Publicly Available Tools Seen in Cyber Incidents Worldwide
This collaborative report by cybersecurity authorities from Australia, Canada, New Zealand, the United Kingdom, and the United States addresses the malicious use of five widespread, publicly available cybersecurity tools. The report highlights JBiFrost, a Remote Access Trojan; China Chopper, a webshell; Mimikatz, a credential stealer; PowerShell Empire, a lateral movement framework; and HUC Packet Transmitter for C2 obfuscation. These tools, despite being publicly available, have been leveraged by various threat actors, ranging from amateur cyber criminals to state-sponsored groups, to compromise critical sectors like health, finance, government, and defense. The widespread availability of these established tools complicates network defense and threat-actor attribution, as even sophisticated threat actors frequently rely on them after initial system compromises. Initial breaches often occur by exploiting common security weaknesses like unpatched software or misconfigured systems, after which these five tools are deployed to achieve further objectives. The report aims to assist network defenders and system administrators by providing technical details on each tool, including their capabilities, typical uses, and examples of deployment in recent cyber incidents. Crucially, the document offers specific advice and general best practices for detecting the presence of these tools on a network and limiting their effectiveness. For instance, strong patching policies, application allow listing, and monitoring suspicious network patterns are emphasized as essential defenses. This guidance underscores the importance of robust network defense practices against both existing and evolving cyber threats.