Those in the cyber security community are intimately familiar with Cobalt Strike, a tool that has been used by pen testers for a decade. Although perhaps the most well-known pen testing tool, Cobalt Strike is by no means the only one. Another, Brute Ratel, is currently garnering attention in cyber security circles for all the wrong reasons. For example, Palo Alto's Unit 42 reports that APT29 (AKA Cozy Bear) has been abusing Brute Ratel to conduct recent intrusions observed in North and South America.
And Dark Cubed's customer base hasn't been immune from this misuse of Brute Ratel.
Over the past 60 days, our threat research team has identified attempted brute force attacks from Brute Ratel infrastructure against 6 Dark Cubed customers, while another 25 were subject to scans from Brute Ratel infrastructure likely attempting to identify open ports and their available services. Specifically, SQL and RDP ports were probed: the group leveraging Brute Ratel scans for exposed database servers (Structured Query Language), which give them direct access to potentially sensitive data, and for open Remote Desktop Protocol ports, which enable them to take control of network devices. Note that, although the Brute Ratel tool has been linked to Russia's Cozy Bear hackers, we can't confirm the precise identity of the operators of the infrastructure launching these specific scans against Dark Cubed customers.
Dark Cubed’s analysis of the log data from these probes suggests that very few of the network devices probed were exposing the services the Brute Ratel infrastructure was scanning for, but there is some evidence that a few may have been open, and that the Dark Cubed platform blocked the connection (scored a “9”, our highest threat level) before any damage could be inflicted by the attackers.
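A small log-triage script, added here as an illustration and not part of Dark Cubed's platform or the original post: it reads constructed firewall log lines, flags sources that probe the default MSSQL (1433) and RDP (3389) ports across several hosts, and lists any probe the firewall let through, which is the sign of an exposed service the post warns about. The log format, the port numbers and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Default ports for the services named in the post. Assumption: the scans
# targeted these standard ports (the post gives no port numbers).
WATCHED_PORTS = {1433: "MSSQL", 3389: "RDP"}

# Constructed firewall log lines for this example, not real telemetry.
# Format (assumed): "<src> -> <dst>:<port> <ALLOW|DENY>"
SAMPLE_LOG = """\
198.51.100.7 -> 10.0.0.11:1433 DENY
198.51.100.7 -> 10.0.0.12:1433 DENY
198.51.100.7 -> 10.0.0.13:3389 DENY
198.51.100.7 -> 10.0.0.14:3389 ALLOW
203.0.113.9 -> 10.0.0.11:443 ALLOW
203.0.113.9 -> 10.0.0.11:443 ALLOW
192.0.2.5 -> 10.0.0.20:3389 ALLOW
192.0.2.5 -> 10.0.0.20:3389 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<action>ALLOW|DENY)$")


def parse_log(text):
    """Yield (src, dst, port, action) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"]), m["action"]


def find_sql_rdp_scanners(text, min_targets=3):
    """Flag sources probing watched ports on at least min_targets distinct hosts.

    Returns {src: {"targets": n, "exposed": ["dst:port", ...]}} where
    "exposed" lists probes the firewall allowed through: those hosts appear
    to expose the service and deserve a configuration review.
    """
    targets = defaultdict(set)
    exposed = defaultdict(list)
    for src, dst, port, action in parse_log(text):
        if port not in WATCHED_PORTS:
            continue
        targets[src].add(dst)
        if action == "ALLOW":
            exposed[src].append(f"{dst}:{port}")
    return {src: {"targets": len(hosts), "exposed": exposed[src]}
            for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, info in find_sql_rdp_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {info['targets']} hosts, exposed: {info['exposed']}")
```

The repeated RDP hits from 192.0.2.5 against a single host are not flagged as a scan by this logic; a brute force check on authentication failures would need a separate rule over login logs.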
Assuming all network configurations are set properly, there's little danger posed by these kinds of indiscriminate scans to the business being probed, but mistakes happen, and frequently. Inexperienced operators, those rushed by tight schedules, or technicians working with new equipment or updated interfaces can easily misconfigure devices. One need only read any number of cyber security news feeds to appreciate how often common errors are the genesis of major breaches.
The good guys have to be perfect. The bad guys only have to be right once. And with readily-accessible tools that enable bad actors to literally probe the entire internet in minutes, they will find no shortage of low-hanging fruit for their opportunistic crimes.
Why not take advantage of their Achilles' heel? In this case, and many others, Dark Cubed's scoring engine had identified the infrastructure from which they were operating as the source of malicious activity, and it was blocked.
The bottom line? There’s no reason to work without a net when defending against today’s automated, opportunistic cyber criminals.