Thursday, 24 November 2022 09:20

Sec firm MDSec slams Proofpoint for post on pen-testing framework


European security firm MDSec has taken exception to the release of a blog post by another security outfit, Proofpoint, about its penetration testing framework Nighthawk, accusing the latter of making "unsubstantiated and speculative projections" about the framework.

Nighthawk is a commercially licensed command-and-control (C2) framework in the same class as Cobalt Strike and Brute Ratel; like those tools it is built for red teams, but it is equally usable by criminal actors if they obtain a copy.

Proofpoint's post said it had identified initial delivery of Nighthawk in September 2022 and then examined the framework's capabilities. It pointed out that such tools have not taken long to spread to the black hat community after their release, writing:

"Between 2019 and 2020, Proofpoint observed a 161% increase in threat actor use of Cobalt Strike. This increase was quickly followed by the adoption of Sliver – an open-source, cross-platform adversary simulation and red team platform.

"Sliver was first released in 2019 and by December 2020 had been incorporated into threat actors’ tactics, techniques, and procedures – a timeline which could possibly occur with Nighthawk in the future."

Researcher Alexander Rausch and other members of Proofpoint's Threat Research team wrote: "Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal.

"This possibility, along with limited publicly available technical reporting on Nighthawk, spurred Proofpoint researchers into a technical exploration of the tool and a determination that sharing our findings would be in the best interest of the cyber security community.

"While this report touches on the activity observed in Proofpoint data, the primary focus is Nighthawk’s packer and subsequent payload capabilities."

The MDSec reaction, headlined "Nighthawk: With Great Power Comes Great Responsibility", was not attributed to any individual or group at the company.

It said the Proofpoint post "outlined a campaign used by a legitimate red team customer of Nighthawk and goes on to describe some of the functionality available in our May ‘22 release, obtained through reverse engineering".

"It also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future. This subsequently led to various questions over both Twitter and email about what precautions we take when distributing Nighthawk."

MDSec was clearly annoyed that Proofpoint had published its post without first speaking to the company.

"...we would like to note that Proofpoint did not approach us in advance of release of their post nor ask us to confirm whether or not the activity was indeed legitimate," the MDSec post said.

"Instead, they irresponsibly documented Nighthawk’s use of a number of unpublished EDR bypass techniques which will no doubt now come to the attention of bad actors looking to level up their own frameworks.

"Having previously been used as the in-house c2 by the MDSec red team, we made the decision to commercialise Nighthawk in 2021; a decision that was not taken lightly.

"However, in order to justify the continued research and development effort and support an ever growing development team, as well as fund the future roadmap of innovations we had planned, strategies to monetise the c2 needed to be sought."

MDSec said it had allowed distribution of Nighthawk to EU member states, Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and the US under licence, adding that it had rejected more requests for the framework than it had accepted.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
