The legitimate security tool Cobalt Strike has shown up 161% more, year-over-year, in cyber-attacks, having “gone fully mainstream in the crime-ware world.”
The use of Cobalt Strike – the legitimate, commercially available tool used by network penetration testers – by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now “gone fully mainstream in the crimeware world.”
The researchers have tracked a year-over-year increase of 161% in the number of real-world attacks where Cobalt Strike has shown up.
They’ve witnessed the tool being used to target tens of thousands of organisations, wielded more often by cybercriminals & general-commodity malware operators than by Advanced Persistent Threat (APT) players, the researchers observed in a report published on Tuesday.
That 161% increase happened between 2019 & 2020, but the crooks have not lost their taste for Cobalt Strike in 2021: It is still a “high-volume threat,” researchers commented.
Cobalt Strike sends out beacons to detect network vulnerabilities. When used as intended, it simulates an attack. But threat players have worked out how to turn it against networks to exfiltrate data, deliver malware & create fake command-&-control (C2) profiles that look legit & slip past detection.
Proofpoint isn’t the only security outfit that’s spotted rampant growth in the subversion of Cobalt Strike into an attack tool: a trend that has accelerated since the tool’s source code leaked from GitHub in Nov. 2020. Two months after that leak, in Jan. 2021, researchers at Recorded Future documented a spike in the use of cracked or trial versions of Cobalt Strike, largely by notable APT groups including APT41, Mustang Panda, Ocean Lotus & FIN7.
When it comes to how threat players are attempting to compromise hosts, Cobalt Strike is increasingly being used as an initial access payload, as opposed to being a second-stage tool that is used after attackers have gained access, Proofpoint researchers found.
In fact, “the bulk” of Cobalt Strike campaigns in 2020 were pulled off by criminal threat players, they stated.
According to the report, when mapped to the MITRE ATT&CK framework, Proofpoint has seen Cobalt Strike appear in attack chains during Initial Access, Execution & Persistence. “Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat players as an initial access payload, not just a second-stage tool threat players use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020,” the researchers wrote.
Role in SolarWinds
Cobalt Strike Beacon was one of the many tools in the huge malware toolkit used in the SolarWinds supply-chain attacks. In Jan., researchers found a piece of SolarWinds-related malware, dubbed Raindrop, used in targeted attacks after the effort’s initial mass Sunburst compromise.
Researchers identified Raindrop – a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks – as one of the tools used for follow-on attacks.
Poisoned Software Update
The SolarWinds espionage attack, which affected several U.S. government agencies, tech companies such as Microsoft & FireEye, and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organisations in Spring 2020.
After that broad attack, the threat players (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were discovered in Dec. 2020.
The U.S. government has pinned the attacks as “likely” coming from Russia’s Foreign Intelligence Service: a body that’s had Cobalt Strike in its toolbox “since at least 2018,” states Proofpoint.
Retrofitted by Threat Players
The tool has been around for nearly 10 years, having been released in 2012 as an answer to perceived shortcomings in the popular Metasploit penetration-testing and hacking framework. Just like Metasploit before it, Cobalt Strike quickly got picked up & retrofitted by threat players: By 2016, Proofpoint researchers were watching Cobalt Strike being used in cyberattacks.
Historically, those threat players were sophisticated APT groups, such as TA423 (aka Leviathan, APT40 or Gadolinium). A majority of Cobalt Strike campaigns between 2016 & 2018 were attributed to that type of well-resourced cybercrime gang or APT group.
That ratio declined in subsequent years, when just 15% of Cobalt Strike campaigns were attributed to known threat players.
In year-over-year data, researchers have seen more campaigns associated with Cobalt Strike between Jan. & June 2021 than Jan. to June 2020.
Get Their Hands on Cobalt Strike
Cybercrooks can pick up Cobalt Strike in a number of ways, according to the report: They can simply buy it off the vendor’s website, which requires verification. New Cobalt Strike licenses cost $3,500 per user for a one-year license, according to Cobalt Strike’s website.
Alternatively, they can buy a version on the dark web on hacking forums; or they can get their hands on cracked, illegitimate versions of the software. In March 2020, one such cracked version of Cobalt Strike 4.0 was made available to threat players. A one-year license for the cracked version was reportedly selling for around $45,000.
The tool appeals to a diverse group of threat players, the researchers explained, given that it is cheap & easy to use. It can be quickly deployed & operationalised “regardless of actor sophistication or access to human or financial resources,” they commented.
Another benefit to criminals is that Cobalt Strike is session-based. It lets you get in, do your mischief, & get out without leaving any footprints: “If threat players can access a host & complete an operation without needing to establish ongoing persistence, there will not be remaining artifacts on the host after it is no longer running in-memory,” the researchers described. “In essence, they can hit it & forget it.”
Bespoke Suit of Malware
Cobalt Strike is also customisable: It is like the bespoke suit of the malware world, letting users add or remove features to suit their objectives or to evade detection. APT29, for one, “frequently uses custom Cobalt Strike Beacon loaders to blend in with legitimate traffic or evade analysis,” the researchers explained.
The tool is also great at obfuscation, given that both defenders & attackers are using the same tool. “If an organisation has a red team actively making use of it, it is possible malicious traffic could be mistaken for legitimate,” the researchers suggested.
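The two detection problems raised above, that Beacon check-ins dressed up by a malleable C2 profile look like ordinary web traffic, and that a red team’s own Cobalt Strike traffic can be mistaken for (or hide) the real thing, can both be tackled by looking at request timing rather than request contents. The following is an added example, not code from the Proofpoint report or from Cobalt Strike’s vendor: it groups proxy log entries by (client, destination), measures how regular the gaps between requests are, and marks regular patterns going to a destination the red team has registered with the SOC separately from everything else. The log format, hosts, IP addresses and the red-team allowlist are all constructed for the example, and the thresholds are illustrative.

```python
"""Beaconing heuristic over constructed proxy logs (added example; not from the
Proofpoint report or this article).  Cobalt Strike Beacon checks in with its
team server on a configured sleep interval plus a jitter percentage, and a
malleable C2 profile can make each request look like ordinary web traffic, so
this looks at request *timing* per (client, destination) pair instead of at
request contents.  Log format, hosts and the red-team allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <destination_host> <path>"
SAMPLE_LOG = """\
2021-06-29T10:00:00 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:00:00 10.1.1.7 www.example.org /
2021-06-29T10:00:00 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:00:05 10.1.1.7 www.example.org /news
2021-06-29T10:00:06 10.1.1.7 www.example.org /news/style.css
2021-06-29T10:00:30 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:01:00 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:01:02 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:01:30 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:01:58 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:02:00 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:02:30 10.1.1.9 redteam-c2.example.internal /updates
2021-06-29T10:02:40 10.1.1.7 www.example.org /about
2021-06-29T10:03:01 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:03:10 10.1.1.5 login.example.com /
2021-06-29T10:03:12 10.1.1.5 login.example.com /auth
2021-06-29T10:04:00 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:05:03 10.1.1.5 cdn-assets.example.net /jquery-3.3.1.min.js
2021-06-29T10:09:15 10.1.1.7 www.example.org /contact
2021-06-29T10:09:16 10.1.1.7 www.example.org /contact/form.js
"""

# Constructed: C2 hosts the internal red team has registered with the SOC.
RED_TEAM_C2 = {"redteam-c2.example.internal"}


def parse_log(text):
    """Group request timestamps by (client, destination)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _path = line.split(maxsplit=3)
        groups[(client, dest)].append(datetime.fromisoformat(ts))
    return groups


def find_beacons(text, allowlist=frozenset(), min_requests=5, max_cv=0.2):
    """Return (client, dest) pairs whose check-in intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a fixed sleep plus small jitter gives a low cv, while
    human browsing produces bursts and long pauses and therefore a high cv.
    """
    findings = []
    for (client, dest), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # identical timestamps: a burst, not a sleep pattern
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        findings.append({
            "client": client,
            "dest": dest,
            "requests": len(times),
            "mean_interval_s": round(avg, 1),
            "cv": round(cv, 3),
            # Regular traffic to a registered red-team server is expected; the
            # same pattern to anything else needs an analyst's eyes.
            "status": "authorized-red-team" if dest in allowlist else "investigate",
        })
    return sorted(findings, key=lambda f: (f["client"], f["dest"]))


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG, RED_TEAM_C2):
        print(finding)
```

On the constructed log, the client talking to `cdn-assets.example.net` roughly once a minute is reported as `investigate`, the client hitting the registered red-team server every 30 seconds is reported as `authorized-red-team`, and the irregular browsing to `www.example.org` is not reported at all. Keeping the red-team allowlist as an explicit, reviewed list is the point of the second status: it stops the red team’s exercise from training analysts to dismiss exactly the traffic pattern they should be chasing.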
Regarding ease of use, it saves sophisticated threat players the time & effort to develop their own kit, the researchers continued: “Why spend development cycles on something new when you already have a great tool for the job?”
The report lists just a small sampling of the types of threat players who have been tracked using Cobalt Strike, including:
- TA800: A large crimeware group that Proofpoint has tracked since mid-2019, this actor tries to deliver & install banking malware or malware loaders such as The Trick & BazaLoader.
- TA547: Around since 2017, this group is also primarily interested in spreading banking trojans, including The Trick & ZLoader.
- TA415: An APT actor aka Barium & APT41 that is believed to be associated with the People’s Republic of China. Proofpoint has tracked this actor delivering Cobalt Strike as a first-stage payload during mid-2020, in addition to its involvement in many other campaigns, including campaigns against airlines in a supply-chain attack involving the IT provider SITA.
Cobalt Strike campaigns are as varied as their operators, using various lures, threat types, droppers, payloads, attack paths & use cases.
While the use of the tool as an initial payload has increased, it is still popular as a second-stage payload as well. It’s been used with malware such as The Trick, BazaLoader, Ursnif, IcedID, & many more popular loaders, Proofpoint researchers wrote, where the first-stage malware typically loads & executes Cobalt Strike.
When it is delivered directly, operators use a similarly varied set of techniques, including weaponised Office docs, compressed executables, PowerShell, dynamic data exchange (DDE), HTA/HTML files, & traffic distribution systems.
Once Cobalt Strike is up & running & a Beacon has been established for C2 communications, threat players have been observed enumerating network connections & dumping Active Directory credentials as they try to move laterally to a network resource such as a Domain Controller, “allowing for deployment of ransomware to all networked systems,” the researchers commented.
Besides network discovery & credential dumping, Cobalt Strike Beacon can also escalate privileges, load & execute additional tools, & inject these functions into existing running host processes as it tries to evade detection.
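The three post-exploitation behaviours just described (credential dumping from Active Directory, network discovery, and injection into existing host processes) each leave host-side telemetry that is independent of how the Beacon traffic was disguised. The example below is added here and is not code from the Proofpoint report or from Cobalt Strike’s vendor: it runs three simple rules over a handful of constructed endpoint events that borrow Sysmon’s field names (Event ID 10 ProcessAccess, Event ID 8 CreateRemoteThread, Event ID 1 ProcessCreate). The event records, the allowlists of legitimate processes, the discovery-tool list and the thresholds are all assumptions for the example and would need tuning per environment.

```python
"""Host-side detection for the post-exploitation behaviours described above
(added example; not from the Proofpoint report or this article).  The records
are constructed and borrow a few Sysmon field names (EventID 10 ProcessAccess,
EventID 8 CreateRemoteThread, EventID 1 ProcessCreate); the rules, allowlists
and thresholds are this example's own and need tuning per environment.
"""
from collections import defaultdict
from datetime import datetime

# Windows process access right that lets a caller read another process's memory;
# reading lsass.exe memory is how credentials get dumped.
PROCESS_VM_READ = 0x0010

# Constructed allowlists: processes that legitimately open LSASS or create
# threads in other processes on a typical Windows host.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsm.exe"}
REMOTE_THREAD_OK = {"csrss.exe", "wininit.exe", "services.exe"}

# Built-in tools commonly seen during network / AD discovery.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "netstat.exe",
                   "whoami.exe", "ipconfig.exe", "nbtstat.exe"}
DISCOVERY_WINDOW_S = 300   # distinct tools from one parent within 5 minutes
DISCOVERY_MIN_TOOLS = 3

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # simplified UtcTime format for the sample

# Constructed sample events: one rundll32.exe parent doing all three things,
# plus benign look-alikes that the allowlists and access mask should exclude.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-06-29 10:05:00", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2021-06-29 10:05:01", "EventID": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2021-06-29 10:05:02", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"UtcTime": "2021-06-29 10:05:30", "EventID": 8,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\dllhost.exe"},
    {"UtcTime": "2021-06-29 10:05:31", "EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2021-06-29 10:06:00", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view /domain"},
    {"UtcTime": "2021-06-29 10:06:20", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:"},
    {"UtcTime": "2021-06-29 10:06:45", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano"},
    {"UtcTime": "2021-06-29 10:30:00", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the three rules and return a list of alert dicts."""
    alerts = []
    discovery = defaultdict(list)   # parent image -> [(time, tool)]
    for ev in events:
        when = datetime.strptime(ev["UtcTime"], TIME_FMT)
        if ev["EventID"] == 10:   # ProcessAccess: who is reading LSASS memory?
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            if tgt == "lsass.exe" and access & PROCESS_VM_READ and src not in LSASS_READERS_OK:
                alerts.append({"rule": "credential_access_lsass", "time": ev["UtcTime"],
                               "detail": f"{src} opened lsass.exe with {ev['GrantedAccess']}"})
        elif ev["EventID"] == 8:  # CreateRemoteThread: cross-process thread creation
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if src != tgt and src not in REMOTE_THREAD_OK:
                alerts.append({"rule": "process_injection", "time": ev["UtcTime"],
                               "detail": f"{src} created a thread in {tgt}"})
        elif ev["EventID"] == 1:  # ProcessCreate: collect discovery tools per parent
            tool = basename(ev["Image"])
            if tool in DISCOVERY_TOOLS:
                discovery[basename(ev["ParentImage"])].append((when, tool))
    for parent, runs in discovery.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):   # sliding window over the run list
            tools = {tool for t, tool in runs[i:]
                     if (t - start).total_seconds() <= DISCOVERY_WINDOW_S}
            if len(tools) >= DISCOVERY_MIN_TOOLS:
                alerts.append({"rule": "discovery_burst", "time": start.strftime(TIME_FMT),
                               "detail": f"{parent} ran {sorted(tools)} within {DISCOVERY_WINDOW_S}s"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the rules fire exactly three times, all on the same `rundll32.exe` parent: the LSASS open with a read right, the thread it created in `dllhost.exe`, and the three distinct discovery tools it launched inside five minutes. Defender’s own LSASS access, `csrss.exe`’s remote thread, Task Manager’s query-only handle and a single `ipconfig` from Explorer are left alone. The access-mask check and the allowlists carry most of the false-positive load, which is why they are the parts to review first when porting this to real Sysmon data.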
More of the Same
Proofpoint’s data shows that tens of thousands of organisations have already been targeted with Cobalt Strike, & there is apparently nothing that is going to slow down that growing number in 2021.
Not Cobalt Strike’s Fault
Other red-team tools are appearing more often in Proofpoint data as well, the report continued, including Mythic, Meterpreter, & the Veil Framework.
Sherrod DeGrippo, Proofpoint Senior Director of Threat Research & Detection, noted that offensive security tools such as these & Cobalt Strike are not “inherently evil,” but it’s still worth examining “how illegitimate use of the frameworks has proliferated among APT actors & cybercriminals alike.”
She observed that the use of publicly available tooling “aligns with a broader trend observed by Proofpoint: Threat players are using as many legitimate tools as possible, including executing Windows processes like PowerShell & WMI [Windows Management Instrumentation]; injecting malicious code into legitimate binaries; & frequently using allowable services like Dropbox, Google Drive, SendGrid, & Constant Contact to host & distribute malware.
“This is a discussion that has been raging in the information security industry for years. Threat players across the crimeware & APT spectrum are now armed fully with legitimate security tools & teams are battling the most prepared threat actors,” she detailed.
“Our data shows that Cobalt Strike is currently used by more cybercrime & general commodity malware operators than APT & espionage threat actors,” she observed in conclusion.
“This means it has gone fully mainstream in the crimeware world. Financially motivated threat players are now armed similarly to those financed & backed by various governments.”