
Hey, thanks for uh showing up here at 3 PM. Uh as Adrian mentioned, I'm Stephen Hilts. Uh and this is a talk into diving into open source red teaming tools and how uh new method some new methodologies that we could potentially utilize to evaluate and defend and protect against uh open source red teaming tools as criminals and nation states are increasingly using them. So today we're going to talk about what is red teaming because I'm not sure everybody in the room knows. Uh what tools are being used and some case studies of criminals and APTs using them. Uh proactive versus reactive approaches to dealing with red teaming tools. Um who is the red who who
uh something I like to say is who red teams the red team and also everyone's on the same team. So, this isn't a bash for any of the red team, blue team, purple team, white team, orange team, green team, um, lavender, I don't know. Um, who in here is a red teamer? Okay, thank you. Jeez. Uh, anybody in here, uh, solely on defense? All right, cool. Um, does anybody not know what a red team is? So, a red team is a group usually either depending on the size of your organization, it's either an internal team or a hired consultant, they simulate adversarial threats and to test organizational defenses. Uh, their job is to challenge all the assumptions,
identify vulnerabilities and expose gaps uh in security and the decision-making processes as well. Red teams can conduct physical or digital intrusions uh often without alerting employees and that's the big difference on red teaming versus uh pen testing is usually a lot of pen tests tend to be more informed. Somebody in the organization knows about it. That's usually on the defense side. Um though their actions might seem deceptive on the surface, red teams uh are operating with the full authorization of the organization's leadership. Uh and it's usually entirely legal. Their findings are used to strengthen the organizational overall resilience. Uh the concept of red teaming comes from the US military in the 1960s uh where they were designed to evaluate
strategies by simulating Soviet threats. Once uh one of the early adopters of formal red teaming uh came up with that. Uh it was actually the RAND Corporation going against uh the Pentagon strategies. Today red teaming isn't just limited to that but um cyber security uh is also involved. They also use red teaming for emergency planning and you know other things like that as well. So as I said here I am I usually work on the defense. I work for a company that's more on the defense even though we do have services into red teaming. So what do I have to say about red teaming? Uh well I wrote books and I'm mentioned in Tribe of Hackers Red Team. I have a
chapter, it's chapter 26 on that and I'm a co-author of industrial control systems hacking exposed. So for a long time I was more on the offensive side um and I worked more or less as a pen tester for industrial control systems. Kind of came up with some of the blueprints on how that's all working. Um I've authored offensive tools. You can go find them on various places uh throughout the internet. Most of them are for targeting control systems. Um but what I've noticed recently is that there's an uptake in criminals and nation states using open source tools to attack uh targets around the world. One of the things when you're trying to find uh red teaming tools, people really
love to know that they put this phrase uh up here on GitHub. I searched for educational purposes. Um, people feel like that gets them that's their get out of jail free card. But what you can see here is I searched that and there is 28,000 over 28,000 results. Uh, for what it's worth, when we released this research last year, uh, I did the same search and it was just over 19,000. So in one year we've added 9,000 projects that have for educational purposes inside in the terminology. While some of these have intent no while some of these have intended malicious purposes. Uh it just shows you that and some are not. uh you can see on this screen here
um brings standard libs and other programming languages to JavaScript for educational purposes. Highly likely not a malicious package meant for red teaming or pen testing. So which one of these are out of these 28,000 how how do we even know what to start looking at? How do we triage this? How do we start making detections for this and how do we go on? Um so let's look at some of these projects. Uh while uh some of these projects that criminal cyber criminals and even nation states are utilizing today uh while many of the tools that are being published seem to be innocent like this cat uh they can be used by criminals and abused uh even with supply
chain attacks and we'll have some case studies on that. Uh this is one reason why we should ensure that our red teams are doing and understanding their jobs and also cleaning up afterwards. And I'll show you some examples of uh you know you should come up with really good plans for everyone to clean up everything you've done. Uh we all know Cobalt Strike. We all know that it got cracked and all the criminals started using it. Then we wrote a lot of good detections and it's very hard uh hard harder for them to use it. Um so like everyone did a really quick catchup and so that they moved into other tools and among these were
