
Linux Security Software Turned Against Users

Security researchers at Sysdig discover threat actors repurposing legitimate open source security tools for cyberattacks, with Chinese-sponsored UNC5174 group leveraging Linux-based VShell and other tools to evade detection.
May 1st, 2025 12:00pm by

Threat intelligence analysts at Sysdig recently wrote about a threat group called UNC5174, a state-sponsored Chinese operation that runs espionage campaigns against governments, tech companies, research institutions and think tanks in the United States, Canada, and the U.K., as well as nongovernmental agencies in the Asia-Pacific region.

Until recently, it was also known for using custom-built tools in its attacks, such as its proprietary SnowLight Linux downloader, to gain initial access to targets’ systems and carry out its sophisticated cyber operations.

However, UNC5174 recently began adding open source tools to its bag of tricks, such as using Supershell as a reverse shell last year. In their report, Sysdig researchers noted that the threat actor is using another open source tool, VShell, in an ongoing campaign that started in late January. They were using it in conjunction with SnowLight and WebSockets and hiding it by wrapping it in other malware to make it more difficult to detect, they wrote.

UNC5174 is an example of a larger trend of state-sponsored and other advanced cybercriminal gangs turning to open source solutions in their arsenals, often weaponizing legitimate offensive cybersecurity offerings to reduce the cost of their operations and to better blend in with “script kiddies” — less-sophisticated bad actors — which gives them a better chance to go undetected by threat hunters.

And it’s worked, according to Alessandra Rizzo, threat detection engineer for Sysdig.

“This seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government,” Rizzo wrote in the report.

Adopting Open Source

Sysdig called out the trend in its 2024 Global Threat Year-in-Review, noting “the weaponization of multiple open source tools this year, notably SSH‑Snake, which facilitated credential theft and expanded attacks across the US, China, and beyond. Less than a month after the release of the open source SSH‑Snake tool, the CRYSTALRAY threat group leveraged the newly created pen testing tool to steal more than 1,500 victims’ credentials.”

“For the last two-plus years … we’ve seen threat actors using open source tools because they’re readily available, they’re free, they’re easy to access, and easy to download,” Crystal Morin, cybersecurity strategist with Sysdig, told The New Stack.

Rizzo added that hackers “are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries … thereby making attribution even more difficult.”

From Exploitation to Weaponization

Bad actors for several years have turned to open source software as an avenue to software supply chain attacks, looking for vulnerabilities to exploit — such as with Log4j and xz Utils — and ways to inject malicious code into the supply chain through popular code repositories.

It’s part of what Ibrahim Haddad calls the “double-edged sword” that is the transparency of open source software.

“On one hand, the open nature of development and the public availability of the source code means that vulnerabilities are visible to all, including potential malicious actors,” wrote Haddad, who until January was the vice president of strategic programs at The Linux Foundation, before becoming head of infotainment at Volvo Cars. “Conversely, this transparency and availability enable a diverse range of experts from different organizations, backgrounds, and areas of expertise to identify and collaboratively resolve issues more rapidly than any single individual or organization could achieve alone.”

Repurposing the Tools

That interest in open source software is now also focused on using legitimate tools as weapons. French National Agency for Information Systems Security (ANSSI) noted it in its French Cyber Threat Overview report released in March.

“The search for low-cost stealth and effectiveness encourages malicious actors to favour open source commercial tools or ‘Living off the Land’ techniques (LotL),” the organization wrote. “For instance, reputedly Chinese intrusion sets notably use legitimate SOCKS5 proxy tools and the SoftEther VPN.”

Sysdig’s Morin and Rizzo pointed to the tendency of bad actors to repurpose tools that are designed to help threat intelligence teams protect organizations against attacks. Cobalt Strike is a commercial tool used to simulate attacks to expose gaps in organizations’ security posture and get them closed. It has become a favorite tool of threat actors, who use it themselves to sniff out such security holes in targets.

SSH-Snake and VShell

That is continuing to spill over into the open source world with such software as SSH-Snake — a security and network mapping tool released on GitHub in January 2024 that was used in the CrystalRay attacks — and now VShell, which Rizzo wrote has a reputation in underground forums as being “’even better’ than the widely known Cobalt Strike framework.”

“These tools are being created by not malicious, evil people,” Sysdig’s Morin said. “They’re being developed by developers, people who work in the industry with us. … Those are the types of people who are developing these tools like VShell, and they’re doing it so they can share them with the community for red teaming operations, to use it in your organization to look for weaknesses, vulnerabilities [and] misconfigurations so you can improve your organization’s defense.”

Cybersecurity firm CyberArk noted late last year that SSH-Snake started out as a legitimate tool for penetration testers and system administrators but is “now favored by threat actors, who are already exploiting known vulnerabilities, specifically in Confluence and Apache Active MQ systems, in order to gain access and deploy the malware.”

Shut Down but Still Circulating

Rizzo pointed out how quickly bad actors are repurposing such tools for their own nefarious purposes, saying that “for SSH Snake, it took only a month for attackers to start using it maliciously and it clearly wasn’t the intention of the developers. It is the same with VShell. It was firstly released as a penetration testing tool and because it started to be abused very soon after its release, the developer took it completely down [from] the internet.”

It’s still circulating in underground channels, particularly among Chinese threat groups, in a cracked version, she said, adding that “it’s not available anymore, but if there’s an intention to exploit it, people are going to find it and redistribute it.”

Morin said this is part of the cat-and-mouse situation that is cybersecurity. Bad actors develop new tools or techniques, defenders respond, and then the hackers adapt to the response. It will likely continue that way. That said, she suggested that developers and security experts could closely collaborate in hopes of staying ahead of cybercriminals.

“One of the things that we could perhaps do: ask developers of the tools to help us defend against it,” she said. “They know these tools that they’re developing better than anybody else. … They could be the ones to help write the detection analytics to detect this activity or defend against it rather than having to be someone like the Sysdig Threat Research Team that finds these attacks post-mortem and have to put this out and share with the community.”

Look At the Source Code

Rizzo said having more documentation is always helpful, but reminded that if the open source tool is freely available, the source code can be looked at.

“Most times it is enough to look at what it does by looking at the code, by running it,” she said. “You can see behaviorally what it’s doing. Most times that is sufficient.”

With VShell, Sysdig researchers saw suspicious manipulation of large amounts of memory, which is unusual behavior even for fileless programs. For Rizzo, looking at and running the source code was enough, given her expertise.

However, “I’m not sure how this translates … to less technical audiences for these tools, so it could be more helpful to have more documentation. For example, for VShell, there wasn’t very much. There’s a configuration file, and then that’s it. Also, it was abandoned, so I suppose that everything was taken down as well, so it wasn’t easy also to understand what it was trying to do.”

The Game Continues

Morin said the cat-and-mouse game isn’t going to stop. Open source software is increasingly critical to organizations and individuals and is tightly ingrained in IT and consumer technology. It’s not going anywhere.

“The best way you can stay on top of these things — because I would never say to stop using open source software or for developers to stop creating these tools, because they’re so valuable to the rest of us — is just to pay attention to threat intelligence, to reports like this, [and] understand what threat actors are using,” she said. “If you in the security operations know your environment well and you see a tool being used that’s not normally in your environment, then that’s something that you should go and take a look at.”

TNS owner Insight Partners is an investor in: Sysdig.