ActiveBreach

Nighthawk: With Great Power Comes Great Responsibility

Recently, Proofpoint released a blog post entitled “Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice”. In this post, Proofpoint outlined a campaign used by a legitimate red team customer of Nighthawk and go on to describe some of the functionality available in our May ‘22 release, obtained through reverse engineering. It also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future. This subsequently led to various questions over both Twitter and e-mail about what precautions we take when distributing Nighthawk. In this post, we’ll address some of these questions.

Firstly though, we would like to note that Proofpoint did not approach us in advance of release of their post nor ask us to confirm whether or not the activity was indeed legitimate. Instead, they irresponsibly documented Nighthawk’s use of a number of unpublished EDR bypass techniques which will no doubt now come to the attention of bad actors looking to level up their own frameworks.

Having previously been used as the in-house c2 by the MDSec red team, we made the decision to commercialise Nighthawk in 2021; a decision that was not taken lightly. However, in order to justify the continued research and development effort and support an ever growing development team, as well as fund the future roadmap of innovations we had planned, strategies to monetise the c2 needed to be sought.

Having witnessed years of actors abusing other frameworks, we were starkly aware of the risks of developing and distributing commercial intrusion software. As such, we devised a number of procedural and technical controls to minimise our exposure to the software falling in to the wrong hands.

Nighthawk is considered “Military and dual-use goods” by the UK government and as such its use is export controlled. Specifically, Nighthawk falls under the 4D004 category of “intrusion software”:

“**4D Software**
4D004 "Software" specially designed or modified for the generation, command and control, or delivery of "intrusion software".”

As such, an export license is required in order to export the software outside of the UK. Prior to commercialising Nighthawk and following vetting by the Department of International Trade, MDSec was granted several Open General Licenses (OGL and GEA) to facilitate distribution across EU member states, Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and the United States. While it is possible to apply for individual licenses (SIELs) to export to companies in other countries, at the time we made the conscious decision that we would not do so and to date have outright rejected any enquires that deviate from the countries where existing licenses allow us to export to. Indeed, MDSec has rejected many more approaches to purchase the software than we have accepted for this reason.

That of course does not preclude bad actors setting up shell companies and attempting to buy the software or attempting to use resellers in these countries and we are abundantly aware of this as a potential “bypass”. As such, for every Nighthawk enquiry we obtain details about the registered company, end user locations, ultimate beneficial owner and ask for documentation around their intended use cases. With these details we proceed to vet each company to ensure that they are not only legitimate, but that they are indeed likely to use the software for lawful red team operations.

Nighthawk has a minimum three seat license requirement, as such we do not sell to individuals, contractors or small single operator red teams. Despite being publicly lambasted for this decision over social media in the past, we considered this part of our responsible distribution policy and has made our job of vetting purchase enquiries much easier as, for the most part, the price point and seat requirements put the product in the realm of consideration for only serious and established red teams; coincidentally those who we are most interested in doing business with.

Many of the enquiries we receive about Nighthawk request a trial of the product prior to purchasing. As seen with Cobalt Strike and other products in the past, self hosted trial licenses are one of the most likely ways a product will be exposed. As such, MDSec do not offer self hosted trials of Nighthawk. Instead, on the rare occasions that the vetted prospective customers insist on a hands-on evaluation of the product in advance of purchase, we offer them access to an isolated MDSec hosted lab environment containing the product where a number of technical controls have been put in place to limit both accidental and intentional exposure of the product. Prior to access to this environment, MDSec request that the prospective customer sign a mutual non-disclosure agreement and agree to several conditions that prohibit the product or its artifacts been extracted from the lab or reverse engineered within it.

For the majority of prospects, MDSec provide an online two hour virtual demonstration of the product to potential customers which provides us with the opportunity to (virtually) meet them, further reducing the likelihood of bad actors anonymous purchasing the product.

Once the vetting process is complete and the purchase is agreed, access to the product and its updates is distributed via user accounts on a multi-factor authentication protected portal. We explicitly do not provide downloads through API key or simple online forms where the download cannot be attributed to an individual. While we acknowledge that this approach does create additional inconvenience for the customer, our belief is that it does provide additional confidence that the downloader is who we expect and that an API key hasn’t been accidentally leaked or shared.

These are some of the many soft and procedural controls that we put in place to control distribution and sale of the software. However, these are not the only controls to consider and a number of technical controls are also in place. While we do not intend to delve too deeply in to how these are implemented to maintain their integrity, what we will say is that every build of Nighthawk is unique and not only the generated artifacts but various other components of the framework can be attributed back to the end user through the implementation of a variety of watermarks. In addition to the watermarks, operational usage of the c2 of course requires a license file which is issued in accordance with the validity of the license period. While we have not seen any abuse of the software, we reserve the right to revoke any licenses that are misused.

While we fully understand any licensing system can be cracked (we’re hackers after all!), we firmly believe that the layered mixture of soft and technical controls that have been implemented stand us in good stead to responsibly distribute the product to responsible customers.

MDSec takes purported misuse of its products extremely seriously and should any defensive vendors wish to confirm the legitimacy of any activity, we encourage them to reach out to us using support@nighthawkc2.io where we’ll be more than happy to provide assistance without attribution.

written by

MDSec Research

Ready to engage
with MDSec?

Copyright 2024 MDSec