Cobalt Strike: Attackers are misusing pentesting tool
by Tina Siering
How does Cobalt Strike work - and how does the pentesting tool get into the hands of criminals?
Cobalt Strike is a modular post-exploitation framework that was already published in 2012 as a tool for simulating cyber attacks. Cobalt Strike uses so-called hidden channels to simulate the actions of hackers within a corporate network. The beacons used by Cobalt Strike are stable, flexible and, above all, unobtrusive: they can be mapped in the memory of a processor without negatively affecting the file system. With its post-exploitation suite, the tool supports numerous methods that are at the top of the cybercriminals' popularity scale - including the theft of credentials, keylogging, port scanning or the execution of commands. Cobalt Strike can also disguise itself excellently by modifying beacons and thus imitating legitimate data traffic.
To prevent the tool from falling into the wrong hands, the developer Strategic Cyber LLC strictly controls the granting of licences. Nevertheless, hackers repeatedly succeed in gaining access to Cobalt Strike and misusing it for criminal purposes. Numerous threat actors, especially APT groups and professionally positioned cybercrime organisations, rely on Cobalt Strike. Mainly as a booster for penetrating compromised networks with ransomware, the tool is immensely popular. As early as 2020, the IT security firm Cisco Talos Intelligence Group reported that a large proportion of ransomware attacks are carried out with Cobalt Strike - the standard Trojans otherwise used appear to be less efficient.
Google Cloud announced at the end of 2022 that a total of 275 specific JAR files of hacked Cobalt Strike versions are in circulation - older software versions from 2012 onwards, but also version 4.7. For classification: the current Cobalt Strike version number is 4.7.2. It can be concluded from this that despite the manufacturer's efforts to prevent misuse, just about every version is hacked and used as a robust tool for cyber attacks. IT security managers are therefore well advised to focus their defence measures on Cobalt Strike.
What actions should be taken?
The functions contained in Cobalt Strike represent a real treasure chest for cybercriminals. The hacked versions of the tool in circulation are correspondingly popular. The developer Strategic Cyber LLC is aware of the potential danger. Applications from interested parties for Cobalt Strike are therefore thoroughly checked and potential hackers are thus at least kept away from the latest versions. Criminals therefore rely on outdated, but no less dangerous, cracked versions - which are available on the Darknet, among other places.
The outdated version numbers are included in detection rules created by Google. According to Google, it analysed versions of Cobalt Strike from 2012 and examined around 340 binaries. With this data, the so-called Yara rules were created. The Yara rules are an open source framework that provides detection patterns that security tools can use to identify artifacts of attacks.
Our IT security consultants are trained to recognise standard Cobalt Strike attacks as part of their weekly IoC examinations.
If, despite existing security measures, hackers have succeeded in activating malware in a network using Cobalt Strike or similar tools, it is important to react to the attack as quickly as possible and prevent it from spreading further at an early stage. Effective help is provided here by a managed detection and response solution (MDR). MDR solutions such as the Active Cyber Defense (ACD) service from Allgeier secion proactively and continuously examine corporate networks for anomalies by an external SOC team. The permanent detection ensures that successful cyber attacks can be recognised and can be averted at an early stage.
Important to know: Cobalt Strike can be used for attacks on all endpoints of a network. For a reliable defence strategy, it is therefore indispensable to monitor all systems within a network. In addition to desktops and laptops, endpoints also include mobile phones, tablets, network infrastructure, printers, IoT devices or servers. The Active Cyber Defense Service generally includes all endpoints in the monitoring. There is no need to install agents on clients, because ACD checks at network level whether systems are communicating with command & control servers, for example - and are thus compromised.
Conclusion
Cobalt Strike is a framework for cyber attack simulations that was released back in 2012. Cobalt Strike offers a variety of tools for post-exploitation attacks, such as stealing credentials, keylogging, port scanning or command execution. Even though the manufacturer strives to keep Cobalt Strike away from cybercriminals, numerous cracked versions exist that are used for cyberattacks. We therefore recommend integrating measures for continuous managed detection and response as an additional IT security layer and thus monitoring the network traffic - effectively and around the clock.