Originally seen: Forbes.com by Itzik Kotler on August 22, 2018
We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time — today’s hack, yesterday’s technique.
Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.
This large-scale recycling program means there is an abundance of bad actors spreading an abundance of viruses, trojan horses, ransomware and other junk intended to wreak havoc and steal money and intellectual property. One recent example of recycled software getting heavy use by the hacker community is Mimikatz, a tool used to capture passwords, user credentials and other sensitive information from Windows-based operating systems.
Mimikatz was first created in 2007 and since then has been instrumental in a number of large-scale malware attacks, including the NotPetya campaign that disrupted networks and commerce during the summer of 2017, costing affected companies hundreds of millions of dollars according to the tech journal eWeek. Mimikatz was also used in the PinkKite attack that infected retail point-of-sale (POS) systems, primarily throughout Europe and North America, stealing credit card data used in consumer transactions.
There are other common tools, many of which were developed for legitimate purposes, that have been co-opted by the hacker community in many malicious hacking campaigns. Microsoft originally created PowerShell to automate administrative tasks in Windows. PowerShell is now open source, supports Linux and macOS, and is available to the entire developer community, hackers included. PowerShell has been a key component in attacks that use stolen passwords and digital credentials to give hackers access to and control of networks. PowerShell was used in the REDLeaves attack, discovered in 2016, targeting the health care and energy industries. PowerShell was also part of a state-sponsored attack targeting teams participating in the 2018 Winter Olympics.
Likewise, macros are small, code-based shortcuts developed for the Microsoft Office suite of products and are used to execute larger, more complex functions. Macros make life easier for Office users, but they have been adapted for spam attacks in which they are embedded in attachments that look like legitimate files. Once the attachment is opened and the macro runs, it downloads malware to the victim’s computer, infecting it with whatever code the adversary wants. Macros were behind the Locky ransomware attack that bedeviled hospitals in the U.S. and elsewhere in 2016 by encrypting important files that the hackers would only release upon receipt of payment in bitcoin.
While this illicit activity has contributed to the relentless assault on personal and corporate networks, it has one major flaw that chief information security officers (CISOs) can exploit to protect their networks and endpoints. Because so many hackers conduct campaigns using recycled code, mass-marketed malware and reused techniques, the number of attacks has increased. But that also makes it possible, with the right security strategy, to identify the key signatures in those campaigns and thwart such attacks before they are successful.
The NotPetya and PinkKite campaigns targeted two different kinds of systems. Both used Mimikatz because it worked well for the job it was designed to perform. There was no reason to invent, test and try a new tool for stealing the credentials essential for their hacks because Mimikatz was already available. Because both NotPetya and PinkKite used Mimikatz, defenses configured to detect its telltale signatures would have been able to detect its presence. Security teams that deployed such defenses would have been alerted to the attack and, with that knowledge, could have quickly intervened to thwart the campaign and prevent infection.
This is not revelatory. I previously wrote about an entire information/cybersecurity industry sector built on the collection, analysis and use of this information, known as threat intelligence, as a key part of a cyber-defense strategy. Knowing this, why aren’t more organizations taking advantage of this major flaw in the hackers’ use of recycled and open-source code? The information security industry may be more focused on generating fear, uncertainty and doubt than on helping companies establish the security priorities needed to bring to bear all the capabilities available to them.
Because of the adversary’s reuse of hacking tools, CISOs should make sure their systems are calibrated to not only detect the newest zero-day threats but also thwart the malware and methods that continue to wreak havoc on their networks. The information security industry is turning the corner in its fight against the global hacker community, and keeping pace with the threat means building on what we already know. After all, the key to stopping tomorrow’s hack can often be found in the lessons learned from yesterday’s attack.