Brute Ratel and Sliver and those were growing in popularity a year ago and they've moved on to other things as well. So, this presentation is going to provide defenders and SOC uh SOCs with the technical details uh and tools that they you're likely going to encounter as well. Uh one down there on the bottom in the left hand, we'll talk about DeimosC2 in a little bit. Actually, we'll talk about right now. So, DeimosC2, I wrote this um blog because we were tipped off to a nation state actor that may have been using this um couldn't confirm it or so I can't tell you exactly which one it was uh but DeimosC2 was be being used by a uh nation
state. So, we started looking into it and it kind of was already doing this project. So this was something that made me realize we need to do more into this and look harder into it and find this before things like this nation state moved from building their own C2s to using open source ones. Uh to date there's conversations in the underground about moving to different C2s, talking about C2s and things like that. Um but attackers are choosing these. They have conversations and cyber criminals are having conversations on which ones that are better, which ones that they should be using. Uh so other tools that they're mentioning and discussing are PoshC2, PHPSploit, Merlin. Uh similar to red
teamers, cyber criminals like to use a mix of command line and GUI-based uh C2 frameworks uh depending on their preferences. Uh they also like them to be easy to build and maintain and operate. Uh we did find some uh as the screenshot shows uh DeimosC2 appearing uh as a recommended uh alternative to Cobalt Strike in Russian speaking forums. Does everybody know what business email compromise is? Okay. So it poses a significant uh problem. I think in the last 10 years it's been estimated that it cost $55 billion. Uh BEC scammers utilize stolen accounts uh from legitimate uh SMTP services to bypass email filters uh enhancing the credibility for their emails to get into the inboxes.
In 2022, uh we found and discovered a new potential BEC campaign uh that had been running. So we found it in September. It had been running since April uh targeting large global companies uh spear phishing attacks with fraudulent phishing cam Microsoft phishing campaign. Uh the attack involved using obfuscated JavaScript code and then the use of a cyber criminal tool called BadaxxBot and then uh they were using Evilginx2 uh as well. So here's the blog on that. The attackers leverage BadaxxBot and Evilginx2 to stage their attacks. Um the payloads in the email were obfuscated JavaScript. Uh typical typical BEC targets campaign include executives and finances. Uh departments in companies with substantial annual
revenue regular employee training and monitoring again is pretty much what we've been doing. Um so going through some of the tools this is an open source tool called the JavaScript Obfuscator. Has anybody used this before? Uh, it's really good. Obfuscates your JavaScript to making it nearly depending up which options you check, it makes it nearly impossible to deobfuscate. Uh, so you have to go through the tools and step through uh all the ability to understand what's actually happening. Um, so it's really really hard to deobfuscate. Um, very popular tool. There is online deobfuscators that actually work a little bit now, but when this first came out, it was a free-for-all. So again, we're
talking in 2025, about 2022, and we're just now at a place where we can say they're doing better at deobfuscating this. Uh, Evilginx2 uh is a phishing framework. Um, many of the phishing as a service toolkits are actually using Evilginx2 as the backend. Well, it's Evilginx3 now, but they're using Evilginx as the back end. Um, so it's very common. Criminals are using this. It's quite problematic. Um, but don't worry everybody. They have a disclaimer that even though they know it can be used for nefarious purposes. It's definitely for educational purposes and shouldn't be used by criminals that because criminals follow nice guidelines like that, right? Like please don't use
my stuff criminals. I know you can use it. So that doesn't work. Um so this is just one example. Uh here more recently uh this is also an obfuscated JavaScript file. Uh so more recently as in last few years uh but we had a blog come out on this three weeks ago now. More recently the North Koreans have made fake job uh schemes. I think there was a talk on deepfakes in the other track uh specifically mentioning North Korean attacks. Um they make fake jobs. They post them on LinkedIn. They lure people to a job interview. Uh during this process, you'll download a GitHub project and run it. Here's a here is the an example of one of those.
