Red team tool developer slams ‘irresponsible’ disclosure
UK cyber security consultancy and penetration testing specialist MDSec has defended its commercial Nighthawk framework and criticised what it described as an “irresponsible” disclosure after researchers at Proofpoint warned that the tool risks being co-opted into widespread use in the cyber criminal underground, as happened with Cobalt Strike and others, such as Sliver and Brute Ratel.
Like Cobalt Strike, Nighthawk is a legitimate command and control (C2) framework used for red team penetration testing, and is sold through commercial licensing.
It was developed in-house at Cheshire-based MDSec, which is accredited through the UK government’s CESG technical authority to offer cyber services to government bodies, and holds numerous other badges from the likes of Crest and the National Cyber Security Centre.
MDSec released Nighthawk in 2021, describing it as “the most advanced and evasive C2 framework available on the market … a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments”.
However, Proofpoint says that in September 2022, its systems spotted initial delivery of the Nighthawk framework as a remote access trojan (RAT). Its systems caught several test emails being sent with generic subject lines including “Just checking in” and “Hope this works2”, containing links that, when clicked, led to an ISO file containing the Nighthawk loader payload as an executable.
It said this distribution of Nighthawk appears to have taken place as part of a genuine red teaming exercise, and that the emails and the links within them only had the appearance of being malicious.
Proofpoint further stressed that it has not become aware of any leaked version of Nighthawk being adopted by any attributed threat actors, but said it would be “incorrect and dangerous” to assume it would not be appropriated as such.
“Detection vendors in particular should ensure proper coverage of this tool as cracked versions of effective and flexible post-exploitation frameworks can show up in the dark corners of the internet when either threat actors are looking for a novel tool or the tool has reached a certain prevalence,” the team said.
There are many reasons why threat actors appropriate legitimate tools into their arsenals. They can make it harder for defenders or researchers to attribute clusters of activity, and will usually contain specific features, such as endpoint detection evasion. In Nighthawk’s case, the researchers believe it is the product’s advanced capabilities, particularly its extensive list of configurable evasion techniques, that may make it exceptionally attractive to malicious actors going forward.
“Legitimate tools, like the Nighthawk penetration testing framework, are an all-time favourite of threat actors of varying skill levels and motivations,” said Sherrod DeGrippo, Proofpoint vice-president of threat research and detection.
“They can complicate attribution, make evading endpoint detection easier, and all around make security researchers’ jobs more difficult than they already are. The greater community needs every advantage it can get to prepare for the next potential threat and that means diving deep on even those tools that are created with the best of intentions.”
MDSec director Dominic Chell told Computer Weekly: “We are not aware of any instances of Nighthawk being used for illegitimate activity, nor has any evidence been produced to support this theory. We take our role as an exporter of intrusion software very seriously and apply rigorous vetting to any company wishing to purchase the software.”
Computer Weekly further understands that MDSec has a number of measures in place to control distribution and track how and where the Nighthawk framework is being used, although full technical details of these cannot be disclosed for security reasons.
Some of the non-technical vetting procedures include a multi-seat licensing requirement, to put it out of the reach of individuals, contractors or single-operator red teams, and an outright ban on self-hosted trial licences, as other similar products have wound up being exposed through such trials.
Where it does export, the company does so in accordance with the government’s Open General Export Licence (OGEL), which governs the export of controlled goods on a list of strategic and military items – Nighthawk falls into the “military and dual use” category – that require authorisation.
It is licensed to distribute Nighthawk in the European Union, Australia, Canada, Japan, New Zealand, Norway, Switzerland, Liechtenstein and the US. In a blog post, MDSec said it had rejected many more approaches to buy Nighthawk than it had approved.
MDSec said it was not approached in advance of Proofpoint’s advisory being made public, nor was it asked to confirm the legitimacy of the activity that the supplier’s monitoring picked up. The firm described Proofpoint’s documentation of a number of unpublished EDR bypass techniques as “irresponsible”, saying that this information could now be exploited by threat actors.
The company urged any security suppliers wanting to confirm the legitimacy of Nighthawk activity they may observe in their telemetry to contact it directly.
All Rights Reserved, Copyright 2000 – 2022, TechTarget