5 key findings from the NCSC’s report – “The threat from commercial cyber proliferation”

commoditization of cyber attack tools

As hardware-based cyber attack tools like RubberDucky, Flipper, BashBunny, Ninja, and OMG cables become increasingly accessible and affordable, a new wave of security concerns is on the rise. The National Cyber Security Centre (NCSC) has recently published a report on the threat from commercial cyber attack tools proliferation, which sheds light on the risks associated with their commoditization. This blog will explore the top 5 key findings of the report and their implications for businesses, organizations, and individuals. The report highlights the unique challenges of the hardware security domain.

Key finding #1 – “Proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally, new report predicts”

Is it that easy to acquire cyber-attack tools? Well, it is! As many of the attack tools are categorized and sold as PT equipment – one can buy them with no actual restrictions. Their ridiculous cost, sometime down to a couple of Euros (i.e., DigiSpark via AliExpress), makes it a non-issue budget wise. These PT tools are often supported by a large community (i.e., RubberDucky) which provides a continuous stream of updated payloads that can bypass existing cybersecurity products.

Key finding #2 – “GCHQ’s National Cyber Security Centre warns of “unpredictable targeting or unintentional escalation” as demand for hackers-for-hire set to rise.”

Despite the fact that these hardware attack tools are easy to master, a growing list of freelancers (directly or through platforms like Fiverr and Upwork) now offer their unique services for individuals or other entities – you want a Keylogger script that will go undetected? No worries! Ransomware via a charging cable? Hell yes! Do you want it for Ninja or OMG cable? Do you want to grab someone’s WiFi password, just select your tool of choice and wire the money. This ease of operation may lure people into this domain from “classic-legacy” criminal activity into the virtual domain.

Key finding #3 – “It highlights how over the past decade more than 80 countries have purchased cyber intrusion software, with some states almost certainly having irresponsibly used this to target journalists, human rights activists, political dissidents and opponents and foreign government officials.”

There is no accountability if there is no traceability.  In past cyber incidents, a significant effort has been made during the IR or forensic phase to discover who is responsible for a certain attack. Urban legends about specific time zones of files, line codes that presumably revealed the state behind a certain campaign. The commoditization of attack tools provides an additional protection layer for attackers using them. If an attacker uses an attack tool that has been sold in massive amounts in the open markets (I.e., RubberDucky or Raspberry Pi Zero), the payload can be publicly accessed and downloaded – how can one trace it? So if you can not put the specifically blame an adversary – how can you retaliate against him?

Key finding #4 – There’s a need for continuous monitoring and threat intelligence

Attackers (and pen testes) today, are fully aware of the capabilities of existing cybersecurity solutions. As in any battle-of-minds, potential adversaries can go head-to-head and try to evade being detected by those cybersecurity products by identifying their weaknesses or blind spots. The other option, which is gaining popularity is attacking from a completely different surface – through hardware assets. Yes, it does require the introduction of a physical, local element to the victim’s premises, BUT due to the scarcity of good cybersecurity solutions to detect these attacks (usually introduced by internal abusers or hardware supply chain attacks), the success rates are looking very promising. Organization, must always adapt a proactive approach with regards to threat intelligence – understanding that what you are not familiar with will come back to bite you, so it’s up to you, to constantly be on the lookout on the “latest trends” in cybersecurity attacks, engage with peers to gain as much insight, as soon as possible, about newly introduced attack methods.

Key finding #5 – “Over the next five years, the proliferation of cyber tools and services will have a profound impact on the threat landscape, as more state and non-state actors obtain capabilities and intelligence not previously available to them.”

The availability of cyber-attack tools helps state actors, target a larger number of victims, without the risk of losing or revealing significant capabilities – even if one of the tools is captured, the “strategic loss” is very minimal. This allows states to keep their crown jewels capabilities for their top target and use local “classic criminals” to spread the “commodities” cyber attack tools, in larger numbers.

What can one do?

First, a change in the state of mind is needed, understanding that hardware-based attack tools are no longer solely the “playground” for state sponsored activities, tools that were previously available to state sponsored actors can now be purchased, mastered and used by almost everyone – a frustrated ex-employee, a rogue private investigator looking for business intelligence, a suspecting spouse and local crime organizations. Once you understand that you, or your organization could be a potential target (even if you’re not enriching Uranium), then your halfway there.

The second half is making sure that you have the required visibility into those attack tools, emerging threats need an emerging technology. In many cases, cyber attack tools can only be discovered by examining the physical layer which is the only true source of truth –physics doesn’t lie, if an asset has been connected, it’s presence changes the physical layer parameters of that interface. Sepio’s patented technology makes harnesses this new data source to detect and mitigate those “illusive” assets, that go undetected by legacy technologies.

May 9th, 2023