It's embedded in uh a tool. It's uh phaser.js. I've seen it in error.js. JS there. This one's more blatant as it's just the obfuscated JavaScript. That's the thing. This entire file is um you come back to where the phaser.js is actually being called. It's all wrapped in an eval uh within another one of the JavaScripts. um they're hiding JavaScript this JavaScript elsewhere through API calls and hiding it in uh like it looks like it's downloading a cookie and then it breaks apart that cookie inside that cookie is obfuscated JavaScript that's B64 and then they piece it back together. It's becoming more and more difficult to detect um even from a glance over the code. uh you know as you get these projects
how many people are reading through every line of code before they run it because you're in the middle in the middle of the technical interview and somebody on the other side is telling you to run it prove that you fixed whatever the minor problem was uh that they wanted you to fix. Hands up. How many people reading every line of code through a job interview? Okay, there was no hands. Uh, so this is a personal thing for me because it really bothers me that um this is they're taking advantage of a a workforce that is actively looking for jobs. Um they are specifically targeting Web3 developers because they're trying to steal crypto. Uh but they do more
than just steal crypto. They steal everything from the computer. Uh it siphons, they pull the data off. If you have a resume on your computer, they love that because they're going to start applying as on jobs as you uh and if you have pictures and things like that, they love to make deepfakes of you. So, just be careful out there. So, North Korean threat actors are leveraging also it uh Russian IT infrastructure to facilitate this crime and that's kind of what our blog is about. Um, but they're using Obfuscator, the the JavaScript Obfuscator, uh, the open source one to make that. So, that was, you know, we've been ignoring it. 2022, we said this is a problem. We kept
going. It's become bigger of a problem to where now they're you're stealing your crypto to finance uh, nation state activities. Russia or North Korea loves to steal money to further their uh nuclear uh nuclear weapons development. So there that's who's behind and this is who to fund those nuclear weapons. Uh they're they're using JavaScript Obfuscator. Uh PyRDP, has anybody ever used this? So, PyRDP is an open-source man-in-the-middle uh tool uh developed by GoSecure that allows red teamers and researchers to analyze and interact with RDP uh sessions in in real time. So, it can intercept RDP traffic, capture credentials, hijack sessions, monitor clipboard and file system activities, and then record session data
uh for analysis. It acts as a proxy between the target and the legitimate RDP server. Uh and PyRDP logs critical information like usernames and passwords. Uh while built with ethical and pen built for ethical use in pen testing. Uh this also illustrates uh how similar tools can be leveraged by threat actors. You can imagine here. Uh so this is a blog that hypothesized is called Rogue RDP uh by Black Hills. Uh that a the threat of a poorly secured RDP uh to show how easily attackers can gain access uh when organizations neglect to implement basic RDP hygiene. By using tools like Shodan and masscan, actors can locate RDP servers, exploit them through brute force, things like that.
Um, so this is a really good blog. So what happened here is they hypothesize this attack where they send a fake RDP config file that points to their server that then points to the actual RDP server. and you would log in thinking that you just got something that uh to you know the person who phished you had a really good thing to tell you to go ahead and you need to use this RDP config file and then they would siphon all your data. So the really neat thing is PyRDP not only will it so it it'll attach remote drives based off the config file and then suck down all the the file system from the uh
from your computer as you attach to it. So here um this espionage campaign we uncovered Microsoft kind of uncovered this uh we put pieces of it together. Um so that's our name for APT29. Uh it's a cyber espionage you know APT29 who doesn't know about them. uh the group was using more or less this exact same described attack except for the one difference is they were launching a remote application on their own RDP server after it went through PyRDP. So what you would do is you would click on this thing that you it's one of the examples was AWS configuration test. You click on it and it would open up a window on their control box
that would have you interact with and say that you're doing what exactly was said in the email. What ended up happening is while you were doing that they were stealing data from your machine and this targeted of course NGOs and large government organizations. Um this is an example of a highly sophisticated uh nation state threat actor group utilizing an open-source red teaming tool. Uh this is one of the the the the newer slides or one of the newer blogs from Trend as well. It's called Crazy. Uh I don't remember. Uh ZammoCide is an offensive offensive security tool designed to exploit misconfigured um instances of Zammad, a widely used open source health help desk ticketing system.
