Security researchers at Proofpoint are calling attention to the discovery of a commercial red-teaming tool called Nighthawk, warning that the command-and-control framework is likely to be abused by threat actors.
According to a new report from Proofpoint, Nighthawk is an advanced C2 framework sold by MDSec, a European outfit that sells adversary simulation and penetration testing tools and services.
“Nighthawk is at its core a commercially distributed remote access trojan (RAT) that is similar to other frameworks such as Brute Ratel and Cobalt Strike. Like those, Nighthawk could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal,” Proofpoint said.
The discovery of Nighthawk comes just days after Google published open-source YARA rules and other IOCs to help defenders detect cracked versions of Cobalt Strike that regularly appear in malware toolkits.
In the report, Proofpoint’s security team said it noticed initial use of the Nighthawk framework in September 2022 and attributed it to a legitimate red team operation.
The company said it had not seen any indication that leaked versions of Nighthawk are being used by attributed threat actors, but recommended that security response teams start looking for signs of Nighthawk in the wild.
“Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets,” the company said.
The report documents the continued abuse of red team and penetration testing platforms by malicious actors. In the last two years, Proofpoint said it observed a 161% increase in malicious abuse of Cobalt Strike and quickfire adoption of Bishop Fox’s Sliver, an open-source, cross-platform adversary simulation and red team platform.
Proofpoint pointed to the Sliver release and abuse timeline to underscore the point. “Sliver was first released in 2019 and by December 2020 had been incorporated into threat actors’ tactics, techniques, and procedures — a timeline which could possibly occur with Nighthawk in the future,” Proofpoint noted.
“By late 2021, Proofpoint had identified an initial access facilitator for ransomware threat actors using Sliver. And, as recently as summer 2022, other security researchers have noted a range of threat actors of varying skills, resources, and motivations integrating it as well as Brute Ratel, another red teaming and adversarial attack simulation tool, into their campaigns,” the company added.
MDSec, the British company that markets Nighthawk, issued a statement to detail a “layered mix of soft and technical controls” it uses to mitigate the risk of malicious hacker abuse.
“MDSec does not offer self hosted trials of Nighthawk. Instead, on the rare occasions that the vetted prospective customers insist on a hands-on evaluation of the product in advance of purchase, we offer them access to an isolated MDSec hosted lab environment containing the product where a number of technical controls have been put in place to limit both accidental and intentional exposure of the product,” the company said.
Before being granted access to this environment, MDSec said, prospective customers must sign a mutual non-disclosure agreement and agree to several conditions that prohibit the product or its artifacts from being extracted from the lab or reverse engineered within it.
“Once the vetting process is complete and the purchase is agreed, access to the product and its updates is distributed via user accounts on a multi-factor authentication protected portal. We explicitly do not provide downloads through API key or simple online forms where the download cannot be attributed to an individual.”
“While we acknowledge that this approach does create additional inconvenience for the customer, our belief is that it does provide additional confidence that the downloader is who we expect and that an API key hasn’t been accidentally leaked or shared,” MDSec added.
Despite these assurances, Proofpoint said it would be “incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes.”
“Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well. Historic adoption of [legitimate hacking] tools by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments,” Proofpoint said.
The company called on detection vendors to ensure proper coverage of Nighthawk as cracked versions of effective and flexible post-exploitation frameworks are likely to appear in threat actor toolkits.