Autosploit is a new tool that has only recently been released to the public by “cyber security enthusiast”, “VectorSEC“. It’s obvious that the release of such a tool be a controversy, after all – even legitimate non-automated tools used by noble pentesters and security researchers get enough slack as is, just due to the nature that these tools can be abused and packaged into other “kits” marketed to those with malicious intent. And on the tweet about its release, it is also obvious that people are already reacting negatively to its release.
I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE.https://t.co/BNw6JvTVH9#OffSec #InfoSec #Programming #Security pic.twitter.com/hvc3vrNCEJ
— VectorSEC (@Real__Vector) January 30, 2018
The reaction has been… well, pretty much as expected. Some considering the use of it for “legitimate” scenarios and others going as far as questioning if its even a tool at this point, or just “malware”.
Two tweets on one end of the argument that stood out to me were from users on the original release tweet –
You've just literally weaponized this. Pick anyone and bring them to the knees? This ain't Whitehat.
— Ankit Satsangi (@n_llh_man) February 1, 2018
Why would you write this? It serves no legitimate security purpose, it is just malware.
— Andrew Cole (@colemination) January 31, 2018
What I don’t see on this side of the argument is why they can’t understand that blackhats have been using technology and tools like this for as long as they have existed, in a not-completely-autonomous state. For example, back in 2008 – 10 years ago, Metasploit debuted Browser AutoPwn. Fundamentally Autosploit is no where, anything new – and frankly I see the discussion about this being the new “skid pandemic” as somewhat bizarre. If anything, the release of Autosploit and potentially the widespread use of it – would just create more secure platforms and devices for all. Unseen funding for system security in companies would potentially be addressed and it may even fast forward overall device security evolution.
The release of Autosploit, in my opinion is a great way – if not the best way in recent times to bring public awareness to something that has been an issue in many companies over the years. The bottom line has always been that companies won’t invest in security resources and attack prevention until their business model is threatened. Autosploit is just another way of bringing the needed attention to these issues within cyber security. Security analysts should always be questioning the possibility of such tools being developed for the masses of “script kiddies” and take the appropriate action needed. It’s not even like this is a zero-day being automated and released to the public, which even if it was – companies should still respond in time and act responsibly since, who knows who else has been exploiting it before its release?
I personally believe that moving forward from Autosploit’s release, we won’t see much destruction happen. The un-needed hysteria from all of this is just temporary. All this does is bring new information to a wider audience, while also helping many companies stop falling into the traps of exploits like this that have been going on for years.