Anti-virus companies have identified a new trend: Criminals are increasingly using open source software instead of developing or purchasing their own malware. Kaspersky Lab recently revealed several cyber espionage campaigns, which operate according to this model. Such free tools that were originally designed for security testing contain many tools that criminal hackers can also use for their own purposes. Even more conveniently for hackers, these tools are also developed and maintained by the open source community for free. Currently, the Browser Exploitation Framework (BeEf) is attracting a great deal of interest. BeEf was developed by Wade Alcorn using Ruby on Rails. Unlike other hacker tools such as Metasploit, BeEF attacks the client side. This is particularly treacherous because it bypasses all perimeter security measures. At the same time more and more users with different browsers and even mobile devices can access resources in the network. Companies should monitor client vulnerabilities closely and close them immediately if possible.
High risk after exploit
BeEf equips security engineers with a vast range of functions. The software attacks the browser on the client side and uses it to perform further attacks on resources in the internal network. The tool can determine quickly and conveniently whether the browser has vulnerabilities that allow cross-site scripting (XSS) attacks and other code injection attacks. BeEf is already installed by default on many popular hacking distributions including Kali Linux. On the technical side, BeEf works by hooking onto the browser. This is done through the file hook.js which is run by the browser. In practice, hackers usually hijack a website which the target visits (known as a watering hole attack). Once the browser displays the exploited site and executes the malicious code, hook.js is transferred to the browser and further attacks can be launched. The only chance of protection is if the browser and the operating system platform are secured appropriately. However, this type of attack is frequently successful and the hooked browser can now execute commands from the BeEF toolkit. These include numerous requests for information: a list of visited domains and URLs, for example, manufacturer and product names of installed VPN clients, all Google contacts and all cookies stored by the browser. And it does not stop there. The exploit tool can give the attacker access to the webcam, take screenshots and run a network inventory in the background. In a revealing graphic, BeEf shows all switches, servers, routers and other workstations with their IP addresses and other information. Once BeEF gains control, the consequences are massive.
Hacker interest is an indicator of effectiveness
Hackers will use any tool that works and they can get their hands on. That there are so many infected websites and malicious campaigns using BeEF at the moment suggests that the tool currently contains the best and easiest-to-use technology for client-side attacks. Companies and IT service providers should take note: Those who test their own or their customer’s own IT infrastructure can be pretty sure that they have the biggest current threats to their browsers covered. Many videos on YouTube and guides for example, from the BlackHat 2012 conference, describe the process very clearly. The sooner companies take notice of the information offered by BeEF , the better.