June 11, 2023

Source code allegedly belonging to commercial penetration testing software Cobalt Strike has been published on GitHub, potentially providing a new path for hackers to attack companies.

Cobalt Strike, which pitches itself as a legitimate pen testing solution, has been controversial for years thanks to its use by hacking groups, though they had to pay $3,500 per year for a license to use the software or use a pirated copy. The alleged code could potentially allow more hackers to use the software for nefarious purposes or develop new versions of the product.

The code appears to be the Java code from the software that has been manually decompiled and then edited to fix any dependencies and remove the license check so it could be compiled.

The code is said to have appeared on GitHub 12 days ago and has already been forked 172 times. The timing may be relevant, since a major attack involving Cobalt Strike and targeting Microsoft Teams was reported Nov. 10. Another attack that took advantage of unpatched Oracle WebLogic servers and involved Cobalt Strike was reported Nov. 5.

While the allegations that the Cobalt Strike source code was posted to GitHub are unconfirmed, the code certainly appears to be at least derivative of Cobalt Strike’s product. The actual risk lies in attackers being able to make the tool more powerful and in any newly discovered vulnerabilities. Patch as quickly as possible if exploits are discovered.
