CYBER CRIME

Free, easy to use, and available to anyone: The powerful malware hiding in plain sight on the open web

When people hear about a cyber attack or hacking campaign, they may picture a well-oiled machine that's taken time, skills, and resources to build.

They imagine underground forums on the dark web, where attackers can buy powerful malware and unleash it on their target of choice.

But what if having access to the funding and contacts necessary to deliver attacks with the power of state-backed campaigns wasn't required?

In some cases, tools which can be used to conduct malicious cyber operations, ranging from espionage to taking down infrastructure are freely available on the open web. Even state-backed operations have taken advantage of these free tools, as part of sophisticated cyber campaigns.

There are various sources for this code, which is commonly available on developer forums and from code repositories like GitHub. There are often messages stating that the code is for research purposes only, but that doesn't stop it being used for malicious intent.

Sometimes this source code is released intentionally; in other cases it is leaked. EternalBlue, the leaked SMB exploit, was used to power the global WannaCry ransomware outbreak just weeks after being let loose, and then went on to help spread NotPetya.

There's also a third category of tools that, while not explicitly designed to be damaging, can be abused to provide attackers with the ability to traverse infected networks, monitor systems and more.

"There are things which aren't malware in the strictest sense of the word, but post-exploitation tools, like Metasploit and Mimikatz which malware operators frequently use," says Robert Lipovsky, senior malware researcher at ESET.

No matter the origin of the open source malicious code, it provides attackers with a free and easy means of performing cybercrime. There's no need to open Tor and gain credibility in dark web forums before being able to make a purchase, the code can be freely plucked from the regular internet.

"These tools are so incredibly simple that once you download it from GitHub, you go into the configuration file and change things - it's very easily customizable," says Randi Eitzman, senior cyber threat analyst at FireEye. "They're not having to pay anyone for these services, it's already on the internet for them".

There are even forums and tutorial videos that allow attackers with even the lowest level of knowledge to attempt to grab a piece of the pie - especially when cryptocurrency mining is involved.

Using your own machine to mine for Monero or Bitcoin is perfectly legal, while using cryptojacking malware to secretly hijack other machines to generate it is a criminal activity.

However, instructions on how to set up mining tools are out there and readily available.

"There's tonnes of videos on YouTube and resources on the internet which mean anyone can search and pull up a 'how to configure your XMRig configuration file' or 'how to set up a custom pool'. It's very easy, someone who doesn't code can follow these tutorials online and do it in an afternoon," Eitzman says.

In some instances, the code behind malware was never meant to be malicious. A prominent example of this is Hidden Tear, referred to by some analysts as "open-source ransomware". Its source code was published to GitHub in 2015 for educational purposes, with the intention of allowing users and researchers to examine it and help develop protections against file-encrypting malware.

However, it wasn't long before people were taking advantage of a free ransomware kit, and Hidden Tear became an easy way for attackers with very little experience to extort money by locking files -- even school kids were getting in on the act.

"A few teenagers got arrested for using Hidden Tear to make some extra cash around school - so yeah, it's definitely easy, people in their teens are forking ransomware," says Chris Doman, security engineer at AlienVault.

The original Hidden Tear GitHub project was abandoned three years ago, but by that point attackers had already got their hands on the code and made copies of it; they even continued to improve it and make it more effective.

Even today, despite something of a decline in ransomware, cyber criminals are still tinkering with the Hidden Tear code: a new version of it called Poolezoor emerged in August, demonstrating how, once malicious code is released into the wild, it can remain a problem for years to come.

Hidden Tear is far from the only example of how criminals repurpose available exploits. The EternalBlue exploit began life as a secret NSA hacking tool before being exposed by a hacking group and published online. Just weeks later EternalBlue had been used to power the WannaCry ransomware, a huge cyber attack that took down infrastructure across the world.

WannaCry wasn't the only attack that exploited the worm-like capabilities of the exploit to spread. NotPetya followed suit and criminals increasingly turned to the openly available EternalBlue as a means of making their malware more potent. It has been used to improve trojans and is still being used to deliver cryptojacking malware.

Like the code behind Hidden Tear, EternalBlue was made available online for free - providing cyber criminals with access to powerful tools originally developed by a nation state.

"EternalBlue would probably be a million bucks to make, but now WannaCry and other hacking attacks are free - they're capable cyber weapons, which is a bit scary," says Doman.

Beyond cyber criminals taking advantage of leaked nation-state developed toolsets, nation-state hacking operations are increasingly turning to freely available tools to aid espionage and other cyber campaigns.

In late 2015 and early 2016, cyber attacks against the Ukrainian energy grid resulted in parts of the country suffering power cuts during the coldest and darkest part of the year. Dubbed Black Energy, the campaign is heavily suspected to be the work of Russian state-sponsored hackers.

The phishing campaign and custom-built malware bear the hallmarks of a highly sophisticated threat actor, but it also took advantage of tools available online.

In this case, it was a tool freely available on GitHub called GCat backdoor, which allows attackers to download executables and execute shell-commands. Attackers controlled the backdoor via a Gmail account, making the traffic difficult to detect in the network as attackers went about causing disruption.

This case demonstrates one of the key advantages of using these tools: they avoid discovery more easily than most forms of malware, because they were not released for malicious purposes in the first place and so can be abused without triggering detection by security software.

"It's able to slip under the radar of network administrators," says Lipovsky. "Remote access, remote administrator tools, they're a good example of stuff that can be legitimate or malicious depending on who is using it."

Another suspected Russian hacking operation, Turla, is also known to have used freely available software in attacks, demonstrating how potent some of the tools available via the open web can be.

"When the Russian military is using free stuff, you know how good that stuff is as they have enough money to build their own tools," says Doman.

Being free and potentially very powerful aren't the only benefits of freely available code for cyber criminals: sourcing it from GitHub offers them another big advantage -- it makes the attackers more difficult to trace.

"It makes attribution more difficult, because with tailored, custom-made malware, that can often be attributed to a group of attackers. While with code used by many operators, it's difficult to say who's using it," says Lipovsky.

This is likely to become a bigger problem in future, as attackers -- especially APT groups -- look to use these tactics to make attacks more difficult to detect and trace.

Tools like Metasploit and Mimikatz have legitimate purposes but can be used maliciously, and using the same free code as other attackers makes locating the perpetrator much more difficult.

"It's just going to become increasingly challenging to detect these tools as they're shared, edited and changed - it's a big challenge going forward," says Eitzman.

That's not to say hacking groups are going to be turning their backs on custom-built malware, but the availability of potent free tools that can be exploited for malicious purposes adds another string to the attacker's bow. "Criminals have always used what they can get their hands on," says Doman.

However, these attacks aren't a cheat that allows attackers to play the hacking game on easy mode -- those using these tools have been detected, and in some cases have faced the consequences of their actions.

And crucially, these attacks can be detected and stopped -- or even protected against outright -- if organisations have a tight grasp on what's going on in their network.

"Businesses need system administrators who know their network well, who know what's running on those machines and know the network well, and be able to identify files and behavior which shouldn't be there," says Lipovsky.

Two CERT Alerts with No Known Solution

Six days after researchers discovered and publicly disclosed a vulnerability that affects the Ghostscript suite of software, a CERT alert was issued for a vulnerability found in the Microsoft Windows Task Scheduler that allows hackers to gain elevated system privileges.

The latest Microsoft Windows task scheduler contains a local privilege escalation vulnerability. "With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users' behaviors," said Justin Jett, director of audit and compliance for Plixer.

"The PoC released by researcher, SandboxEscaper, on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information. Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don't," Jett continued.

"We'll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability."

In the second vulnerability, in Ghostscript, disclosed by the eSentire Threat Intelligence team, the -dSAFER sandbox, which is intended to validate content, can be circumvented to allow malicious content through. By sending a malformed file (PDF, PostScript, XPS or EPS), a malicious actor can carry out the attack so that when the file reaches the Ghostscript interpreter, it executes automatically and infects the host machine.

"If exploited the vulnerability could allow a remote, unauthenticated threat actor to run commands, create files and delete or extract data. The exploitation of this vulnerability has not been seen in the wild at this time, but proof of concept code has been released. It is likely that more widespread exploitation attempts will be seen in the near future," researchers wrote in a post today.

A patch has not yet been released; however, researchers wrote, "a potential short term fix for this vulnerability is to disable PS, EPS, PDF, and XPS coders. This is not recommended due to the high potential for business disruption. Due to the wide range of programs that rely on Ghostscript this vulnerability should be taken seriously and patches should be applied as soon as vendors make them available."
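To make the short-term workaround above concrete, here is an added Python check (not eSentire's, Ghostscript's or any vendor's code) that audits a policy file for the PS, EPS, PDF and XPS coders and emits a hardened copy. It assumes the "coders" in the advisory are ImageMagick delegate coders configured in an ImageMagick-style policy.xml, and it runs against a constructed sample policy.

```python
import xml.etree.ElementTree as ET

# Ghostscript-backed coders the advisory suggests disabling as a stop-gap.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample policy (assumption: ImageMagick policy.xml syntax).
# PS and EPS are already blocked, PDF is still readable, XPS is not mentioned.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>
"""

def _expand(pattern: str) -> set:
    """Expand a brace list such as {PS,EPS} into its individual coder names."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",")}
    return {pattern.upper()}

def disabled_coders(policy_xml: str) -> set:
    """Return the coder names that some policy entry sets to rights='none'."""
    disabled = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() == "none":
            disabled |= _expand(policy.get("pattern", ""))
    return disabled

def missing_mitigations(policy_xml: str, coders=GHOSTSCRIPT_CODERS) -> list:
    """Coders from the workaround list that the policy still leaves enabled."""
    disabled = disabled_coders(policy_xml)
    return [c for c in coders if c not in disabled]

def hardened_policy(policy_xml: str, coders=GHOSTSCRIPT_CODERS) -> str:
    """Return a copy of the policy with a rights='none' entry for each missing coder."""
    root = ET.fromstring(policy_xml)
    for coder in missing_mitigations(policy_xml, coders):
        ET.SubElement(root, "policy", domain="coder", rights="none", pattern=coder)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("still enabled:", missing_mitigations(SAMPLE_POLICY))
    print(hardened_policy(SAMPLE_POLICY))
```

As the advisory notes, blocking these coders breaks any workflow that converts PostScript or PDF input, so the audit output is a prompt for a decision, not an automatic deployment.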

Some of the vendors and distributions known to be affected include Artifex Software Inc., CentOS, LinkUs, Ubuntu, SUSE Linux, and Red Hat Inc. There is potential that Apple, Arch Linux, Arista Networks Inc. and ASP Linux are also affected. eSentire advised that patches should be applied as quickly as possible once they are released.

Instagram Boosts its Security With a Fave-Worthy Update

Social media platforms' struggle with safety and security is like a game of Whac-A-Mole. One day, the threat is coordinated bot activity; the next, it's SIM hijackers stealing the identities of regular users. In an effort to protect Instagram users from these and other threats, the company announced a set of features today designed to make Instagram feel "safer," including ways to protect your own account and to verify whether the accounts you follow are genuine or not.

First, all users will soon be able to use a more robust form of two-factor authentication to log into Instagram. Previously, Instagram offered two-factor authentication with a code sent via SMS, better than nothing, but insufficient to protect all Instagram users from having their accounts compromised. (Users with "valuable" handles may be more vulnerable to scams like SIM hijacking, where hackers access a person's phone number and use it to log into their accounts and steal their usernames.) Now, the platform will allow integration with third-party authenticators, like Duo Mobile and Google Authenticator, which supply two-factor codes locally and provide an additional layer of security against account hacking.

Kids With Cell Phones More At Risk Of Cyber-Bullying

The findings showed that children who owned cell phones were significantly more likely to report being a victim of cyberbullying, especially in grades 3 and 4. 

The increased risk could be tied to increased opportunity and vulnerability.

Continuous access to social media and texting increases online interactions, provides more opportunities to engage both positively and negatively with peers, and increases the chance of an impulsive response to peers' postings and messages, the researchers said.

"Parents often cite the benefits of giving their child a cell phone, but our research suggests that giving young children these devices may have unforeseen risks as well," said Elizabeth K. Englander, Professor at Bridgewater State University in Massachusetts.

For the study, the team collected survey data on 4,584 students in grades 3, 4 and 5. Across all three grades, 49.6 percent of students reported owning a cell phone. Overall, 9.5 percent of children reported being a victim of cyberbullying.

Researchers also noted that the older the student, the more likely s/he was to own a cell phone: 59.8 percent of fifth graders, 50.6 percent of fourth graders, and 39.5 percent of third graders.

The results, to be presented at the 2017 American Academy of Pediatrics National Conference and Exhibition in Chicago on Monday, are a reminder for parents to consider the risks as well as the benefits when deciding whether to provide their elementary school-aged child with a cell phone.

"At the very least, parents can engage in discussions and education with their child about the responsibilities inherent in owning a mobile device, and the general rules for communicating in the social sphere," Englander said.

© 2018 Cyber Hub,DAV PKT | All rights reserved.