Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

[Image: The original forum post, showing the first tool on the list – Cobalt Strike]

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing a framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the descriptions of the tools inside the post, which imply the potential use of basically defensive tools as attack accessories.

Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair number of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach among some members of the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a prolific Chinese user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and as possessing various powerful plug-ins that can be used to “enrich” its functions.

[Image: Screenshot of the 1st section of the program, “the comprehensive section for fucking websites”]

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all by one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi man-in-the-middle attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake base station [FBS] attacks (where devices connected to a cellular network are made to connect to the fake station, which then gathers information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, PHP and more.

[Image: The plug-in section of the program, showing how a certain IP address is entered by the user, who is then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend]

The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan.

In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, the existence of legacy systems and slow implementation of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key Findings:

  • 34% of the attacks exploiting these vulnerabilities originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities, or in other words there is an average of ~45 new vulnerabilities per day as can be seen in the graph below. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

[Graph: NVD data – disclosed vulnerabilities per year]

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by Ponemon Institute for ServiceNow, 60% of breaches were linked to a vulnerability where a patch was available but not applied.

So, How Can We Clean Up The Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk for the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in ‘CVE Details’. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and The Middle East and against a wide range of industries, including Government Agencies, Financial Services, Defense, Energy, Media and more. This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching.

Other contextual data that should influence your patching prioritization process: which vulnerabilities are currently discussed on the Dark Web by threat actors, and which exploits are currently being developed? Threat intelligence is key when we try to determine which vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities, keyed by the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, having information about the attack groups – for example their capabilities, TTPs and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch Now

Verint’s CTI Group constantly monitors different intelligence data sources and creates daily CTI feeds, which include the latest daily cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were extracted based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | First-Last Seen (#Days) | Examples of Threat Actors |
|---|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | 713 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia) |
| 2 | CVE-2018-8174 | Microsoft Windows | 7.5 | 558 | Silent Group (Russia), Dark Hotel APT (North Korea) |
| 3 | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | 960 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) |
| 4 | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | 637 | APT37 (North Korea), Lazarus Group (North Korea) |
| 5 | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | 578 | Rocke Gang (Chinese Cybercrime) |
| 6 | CVE-2019-0708 | Microsoft Windows | 9.8 | 175 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 7 | CVE-2017-5638 | Apache Struts | 10 | 864 | Lazarus Group (North Korea) |
| 8 | CVE-2017-5715 | ARM, Intel | 5.6 | 424 | Unknown |
| 9 | CVE-2017-8759 | Microsoft .NET Framework | 7.8 | 671 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) |
| 10 | CVE-2018-20250 | RARLAB WinRAR | 7.8 | 189 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) |
| 11 | CVE-2018-7600 | Debian, Drupal | 9.8 | 557 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) |
| 12 | CVE-2018-10561 | DASAN Networks | 9.8 | 385 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 13 | CVE-2017-17215 | Huawei | 8.8 | 590 | ‘Anarchy’ (Unknown) |
| 14 | CVE-2012-0158 | Microsoft | N/A; 9.3 (according to cvedetails.com) | 2690 | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) |
| 15 | CVE-2014-8361 | D-Link, Realtek | N/A; 10 (according to cvedetails.com) | 1644 | ‘Anarchy’ (Unknown) |
| 16 | CVE-2017-8570 | Microsoft Office | 7.8 | 552 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) |
| 17 | CVE-2018-0802 | Microsoft Office | 7.8 | 574 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) |
| 18 | CVE-2017-0143 | Microsoft SMB | 8.1 | 959 | APT3 (China), Calypso (China) |
| 19 | CVE-2018-12130 | Fedora | 5.6 | 167 | Iron Tiger (China), APT3 (China), Calypso (China) |
| 20 | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | 144 | Panda (China) |
| BONUS | CVE-2019-3396 | Atlassian Confluence | 9.8 | 204 | APT41 (China), Rocke Gang (Chinese Cybercrime) |
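As an added example (not code from the original post or from Verint), the prioritization argument made above applied to five rows copied from the table: a small knowledge base of exploited CVEs keyed by the groups using them, with a contextual score that weights the NVD CVSS score by the number of attributed threat actors and by how long the CVE has been seen in the wild. The weighting formula is an assumption of this example, not a method published in the report.

```python
"""Threat-intel-informed patch prioritization over rows from the top-20 table."""
import re
from dataclasses import dataclass

# Rows copied from the table above (CVE, product, NVD CVSS, #days seen, actors).
# A cell reading 'Unknown' is treated as zero attributed groups.
TABLE_ROWS = [
    ("CVE-2017-11882", "Microsoft Office", 7.8, 713,
     "APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), "
     "Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), "
     "Cloud Atlas (Unknown), FIN7 (Russia)"),
    ("CVE-2018-4878", "Adobe Flash Player", 9.8, 637,
     "APT37 (North Korea), Lazarus Group (North Korea)"),
    ("CVE-2017-5715", "ARM, Intel", 5.6, 424, "Unknown"),
    ("CVE-2018-20250", "RARLAB WinRAR", 7.8, 189,
     "APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), "
     "MuddyWater APT (Iran)"),
    ("CVE-2019-0708", "Microsoft Windows", 9.8, 175,
     "Kelvin SecTeam (Venezuela, Colombia, Peru)"),
]

# One actor entry looks like "Name (Origin)"; origins may themselves contain commas.
ACTOR_RE = re.compile(r"([^,()]+?)\s*\(([^)]*)\)")


def parse_actors(cell):
    """Split 'APT32 (Vietnam), Cobalt Group (Spain, Ukraine)' into (name, origin) pairs."""
    if cell.strip().lower() == "unknown":
        return []
    return [(m.group(1).strip(), m.group(2).strip()) for m in ACTOR_RE.finditer(cell)]


@dataclass
class ExploitedCve:
    cve: str
    product: str
    cvss: float
    days_seen: int
    actors: list  # list of (group name, origin)


def build_knowledge_base(rows):
    return [ExploitedCve(c, p, s, d, parse_actors(a)) for c, p, s, d, a in rows]


def priority_score(entry, max_days):
    """Contextual priority: CVSS weighted by attributed groups and time in the wild.
    The weights (0.5 per group, up to 2x for longevity) are this example's assumption."""
    distinct_groups = len({name for name, _ in entry.actors})
    exploitation = 1.0 + 0.5 * distinct_groups
    longevity = 1.0 + entry.days_seen / max_days  # between 1 and 2
    return round(entry.cvss * exploitation * longevity, 1)


def prioritise(rows):
    """Return [(cve, score)] from highest to lowest contextual priority."""
    kb = build_knowledge_base(rows)
    max_days = max(e.days_seen for e in kb)
    scored = sorted(((priority_score(e, max_days), e) for e in kb), key=lambda t: -t[0])
    return [(e.cve, score) for score, e in scored]


def cvss_only_order(rows):
    """The naive ordering the text argues against: NVD base score alone."""
    return [e.cve for e in sorted(build_knowledge_base(rows), key=lambda e: -e.cvss)]


def rank_of(cve, rows):
    return [c for c, _ in prioritise(rows)].index(cve) + 1


if __name__ == "__main__":
    for cve, score in prioritise(TABLE_ROWS):
        print(f"{cve:16} contextual priority {score:5.1f}")
    print("CVSS-only order:", cvss_only_order(TABLE_ROWS))
```

On these rows the WinRAR CVE-2018-20250 (CVSS 7.8, five attributed groups) moves ahead of CVE-2019-0708 (CVSS 9.8, one group), which is the point the text makes about base scores understating real risk.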

The Ultimate Threat Actor Landscape – Highlights and Key Findings from The Cyber Threat Actor Handbook

Verint and Thales have recently released The Cyber Threat Actor Handbook – a comprehensive analysis of the most prominent threat actors operating in the world today.

This research is a knowledge-based operational tool for security analysts, to better understand the relevancy and risk posed by different threat actors operating globally. Each threat actor has a score, and all profiles are aligned with the MITRE ATT&CK framework and include:

  • A brief description of the threat actor and its aliases
  • Associated malware campaigns, attack vectors and TTPs
  • Most used exploits and CVEs
  • Motivation and objectives (Nation-State, Cybercrime, Hacktivism, Cyber-Terrorism)
  • Targeted sectors and geographical areas

Based on the handbook, Verint’s Cyber Threat Intelligence group has created The Ultimate Threat Actor Landscape report, which highlights the key findings from the Cyber Threat Actor Handbook.

In this blog post we present some of the key findings of the report, which is based on a thorough analysis of:

  • 490 Attack Campaigns
  • 66 Attack Groups
  • 525 Attack Tools
  • 173 MITRE Techniques
  • 98 CVEs

Who’s Behind The Attacks?


Inside the report we dive deep into who is behind the attacks and reveal detailed analysis of each threat actor, including the attacker’s origin, motives, attack techniques, campaigns, CVEs, tools used and more.

Where Do Threat Actors Find Us Vulnerable?


The Most Exploited CVEs

Organizations tend to procrastinate, when it comes to updating systems, even critical ones. In the report, we reveal the threat actors’ most exploited CVEs. Leveraging threat intelligence for vulnerability prioritization is key for reducing risk.


A combination of underestimating the risks and underestimating the required resources is the main contributor to the slow implementation of patches (also known as the ‘Patching Paradox’).

Threat intelligence regarding the exploitation of disclosed vulnerabilities (in 2018 alone, 16,514 vulnerabilities were disclosed) helps answer questions such as: which vulnerabilities are currently discussed and perceived as easier to exploit? Which exploits are currently developed and traded on underground sources? Which zero-day vulnerabilities are circulating in hacking communities? The answers will help prioritize patch installation and vulnerability fixes.
Look out for our upcoming report, where we list the top 20 vulnerabilities to patch before 2020.

Which Countries Are Being Targeted?

The following map indicates the most targeted countries:

[Map: most targeted countries]

Which Industries Are The Most Threatened?

The following statistics indicate the most targeted sectors, based on 66 attack groups.

[Chart: most targeted industries]

Top Used Techniques (Based On The MITRE ATT&CK Framework)

[Chart: top used MITRE ATT&CK techniques]

To Summarize…

There is a connecting line between threat intelligence about attack groups and cyber resilience, and it goes through vigorous threat actor profiling and clustering, threat hunting and accurate scoping of threats and risks.

This type of strategic and operational intelligence gives the bigger picture, looking at how threats and attack groups are changing over time. With such intelligence, you can find the answers to questions such as, who is attacking my organization, my industry, my region and why? The answers will provide clues to future operations and tactics of potential threat actors.

A single knowledge base with a contextualized analysis of all the major parameters and distinctions that define the threat actors, their motives and objectives, their targets and their modes of operation, and their technical skills, as part of an ongoing profiling process, is an essential tool for any cyber threat intelligence operation. Given the knowledge and the operational value derived from contextual analysis of threat actors’ activities and contextual-based profiling, security teams can substantially improve investigation processes and enhance the overall security resilience, with much more accurate threat hunting and risk scoping.
As security and intelligence professionals we must remember that raw data only becomes valuable once it is analyzed, to deliver targeted, context-based, actionable intelligence, according to the organization’s needs and assets, industry, location and more.

Download the Full Report Here

THE CYBERTHREAT HANDBOOK: THALES AND VERINT RELEASE THEIR “WHO’S WHO” OF CYBERATTACKERS


PARIS LA DÉFENSE–(BUSINESS WIRE)–Powered by the cutting-edge technologies and products of Thales and Verint, the two companies are pleased to present The Cyberthreat Handbook, a report of unprecedented scope designed to provide a classification and basis for further investigation of major groups of cyberattackers, including cybercriminals, cyberterrorists, hacktivist groups and state-sponsored hackers. As part of the strategic partnership to create comprehensive, state-of-the-art Cyber Threat Intelligence technologies, threat intelligence analysts from Thales and Verint have worked together to provide this unique 360° view of the cyberthreat landscape, with detailed descriptions of the activities of about sixty particularly significant groups, including their tactics and techniques, their motives and the sectors targeted, from analysis of multiple data sources such as web and threat intelligence.

Read the full Press Release here.

Download the report here.

ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF POPULAR RAT SPYNOTE AND SELLS IT IN THE DARK WEB, AS NEW

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom had created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4 on a prominent English hacking forum.

Quick research revealed that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, which led us to assess with high confidence that he is an Arabic speaker. The poor English in his posts reinforced this assessment. His activity on the prominent English hacking forum we monitor sparked our curiosity, and we decided to take a closer look.

NEW ANDROID RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio, which enables full control, with extensive capabilities over the infected device. This latest release of the malware presents new features, such as a bypass to the Facebook authentication mechanism.[1]

The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from research we conducted into mobeebom’s activity in the underground communities, and from the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.[2]

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A DEEPER DIVE INTO MOBIHOK V4

The threat actor has been promoting the malware on multiple outlets (including on a dedicated Facebook page and a YouTube channel),[3] since January 2019.

Screenshot of MobiHok sales post from an Arabic hacking forum
MobiHok’s dedicated Facebook page

Mobeebom also runs a website, on which it is possible to purchase the RAT in a variety of options, including the possibility to acquire the entire source code for US$ 15,000. According to the screenshots displayed on the website, the malware features the following capabilities:

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bound to another APK app

To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes, and is being resold by the threat actor under a different name.


THE DATA BREACH EPIDEMIC – KEY FINDINGS FROM VERINT’S COMPREHENSIVE CTI REPORT

In the past few years we have witnessed a growing number of significant data breaches.

The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.

KEY FINDINGS:

  1. 4,812,840,627 – Total Leaked Records In 2018
  2. 1,925,136,251 – Unique Records
  3. 24,224,940 – Organizations
  4. 53% of all leaked data comes from .com domains
  5. Distribution of “Combo Lists” is the key trend in the 2018 data leaks
  6. Leaked records by region:
     • APAC – 1.5B records
     • EMEA – 728M records
     • LATAM – 34M records
  7. Many “Combo Lists” published in 2018 targeted specific regions, indicating the leading interests of hacker groups

THE ANALYSIS PROCESS

In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activities on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.

In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.

Want to know more? Download the report here

SOME LEAKS ARE MORE VALUABLE THAN OTHERS

Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example the increasing distribution of “Combo Lists”, the demand for region-specific leaks, and the countries with the most government data leaked.

ANALYSIS OF EXPLOITATION METHODS

The report also shares the hackers’ perspective, reviewing the most popular ways hackers exploit leaked data. These include credential stuffing attacks, brute-force attacks, social engineering and email-based attacks. This information is valuable because it can help organizations prioritize risk and improve their resilience and readiness against these attack methods.

THE BIGGEST DATA BREACHES OF 2018

In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.

Download the Full Report Here

The Awakening of PoS Malware (or, Has It Really Been Dormant?)

The peak of Point-of-Sale (PoS) malware activity was in late 2013 (with the disclosure of the notorious Target breach) and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions in hacking communities at the time led hackers to believe PoS malware would ensure them an easy profit. However, as time passed, Continue reading “The Awakening of PoS Malware (or, Has It Really Been Dormant?)”

A New Darknet Platform Publishes a Huge Amount of Data, from Around the World

In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).

Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials, and other data, which has been leaked over the years, by a variety of actors (hacktivists, APTs, etc).

The platform was established in late 2018 and became public on Continue reading “A New Darknet Platform Publishes a Huge Amount of Data, from Around the World”

What will The Dark Overlord Do Next – a CTI Assessment

On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed he had hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits over the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom, and he has already published batches of the leak after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”

Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and in mainstream media of the existence of the Darknet and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness of this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”