It leveraged uh the Zammad API to extract sensitive information such as tickets, attachments and internal communications which may be used um for other things as well. The uh it this tool shows the importance of securing lesser scrutinized business applications as well. Um, so that's what this tool is for is to help you gauge that risk, show you the vulnerability, show you that it existed. Um, does anybody know the term BYOVD? It's a bring your own vulnerable driver. Just so if that ever comes up again. So, Crazy Hunter was a campaign that was uh a Chinese threat actor group targeting Taiwanese critical sectors. Uh, Crazy Hunter uh initially gained access through sophisticate uh it was a malicious RTF
document exploiting a Microsoft Office vulnerability. Once inside they deployed a custom loader and then C2 and all that fun stuff. One of the things from this blog from uh from us was really interesting was 80% of their toolkit was open source. So this is one of the largest numbers of how many tools um that we're seeing people utilize was upwards to 80% of what they're using is just purely straight open source tools you know and even APT41 was using GC2 uh to attack actors as well. So, so we have now North Korea, we have Russia, and we have China. The three major ones that we're all supposed to be worried about are using open source tooling uh
to to attack us. But, you know, it doesn't get better. So, here is uh PyPI packages that were targeting uh so malicious PyPI using Wasp Stealer. So Wasp Stealer is an info stealer and somebody had gotten it into PyPI packages uh just to siphon information. Then we also have uh so this is a p an example of uh a m a variant called uh of Wasp Stealer called Satan Stealer. Uh so Wasp Stealer is an open sourced uh stealer. Satan Stealer was a fork or a variant of Wasp Stealer. The only difference was this uh Satan Stealer would actually send the things everything it was stealing stealing back to another C2 as well. Uh not only to
the configurable one but the actor's one as well. So this comes back to now now we have supply chain attacks where criminals are using known platforms changing them slightly making them look better and then going forward and uh trying to lure people into using them. Uh you can actually see here just a little bit uh of just the straight code copies. Uh we can look into VirusTotal and see uh how many for different variants uh we were able to see by looking into um the actual strings of the file content. You can see that it's um wppp WP password um and things like that. The strings from the Wasp Stealer that people have compiled and changed.
So mutants are a thing we actually have to worry about. Uh do you really trust the code that somebody wrote in their spare time and that wasn't released or maintained by any companies really? There's nothing wrong with open source uh tooling and there's nothing wrong with people making it. The problem is we just have an information overload. Uh however should how much time should we be looking through going through all of this? And whose job is it to look through all this? Um, who is it to go whose job is it to go and look through all these packages even from a red teaming or a pen test? Do you ask your consultants, have they done code reviews
of everything they're about to deploy? And that's the real question. And that seems like a lot of work and nobody really wants to do that. Um because they could be using nonvulnerable uh packages. Um so I don't know if that's a mutant or it's Deadpool. Ron, you can let me know. Um so going to look through a case study of something we found while we were doing some of this work. During our research, we came up with some categories to start looking at. I'll mention those in a little bit to see if there was any mentions in underground forums and things like that to see if we could come up with some ideas of
how to better triage and evaluate these. Uh so we came across this project called HTML Smuggler. Who in here is familiar with uh GitHub, right? Most everyone is. Uh, does anybody ever pay attention to how many stars a project has or forks or things like that? So, the way I looked at it was the number of stars. It's like a star map guides you to where you should be looking and what it is I'm looking at. Turns out somebody else had already thought of this. It's a website called starchart.cc. You can actually look up over time the number of stars a project has had. Uh what's interesting is that in HTML Smuggler's case, uh the project grew in late August and
early September. But why why did that go from hardly any stars to a lot of stars? Well, around this time there was actually an article published um and and it's actually an article from a a security company uh where HTML smuggler is a tool designed to support red team operations by leveraging techniques called HTML smuggling. I'm not going to get into what HTML smuggling is. uh red teamers can use tools like this to simulate sophisticated attacks. Uh what makes it particularly effective is the malicious code that isn't trans it's you know instead it's not transmitted over the full network. It's built up in the browser. Um, so to compare, so you saw a very big spike here
