their environment as part of the normal processes,” he added. The tools themselves are common and not malicious as such.
“But in the hands of cybercriminals, they can be devastating in an organization’s environment,” he said.
It’s a major threat to cybersecurity if these tools are used without proper controls.
“Best practice is to restrict the use of these tools unless actively being used and monitored by an authorized member of IT or security staff,” Everette said. “Monitoring their use, restricting the use of these applications, and not allowing them to run in your environment is a best practice that should be followed meticulously.”