A recent report has disclosed how Cobalt Strike is being exploited by attackers in several campaigns to deploy malware. Cobalt Strike is a legitimate commercial penetration testing tool released in 2012. However, this tool is very popular among cybercriminals and used widely for malicious activities.
Continued exploitation
According to a recent report by Intel 471, the Cobalt Strike penetration testing kit, along with the Metasploit framework, was being abused to host over 25% of malicious C2 servers deployed in 2020.
- The source code for version 4.0 was allegedly leaked in 2020, and since then became a go-to tool for APT groups such as Carbanak and Cozy Bear.
- According to Fox-IT, thousands of instances of Cobalt Strike abuse have been observed, however, most of them are using the legacy, cracked, or pirated copies of this tool.
- The existing exploitation of Cobalt Strike is linked to ransomware deployment, surveillance, and data exfiltration campaigns. It allows users to create flexible C2 architectures and makes it hard to trace C2 owners.
- It is a very popular and common second-stage payload for various malicious campaigns (such as TA511 and RustyBuer, and more) and malware families (such as Trickbot, IcedID, and QakBot).
Recent abuse of Cobalt Strike
- The Hancitor downloader fueled Cuba ransomware operations and deployed Cobalt Strike Beacon on the hosts located in Active Directory environments in post-exploitation activities.
- Last month, unpatched Fortinet VPN devices were hacked to deploy Cring ransomware inside corporate networks. During that campaign, the attackers were found to be using the Cobalt Strike framework.
Conclusion
Cobalt Strike is a powerful tool, often used by security testers to thwart cybercrime. However, it has now become a very common tool among cybercriminals. And looking at the growing trend of adoption of this tool by several attackers and malware groups, exploitation of this tool is believed to continue. Therefore, security professionals need to prepare some strategies to protect organizations from this threat.
Source: https://cyware.com/news/attackers-actively-striking-with-cobalt-strike-26bca1a1