THE CONCEPT OF “hacking back” has drawn attention—and generated controversy—lately as geopolitics focuses increasingly on the threat of cyberwar. The idea that cyberattack victims should be legally allowed to hack their alleged assailants has even motivated a bill, the Active Cyber Defense Certainty Act, that representative Tom Graves of Georgia has shared for possible introduction this fall. And though many oppose hacking back as a dangerous and morally ambiguous slippery slope, research shows that, for better or worse, in many cases it wouldn’t be all that hard.
It turns out that many popular hacking tools are themselves riddled with vulnerabilities. That doesn’t necessarily make returning fire on incoming hacks a good idea, but it does show that attackers often don’t pay all that much attention to security. As the idea of hacking back gains support it could eventually cost them.
Hackers often rely on a few common “remote administration tools” to control victim systems from afar, as if they were sitting in front of them. Naturally, not all RATs work for all attacks. But hackers turn to some tools more often than others, before moving on to more niche or resource-intensive options if necessary. This ubiquity got Symantec senior threat researcher Waylon Grange thinking: RATs with security vulnerabilities of their own could give victims easy access back into a hacker’s own system.
Grange analyzed three common RATs with no known vulnerabilities—Gh0st Rat, PlugX, and XtremeRat—and quickly discovered easily exploitable flaws in all of them. He will present his findings on Saturday at the DefCon security conference in Las Vegas.
“I found that the RATs were very vulnerable, that they were not well-coded, and that it’s very feasible to hack them back,” Grange says. “A lot of the current mitigations and things that make exploiting hard in general just don’t exist in these tools, it’s as if they were stuck back in the early 2000s in terms of complexity. So it was very easy for me to find these exploits.”
The RATs Grange looked at have been used around the world in attacks on industries like technology, manufacturing, healthcare, and energy—not to mention hacks of embassies, ministries, NGOs, and governments. Attackers used Gh0st Rat, for example, in hacks as varied as those of NATO, the Associated Press, and the Dalai Llama.
In many of the vulnerabilities Grange uncovered, a victim looking to hack back could exploit setup flaws in the attacker’s RAT to access its command and control server (the computer the attacker uses to direct the RAT), download files from that attacker system, deposit code on it, or even create a persistent backdoor to sit on the attacker’s system long-term. Hacking back has some standard possible objectives—retaliation perhaps, but also information-gathering as part of an attempt to discover an attacker’s motives or identity. The exploits Grange developed could theoretically facilitate counterattacks that would allow victims to achieve these goals.
“If you got back on one of those machines and you sat there and listened you might be able to see who else they’re targeting or what type of groups they’re after or what type of information they’re after, which is very vital information when it comes to attribution,” Grange says.
Opponents of hacking back fear a slippery slope in which most countries eventually allow it, cyberattacks increase even more, and law enforcement around the world finds itself at a jurisdictional disadvantage. More hacking back could also mean more collateral harm. If an attacker has routed their malicious traffic through benign systems to hide their tracks, these innocent intermediaries could be hit with retaliatory strikes by those attempting to hack back.
Still, exploits in hacking tools wouldn’t just be potentially used by private victims who want to hack back. It’s not much of a leap to imagine that spy agencies around the world already take advantage of these vulnerabilities for intelligence-gathering and criminal attribution. “It’s not really clear what you would do once you get back on the attacker’s machine, we can only kind of speculate there,” Grange says. “It’s an area that hasn’t really been fully thought out or discussed—at least in public.”
Grange notes that Asia-Pacific region attackers particularly favor the three tools he looked at, though they’re also popular elsewhere. Of course, hacking tools are not created in a corporate environment, or one where developers are beholden to customers. They circulate and evolve without central oversight, so it’s not surprising that they contain flaws and bugs. It also makes them difficult to comprehensively patch. Even if someone attempted to fix a vulnerability, exposed versions of the tool would still circulate indefinitely, and new bugs might emerge.
“I thought about how when I released this talk some groups might try to fix these bugs, but I think the bugs in the three I looked at are systemic enough that others will surface, so I don’t feel like you’re losing something big here,” Grange says. “The code is a mess, and it would be hard for somebody to try to clean up all versions of it.” Still, he notes that it would probably be worth the effort from an attacker’s perspective to patch RATs, or consider relying on ones that are more secure.
Hackers could always take other precautions to protect themselves by controlling their RATs from virtual machines, or dedicated computers that don’t have anything else on them, and can’t give much away if compromised. But this type of distributed system for an attack takes planning and resources that an attacker may or may not have. And the attacker could still make mistakes in attempting to isolate a system that could lead someone back to their broader infrastructure.
The ease with which Grange found critical exposures in the programs he looked at reflects the ad hoc nature of malicious hacking today. Even the most sophisticated assaults, sometimes called “advanced persistent threats,” frequently incorporate mainstream hacking tools like these well-known RATs. State-sponsored actors and innovative cyber criminals alike lean on readily available tools to make their work faster and easier.
“The tools they’re using are very, very sloppy. They’re not this untouchable group, they really play on the same playing field we do,” Grange says.