The use of Cobalt Strike – a legitimate tool used by network penetration testers – by cyber criminals has surged, according to researchers, who say that the tool has now gone “fully mainstream in the crime world.”
The researchers have tracked a year-on-year increase of 161% in the number of real-world attacks where Cobalt Strike has appeared. They’ve witnessed the tool being used to target tens of thousands of organisations, wielded by more cyber criminals and general-commodity malware operators.
Cobalt Strike sends out beacons to detect network vulnerabilities. When used as intended, it simulates an attack, but the cyber criminals have figured out how to turn it against networks to exfiltrate data, deliver malware and create fake command-and-control (C2) profiles that look legitimate and evade detection filters.
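The article notes that Beacon calls home on a schedule and that operators tune its C2 profile to blend in. One defensive heuristic that does not depend on the profile's content is to look at timing: connections from one host to one destination that recur at almost constant intervals, with low jitter relative to the mean interval, stand out against ordinary browsing. The following is an added example, not code from the article or from Cobalt Strike; the log format, hosts, timestamps and the thresholds in `find_beacons` are all constructed assumptions for illustration.

```python
"""Beacon-interval analysis over constructed proxy log lines (added example).

Groups outbound connections per (source, destination) pair and flags pairs
whose inter-arrival times are nearly constant. The log format, addresses,
timings and thresholds below are constructed for illustration only.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <src> -> <dst> <bytes>"
SAMPLE_LOG = """\
2021-06-29T10:00:00 10.0.0.5 -> 203.0.113.10 512
2021-06-29T10:00:07 10.0.0.5 -> 198.51.100.20 2048
2021-06-29T10:01:01 10.0.0.5 -> 203.0.113.10 520
2021-06-29T10:02:00 10.0.0.5 -> 203.0.113.10 515
2021-06-29T10:02:44 10.0.0.5 -> 198.51.100.20 8700
2021-06-29T10:03:01 10.0.0.5 -> 203.0.113.10 512
2021-06-29T10:04:00 10.0.0.5 -> 203.0.113.10 518
2021-06-29T10:05:00 10.0.0.5 -> 203.0.113.10 513
2021-06-29T10:05:21 10.0.0.5 -> 198.51.100.20 4000
2021-06-29T10:09:47 10.0.0.5 -> 198.51.100.20 120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        ts, src, dst, _size = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Mean and coefficient of variation (stdev / mean) of inter-arrival seconds.

    Returns None when there are too few gaps to measure jitter.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.stdev(gaps) / mean


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs with enough connections and low relative jitter.

    min_connections and max_cv are illustrative assumptions; real tuning
    depends on the environment and on how much jitter the operator configured.
    """
    suspects = {}
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            suspects[key] = {
                "count": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return suspects


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

In the constructed sample the connections to 203.0.113.10 recur roughly every 60 seconds and are flagged, while the irregular traffic to 198.51.100.20 is not. Operators can widen Beacon's sleep jitter to defeat exactly this heuristic, so in practice timing analysis is one signal to combine with others rather than a standalone detector.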
When it comes to how threat actors are attempting to compromise hosts, Cobalt Strike is increasingly being used as an initial access payload, as opposed to being a second-stage tool that’s used after attackers have gained access, researchers found. In fact, “the bulk” of Cobalt Strike campaigns in 2020 were pulled off by cyber criminals. Cobalt Strike Beacon was even one of the many tools used as part of the vast malware arsenal in the sprawling SolarWinds supply-chain attacks. In January, researchers unmasked a piece of SolarWinds-related malware, dubbed Raindrop, used in targeted attacks after the effort’s initial mass Sunburst compromise. Researchers identified Raindrop – a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks – as one of the tools used for follow-on attacks.
The tool has been around since 2012, while researchers have noted its use in cyber attacks since 2016. The majority of Cobalt Strike campaigns that hit between 2016 and 2018 were the work of well-resourced cybercrime gangs or APT groups. But that ratio dropped over the following years, when just 15% of Cobalt Strike campaigns were attributed to known threat actors.
However, cyber criminals can buy a version of Cobalt Strike on the Dark Web/hacking forums – or they can get their hands on cracked, illegitimate versions of the software. In March 2020, one such cracked version of Cobalt Strike 4.0 was made available to threat actors. A one-year license for the cracked version was reportedly selling for around £30,000.
The Cobalt Strike campaigns are as diverse as the operators who run them, employing a variety of lures, threat types, droppers, payloads, attack paths and use cases. While use of the tool as an initial payload has spiked, it remains popular as a second-stage payload. It has been used alongside malware such as The Trick, BazaLoader, Ursnif, IcedID and many other popular loaders, researchers wrote, where the first malware that sneaks in the door typically loads and executes Cobalt Strike.
Besides network discovery and credential dumping, Cobalt Strike Beacon can also escalate privileges, load and execute additional tools, and inject these functions into existing running host processes as it tries to evade detection.
Neuways advises users to beware of any communications from Cobalt Strike, or from services such as Dropbox or Google Drive, that they are not aware of or expecting. As cyber criminals alter their tactics, businesses should expect to be sent further types of cyber attack as criminals try to dupe victims into giving them access to their corporate networks.