We need to talk about criminal hackers using Cobalt Strike, says Cisco Talos
Pentesting tool showing up in the hands of baddies, warns threat intel biz
Penetration testing tool Cobalt Strike is increasingly being used by black hats in non-simulated attacks as traces show up in scenarios from ransomware infections to state-backed APT threats, says Cisco Talos.
The paid-for tool, created by Raphael Mudge and sold to HelpSystems in March, began its existence as a legitimate item, billed as "software for adversary simulations and red team operations." It sells for $3,500 per seat, at list price.
"Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network," the marketing copy boasts. Oddly enough, those qualities make it attractive to criminals too – and now Cisco Talos wants to draw more attention to that.
Claiming that the tool "accounted for 66 per cent of all ransomware attacks Cisco Talos Incident Response responded to this quarter," the threat intel firm reckons that both criminal hackers and pentesting security analysts' red teams alike are making great use of Cobalt Strike, especially for its ability to deploy listeners on targeted networks.
Listeners are used to determine how infected hosts communicate with command 'n' control servers to retrieve malware payloads and further commands from malicious persons bent on pwning the network.
"Cobalt Strike's strength comes from the many answers it offers to difficult questions an attacker might have. Deploy listeners and beacons? No problem. Need to create some shellcode? Easy. Create staged/stageless executables? Done. Given Cobalt Strike's versatility, it's no wonder... Talos is noticing a trend for attackers to lean more upon Cobalt Strike and less upon commodity malware," said Cisco Talos senior research engineer Nick Mavis in a post.
In a detailed whitepaper (accessible via the blog post above) Cisco Talos said it had analysed the Cobalt Strike attack framework and devised about 50 attack signatures for use with intrusion detection tool Snort and open-source antivirus engine ClamAV.
Cobalt Strike's malicious uses have rather passed under the radar in the last few years, though in 2018 Talos spotted it being used by a person or persons based in China's Jiangxi province as part of a cryptojacking scam.
Before that, a joint investigation into malicious persons targeting Germany's Bundestag and Turkish diplomats uncovered Cobalt Strike in use by a crew called CopyKittens, tentatively attributing the group’s geographic base to Iran. ®