comparative to another project that just grew slowly over time. You can see that maybe we should have paid attention to HTML Smuggler when there was that initial talk, that initial spike and then start looking into it because of that. So, what I'm about ready to propose is that instead of being anti- red team, that we actually collaborate with the red team, they're trying to help us defenders with tools by releasing them because they're there. We should be paying attention to them. So, I know that's really hard to see, so I'll break it out into little chunks. Um, but this is more of a what we've mentioned everything up to this point in time as us being reactive. So, let's
take a little more of a proactive approach. We can also use AI to help automate some of this and provide intelligence with, you know, a little bit here and there and try to figure out how we can get down and whittle down these number of projects. So, we start we have to define our categories. Then we use we search for those keywords. And if there was a result then for every project we do exclusion filters. We look at the star and fork popularity and then we search for the underground mentions. Uh this was an early diagram. Exclusion filters come later because exclusion filters is something I've done through AI and if you do it beforehand it gets
kind of expensive uh asking all those questions with the prompts. Then we decide whether there's a a detection internally to uh Trend. If not, then we go try to make a detection and then we just loop that back through for everything. So again, back to the 28 over 28,000s, how do we tackle that? Um, so one of the things I said we define our categories. So we look at these categories. We'll just take the MITRE ATT&CK techniques. Uh, have that as the category name. The ones that are bolded are the our initial PoC ones that we tried this with. Um, but this is our final categories that we came up with based off of that that we
were going to look into. Uh, there's other categories that we just from a PC or a network stance there's no you cannot detect it. Um, like phishing or not phishing, social engineering, I can't detect that. Um so if you want to look at that. Um so yeah the ones that we focused on initially were phishing kits, post exploitation frameworks, uh AV evasion and um there was another one slipping my mind. and it'll come up later. Uh so to make these lists uh of things that we want to look at, there's a lot of tools. There's a lot of projects that are out there that list well-known red teaming tools. So we could go through all those
and do this again. But the problem with that is we should have already had a detection for it. I want to be more proactive and find the new one. Um but this is a really good resource. I don't know if anybody plays looks around with it, but there's a well-maintained list of every C2, whether it's cost, how if it's free, who actually evaluated it from this side, uh, and just kind of what it's written in, and just just kind of ranks them. So, I mentioned the exclusion filters. This is where we used AI. Um, so what we ended up doing is we use AI in this case. So I take the readme from the projects after I define those
categories and my search terms. The search terms I'm not going to show you. That's my secret sauce that we came up with. Um, but you can come up with your own. It's actually not that hard. It just took a lot of fine-tuning to make sure we're seeing the projects we wanted to see. So, as an example for phishing kits, what are the terms that you use uh to search for phishing kits inside of GitHub? Now, the problem with this is the term phishing kit can find the phishing kits, but also will find the tools to help you find phishing kits. So, one is nefarious, one is a helpful tool. So we can look at each project and read
its readme or I can dispatch AI on this. So that's what we do. We pull in the readme, put it into AI, have a bunch of prompts that then ask and then finally we come and ask to a yes or no question. Can this be used for malicious purposes? And they yes or no. Um so then we would store that result as I mentioned. uh you can use starchart.cc or you can just we found out that that is actually just using GitHub's API and you cobble some pieces together and you can make your own star charts. Uh we were able to do that um and by redoing their code and after some
coding and changes what we were able to do is pull it from the the GitHub API to gauge if cyber criminals are chatting about this. Um we look at multiple sources. We look at uh X or Twitter and also cyber criminal forums. How you get this data is kind of up to you. Uh some have have in-house tooling to look for and monitor their own cyber criminal forum chats. Uh and also their services you can purchase and use their APIs. Uh, one thing we found was if you do plan to do this, you shouldn't search for the word phishing kit like as the project name because there's one out there that's like phishing hyphen kit.
