FROM TOOL TO WEAPON: THE DUAL USE OF SOFTWARE BY ADVANCED PERSISTENT THREATS AND NON-STATE ACTORS
Author: Samuel Giuliano Reale
Organization: Sheffield Hallam University
Category:
Keywords: Cyber Threat Intelligence, Malware, Threat Actors, TTPs, Offensive Security, Pentesting
Abstract. The threat landscape has undergone a notable transformation in recent years, with both state-affiliated and non-state threat actors increasingly turning to the use, weaponization, and exploitation of third-party dual-use software. This shift often replaces or supplements traditional malware. Key drivers of the trend include the widespread availability of dual-use software, which inadvertently advantages threat actors when misused, and rapid advances in security tooling capable of detecting and countering traditional "custom-built" malware. The change has significant implications for cybersecurity, particularly for cyber threat intelligence, security operations centres, and red teaming. To stay ahead in this "cyber arms race," the industry must adopt a more collaborative approach: sharing resources and fostering closer partnerships across all cybersecurity disciplines. Without such unity, responding effectively and decisively to the constant global threats to networks may become increasingly difficult.