A recent report has disclosed how Cobalt Strike is being exploited by attackers in several campaigns to deploy malware. Cobalt Strike is a legitimate commercial penetration testing tool released decade ago. This tool is very popular among cybercriminals and used widely for malicious activities.
Continued exploitation
Cobalt Strike penetration testing kit, along with the Metasploit framework, was being abused to host over 25% of malicious C2 servers deployed in 2020.
- The source code for version 4.0 was allegedly leaks in 2020, and since then became a go-to tool for APT groups such as Carbanak and Cozy Bear.
- Thousands of instances of Cobalt Strike abuse have been observed, however, most of them are using the legacy, cracked, or pirated copies of this tool.
- The exploitation is linked to ransomware deployment, surveillance, and data exfiltration campaigns. It allows users to create flexible C2 architectures and makes it hard to trace C2 owners.
- It is a popular second-stage payload for various malicious campaigns like TA511, Rusty Bear , Trickbot, Qakbot,IceId
Cobalt Strike Recent Storm
- The Hanictor download fueled Cuba ransomware operations and deployed Cobalt Strike Beacon on the hosts located in Active Directory environments in post-exploitation activities.
- Fortinet VPN devices were hacked to deploy Cring ransomware inside corporate networks. During that campaign, the attackers were found to be using the Cobalt Strike framework.
Final thoughts
Cobalt Strike is a powerful tool, often used by security testers to thwart cybercrime. Its now become a very common tool among cybercriminals. And looking at the growing trend of adoption of this tool by several attackers and malware groups, exploitation of this tool is believed to continue. Therefore, security professionals need to prepare some strategies to protect organizations from this threat.
