Red team tool developer slams ‘irresponsible’ disclosure

UK cyber security consultancy and penetration testing specialist MDSec has defended its commercial Nighthawk framework and criticised what it described as an “irresponsible” disclosure after researchers at Proofpoint warned that the tool risks being co-opted into widespread use in the cyber criminal underground, as happened with Cobalt Strike and others, such as Sliver and Brute Ratel.

Like Cobalt Strike, Nighthawk is a legitimate command and control (C2) framework used for red team penetration testing, and is sold through commercial licensing.

It was developed in-house at Cheshire-based MDSec, which is accredited through the UK government’s CESG technical authority to offer cyber services to government bodies, and holds numerous other badges from the likes of Crest and the National Cyber Security Centre.

MDSec released Nighthawk in 2021, describing it as “the most advanced and evasive C2 framework available on the market…a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments”.

However, Proofpoint says that in September 2022, its systems spotted initial delivery of the Nighthawk framework as a remote access trojan (RAT). Its systems caught several test emails being sent with generic subject lines including “Just checking in” and “Hope this works2”, containing links that, when clicked, led to an ISO file containing the Nighthawk loader payload as an executable.

It said this distribution of Nighthawk appears to have taken place as part of a genuine red teaming exercise and the emails and links within them only had the appearance of being malicious.

Proofpoint further stressed that it has not become aware of any leaked version of Nighthawk being adopted by any attributed threat actors, but said it would be “incorrect and dangerous” to assume it would not be appropriated as such.

“Detection vendors in particular should ensure proper coverage of this tool as cracked versions of effective and flexible post-exploitation frameworks can show up in the dark corners of the internet when either threat actors are looking for a novel tool or the tool has reached a certain prevalence,” the team said.

There are many reasons why threat actors appropriate legitimate tools into their arsenals. They can make it harder for defenders or researchers to attribute clusters of activity, and will usually contain specific features, such as endpoint detection evasion. In Nighthawk’s case, the researchers believe it is the product’s advanced capabilities, particularly its extensive list of configurable evasion techniques, that may make it exceptionally attractive to malicious actors going forward.

“Legitimate tools, like the Nighthawk penetration testing framework, are an all-time favourite of threat actors of varying skill levels and motivations,” said Sherrod DeGrippo, Proofpoint vice-president of threat research and detection.

“They can complicate attribution, make evading endpoint detection easier, and all around make security researchers’ jobs more difficult than they already are. The greater community needs every advantage it can get to prepare for the next potential threat and that means diving deep on even those tools that are created with the best of intentions.”

MDSec director Dominic Chell told Computer Weekly: “We are not aware of any instances of Nighthawk being used for illegitimate activity, nor has any evidence been produced to support this theory. We take our role as an exporter of intrusion software very seriously and apply rigorous vetting to any company wishing to purchase the software.”

Computer Weekly further understands that MDSec has a number of measures in place to control distribution and track how and where the Nighthawk framework is being used, although full technical details of these cannot be disclosed for security reasons.

Some of the non-technical vetting procedures include a multi-seat licensing requirement, to put it out of the reach of individuals, contractors or single-operator red teams, and an outright ban on self-hosted trial licences, as other similar products have wound up being exposed through such trials.

Where it does export, the company exports in accordance with the government’s Open General Exports Licence (OGEL), which governs the export of controlled goods on a list of strategic and military items – Nighthawk falls into the “military and dual use” category – that require authorisation.

It is licensed to distribute Nighthawk in the European Union, Australia, Canada, Japan, New Zealand, Norway, Switzerland, Liechtenstein and the US. In a blog post, MDSec said it had rejected many more approaches to buy Nighthawk than it had approved.

MDSec said it was not approached in advance of Proofpoint’s advisory being made public, nor was it asked to confirm the legitimacy of the activity that the supplier’s monitoring picked up. The firm described Proofpoint’s documentation of a number of unpublished EDR bypass techniques as “irresponsible”, saying that this information could now be exploited by threat actors.

The company urged any security suppliers wanting to confirm the legitimacy of Nighthawk activity they may observe in their telemetry to contact it directly.

Leave a Reply

Your email address will not be published. Required fields are marked *