Um, that terminology is phishing kit. Criminals are talking about phishing kits all the time, just not that one specifically. So, what we ended up doing was you search the the owner and then the repo with a slash. So that way then you can determine if they're pulling talking about that project itself. Um again we're we may be missing things but it's better than um where we were trying to just play whack-a-mole. So yeah so we ended up building our own in-house tool uh and this was just a proof of concept to see if this worked. We called it GitHub hunter. Uh then you can also deploy this with GitLab um Bitbucket and other whatever the Chinese GitHub is. I
don't remember its name. Um you can of course use this for other sites. So our our first categories we we investigated were post-exploitation uh frameworks, credential access, AV evasion and phishing kits. We started out with over a thousand projects just looking at after we did our searches and and just the search uh that have met the criteria that we wanted to defend against. After we looked at the stars and forks and underground chatter, we whittled that over 1,000 down to 72 projects. Um what was interesting later on in the project we did came up with this idea that we would um create automatic reports as well. So there's this um GitHub or not ChatGPT uh
uh tool called AskTheCode and you can actually literally just feed it a GitHub link and then ask a bunch of questions about the code itself. Um it's designed to help developers understand and navigate complex code bases by answering natural language questions about the code. Um, so we could ask a bunch of questions and we came up with a lot of prompts that then would turn around and make us a threat intelligence report about that project. Um, and then we could actually hand that over to a real analyst to determine what kind of actions that they need to be taking to help defend against this project. Um, so yeah, it's pretty straightforward. Uh in the future uh the idea would be
you could use agentic AI to monitor and flag uh GitHub projects automatically dispatch the AI agents to go off and do some things and come back uh once a project is triggered the AI can uh could actually detail static and behavioral analysis of the code. Now, uh that's how much we've come in the two years since I've started this project. Uh where that was just a dream that you could come up with it. But today, you know, you can actually do it a little bit better. Of course, it'll cost a lot, but you have to that's why you have to filter down to those 72 projects. Makes way more sense to do it
on that over the over 10,00. So over time, uh feedback from a from our from the analy. So then you could have it in a feedback loop and the AI would actually just get better at doing this or worse. But yeah, that's AI for you. It could create a scalable and continuous learning threat and value evaluation system. Um, Magika, has anybody ever played with Magika by Google? So Magika is actually an AI powered tool uh from Google. Uh, it helps improve the file type identification. One problem we had while doing this is GitHub's uh file identification is kind of not really good. And so it'll tell you that there's this type of code in there or this type
of files in there and that it's not accurate. Um so you can actually run it through Magika and it does a way better job of identifying uh you know what types of files are in each project. So it's lightweight uh is built on deep learning models with billions and billions of file types. So it's a really good if you need to quickly identify uh types of projects go ahead and look at that and use that. So what h what does anybody know where this is from? It's from the Watchmen. Yeah. Um so the original term is actually in Latin. Um but it it came from a term about uh who guards the guardians. Um so
earlier I mentioned this idea about who watches the the watchmen. Um or I mentioned uh the the idea about red teamers and and who is making sure that they're doing the the things. Um, so then I came up with this idea about who red teams the red team and maybe a new phrase, probably not, but based off the examples I showed, especially when it comes to the supply chain that people are working into, it's probably nation state actors. So, we need to um, we need to work together and ensure that our in-house consult in-house teams, consultants, and are using legitimate software. Always do your best to make sure that you don't be cheap and use the cracked version of
Cobalt Strike. Uh it's backdoored, so don't do that. Um don't use to your best of knowledge, don't use what's known as uh dual hook software, which is the Wasp Stealer example I gave you. It's dual sending the C2 communication to two different places. Uh these are the same questions we should be asking all of our software that comes in. Of course, we should be doing that. Uh we can't just let the red team come in and have no defenses. Um we don't want to expose new risks just because we're trying to identify risks. Um but we need to remember that we're all on the same team. Red team, blue team, purple team, everyone's goal is to
defend the organization. and stop the real attackers from finding their ways into the organizations and causing harm to the companies. Um, so let's all work together and find these issues and stop the cyber criminals and nation states and questions.
Run Adrian run. You can walk. It's fine. I'm sure there's a lot of pressing questions. Oh, it's right there.
Given that red team is a little bit harder to get into than other uh cyber security jobs, what advice would you give to people that are just now getting into uh cyber security as the skill set that you should build to get into red team? So the best defender also thinks like an attacker. you have to identify those weaknesses that you can ident that you can defend against. Um so you have to always be thinking about how people are going to uh or how criminals can get in. Uh the red team is just validating those concepts and also coming up with potentially new ways of doing it and immediately testing things. A lot of red
teaming is validation not hypothesizing. Is it really harder? They hired me to do red teaming. It it perceived to be, but you really have to be good at truly thinking like the adversary. And that's my best advice though is also to be a good red teamer. You also have to defend. You have to think about how somebody's going to defend against this. That way you could potentially go around that defense. So you you have to be to be good in both. You have to be good at both. Yeah agreed. Any other questions? All right, another round of applause, please, for Stephen.