Nighthawk is an advanced C2 framework similar to Cobalt Strike and Brute Ratel; it can be used by both black hats and red teams and is commercially licensed.
Proofpoint's post said it had identified initial delivery of Nighthawk in September and then investigated the potential of the framework. It pointed out that it did not take very long for such tools to spread to the black hat community after they were released, writing:
"Between 2019 and 2020, Proofpoint observed a 161% increase in threat actor use of Cobalt Strike. This increase was quickly followed by the adoption of Sliver – an open-source, cross-platform adversary simulation and red team platform.
Researcher Alexander Rausch and other members of Proofpoint's Threat Research team wrote: "Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal.
"This possibility, along with limited publicly available technical reporting on Nighthawk, spurred Proofpoint researchers into a technical exploration of the tool and a determination that sharing our findings would be in the best interest of the cyber security community.
"While this report touches on the activity observed in Proofpoint data, the primary focus is Nighthawk’s packer and subsequent payload capabilities."
The MDSec reaction, headlined "Nighthawk: With Great Power Comes Great Responsibility", was not attributed to any individual or group at the company.
It said the Proofpoint post "outlined a campaign used by a legitimate red team customer of Nighthawk and goes on to describe some of the functionality available in our May ‘22 release, obtained through reverse engineering".
"It also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future. This subsequently led to various questions over both Twitter and email about what precautions we take when distributing Nighthawk."
MDSec was obviously annoyed that Proofpoint had published its post without first speaking to MDSec.
"...we would like to note that Proofpoint did not approach us in advance of release of their post nor ask us to confirm whether or not the activity was indeed legitimate," the MDSec post said.
"Instead, they irresponsibly documented Nighthawk’s use of a number of unpublished EDR bypass techniques which will no doubt now come to the attention of bad actors looking to level up their own frameworks.
"Having previously been used as the in-house c2 by the MDSec red team, we made the decision to commercialise Nighthawk in 2021; a decision that was not taken lightly.
"However, in order to justify the continued research and development effort and support an ever growing development team, as well as fund the future roadmap of innovations we had planned, strategies to monetise the c2 needed to be sought."
MDSec said it had allowed distribution of Nighthawk to EU member states, Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and the US under licence, adding that it had rejected more requests for the framework than it had accepted.