We need to talk about criminal hackers using Cobalt Strike, says Cisco Talos

Penetration testing tool Cobalt Strike is increasingly being used by black hats in real, non-simulated attacks, with traces showing up in everything from ransomware infections to state-backed APT campaigns, says Cisco Talos.

The paid-for tool, created by Raphael Mudge and sold to HelpSystems in March, began its existence as a legitimate item, billed as “software for adversary simulations and red team operations.” It sells for $3,500 per seat, at list price.

“Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network,” the marketing copy boasts. Oddly enough, those qualities make it attractive to criminals too – and now Cisco Talos wants to draw more attention to that.

Claiming that the tool “accounted for 66 per cent of all ransomware attacks Cisco Talos Incident Response responded to this quarter,” the threat intel firm reckons that criminal hackers and pentesters’ red teams alike are making heavy use of Cobalt Strike, particularly its listeners and the Beacon payloads that call back to them from compromised hosts.

A listener is a configuration on the attacker’s command ‘n’ control (C2) team server that defines the protocol, host and port (HTTP, HTTPS or DNS for calling out of the network, SMB or TCP for chaining through already-infected peers) that the Beacon implant on an infected host uses to phone home, fetch further stages and receive commands from malicious persons bent on pwning the network.

“Cobalt Strike’s strength comes from the many answers it offers to difficult questions an attacker might have. Deploy listeners and beacons? No problem. Need to create some shellcode? Easy. Create staged/stageless executables? Done. Given Cobalt Strike’s versatility, it’s no wonder… Talos is noticing a trend for attackers to lean more upon Cobalt Strike and less upon commodity malware,” said Cisco Talos senior research engineer Nick Mavis in a post.

In a detailed whitepaper (accessible via the blog post above) Cisco Talos said it had analysed the Cobalt Strike attack framework and devised about 50 attack signatures for use with intrusion detection tool Snort and open-source antivirus engine ClamAV.
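Talos's Snort and ClamAV rules are in its whitepaper, not here. As an added illustration of the kind of cheap first-pass hunt a defender can run against web-proxy or web-server access logs, the constructed script below (not Talos's code, and not one of its signatures) looks for Beacon stager downloads. By default, Cobalt Strike and Metasploit serve the second stage from a short random URI chosen so that its 8-bit checksum (the ASCII sum of the path, mod 256) is 92 for x86 or 93 for x64. The length and alphanumeric limits are assumptions for this example, the log lines are constructed, and the caveats matter: roughly one in 256 random short paths matches each value, so hits need follow-up, and a custom malleable C2 profile changes the URIs entirely.

```python
"""Constructed example (not the Talos signatures): first-pass hunt for default
Cobalt Strike / Metasploit stager downloads in combined-format access logs."""

import re
from typing import List, Optional, Tuple

# Default stagers fetch the second stage from a short random URI whose 8-bit
# checksum (ASCII sum of the path without the leading slash, mod 256) is one of:
CHECKSUM_X86 = 92
CHECKSUM_X64 = 93
# Assumption for this example: default stager paths are short and alphanumeric.
# A malleable C2 profile can change that, so tune or drop these limits as needed.
MAX_STAGER_PATH_LEN = 8

# Request field of an Apache/nginx combined log line, e.g. "GET /aaa9 HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def checksum8(path: str) -> int:
    """Sum of the ASCII bytes of the path (no leading slash), mod 256."""
    return sum(path.encode("ascii", errors="ignore")) % 256


def classify_uri(uri: str) -> Optional[str]:
    """Return 'x86' or 'x64' if the URI has a default-stager checksum, else None."""
    path = uri.lstrip("/").split("?", 1)[0]  # ignore any query string
    if not path or len(path) > MAX_STAGER_PATH_LEN or not path.isalnum():
        return None
    c = checksum8(path)
    if c == CHECKSUM_X86:
        return "x86"
    if c == CHECKSUM_X64:
        return "x64"
    return None


def scan_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, arch) for GET requests that look like stager fetches."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":  # stage download is a GET
            continue
        arch = classify_uri(m.group("uri"))
        if arch:
            hits.append((line.split()[0], m.group("uri"), arch))
    return hits


# Constructed sample log lines: only 10.0.0.7's two short URIs have stager checksums.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Oct/2020:10:01:09 +0000] "GET /aaa9 HTTP/1.1" 200 210944 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '10.0.0.7 - - [27/Oct/2020:10:01:15 +0000] "GET /aab9 HTTP/1.1" 200 262144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [27/Oct/2020:10:02:00 +0000] "GET /api/v1/users?id=7 HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '10.0.0.9 - - [27/Oct/2020:10:02:30 +0000] "POST /cfo7 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, arch in scan_log(SAMPLE_LOG):
        print(f"{ip} fetched {uri}: checksum8 matches the default {arch} stager URI")
```

A hit says only that the path looks like a default stager URI; corroborate it with the response size (a Beacon stage is a couple of hundred kilobytes), the destination, and whatever the proxy logged about the TLS certificate before raising an incident.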

Cobalt Strike’s malicious uses have rather passed under the radar in the last few years, though in 2018 Talos spotted it being used by a person or persons based in China’s Jiangxi province as part of a cryptojacking scam.

Before that, a joint investigation into malicious persons targeting Germany’s Bundestag and Turkish diplomats uncovered Cobalt Strike in use by a crew called CopyKittens, tentatively attributing the group’s geographic base to Iran. ®
