By: Lotem Finkelsteen, Head of Threat Intelligence at Check Point Research (CPR)
A good thing in the wrong hands can cause enormous damage. And that’s true in the cyber world, where Cobalt Strike framework has become something of a bogeyman. The tool was originally created by ethical hackers to help organisations test the security of computer systems, assess security levels and analyse the response to potential attacks. But the dark side never gives up, so when evil hackers saw the enormous potential of Cobalt Strike, they decided to exploit the tool for cybercrime.
Cobalt Strike is especially popular thanks to its versatility and an agent called “Beacon” that allows you to gain unauthorised access, increase privilege levels, run codes remotely and steal data or to help with cloaking and further spreading and lateral move. In addition, the tool can be easily modified to adjust its capabilities. A cracked pirated version is available on underground forums, and the source code for version 4.0 was leaked in late 2020. Cobalt Strike (CS) reserves the right to decide to whom they sell their framework. They avoid selling the product to cyber security vendors, as it is against their business interest. They also try to refrain from selling the product to Black Hat hackers, as they understand the danger.
So cracked version is something everyone needs. Defenders and offenders.
Cybercriminals use a variety of techniques and attacks. Sometimes they want to be seen, they want to cause demonstrative damage, for example in Distributed Denial of Service (DDoS) attacks on websites. Sometimes they want to distract attention from other attacks or just to test their skills, show their strength and make headlines.
But sometimes, on the other hand, they try to sneak through systems undetected, to arouse no suspicion, so the threat remains undetected for the maximum possible time. This is where Cobalt Strike comes in, part of the financial and espionage campaigns of the biggest hacker groups of recent years, such as Cozy Bear, Carbanak and Hancitor.
Even one of the most destructive botnets, Trickbot, has been using Cobalt Strike since 2019 for reconnaissance and further proliferation. In 2020, Trickbot even used Cobalt Strike to spread Anchor malware and the infamous Ryuk ransomware, which has been used, for example, in a wave of cyberattacks on hospitals, medical facilities, and other organisations around the world. Cobalt Strike is also a popular component of attacks by other threats such as Bazaar, Qbot and DoppelPaymer ransomware. In short, Cobalt Strike is a valuable tool for a wide variety of attacks.
We looked at hacker groups and threats that use Cobalt Strike’s capabilities and features in one way or another, but what exactly does that mean and what are the specific cases and attacks uncovered by security teams?
For example, hackers, presumably from the Chinese state-sponsored group TAG-22, used Cobalt Strike in the early stages of an espionage attack on telecommunications companies in Taiwan, Nepal, and the Philippines. Cobalt Strike was also used in combination with the BIOPASS malicious code, which can spy on victims, trigger commands and gain remote access to devices, to attack Chinese online gambling companies. And recently, a massive ransomware attack targeted over 200 companies using Kaseya’s systems. Kaseya now warns that hackers are trying to mimic the company in phishing campaigns and spread Cobalt Strike using malicious attachments or links under the guise of a “security update”.
The full list of malicious activities would be very long, but Cobalt Strike has recently gained the most notoriety in one of the world’s largest attacks, the attack on the SolarWinds supply chain. Nine US government agencies and over a hundred private organisations were attacked, causing chaos and panic. And how could it possibly be that hackers managed to escape the attention of security teams at such elite technology, consulting companies as Microsoft and Cisco and government agencies such as the US Department of Homeland Security? How is it that the attack went undetected for months and that hackers were able to get from a local network to the cloud and gain long-term access to sensitive data?
The Sunburst malware was most likely spread via an infected Orion update in February 2020. But the researchers found that previously undetected Sunspot malware was already being spread via a test platform update in October 2019. One of the tools that enabled this long-term espionage was Cobalt Strike. Two sophisticated loaders, Raindrop and Teardrop, were used to spread it in the SolarWinds supply chain.
So, you can see, Cobalt Strike is very popular among hackers and is used for a variety of tasks. A number of modifications are available, so attackers can conveniently choose malicious content according to their needs. It is its popularity and wide range of customisation options that make detection and investigation difficult, as individual attacks are similar, making it difficult to attribute campaigns to specific hacker groups.
Cybercrime never sleeps. When it sees an opportunity, it immediately seizes it. And it may not just be bona fide tools like Cobalt Strike, but also AI technologies and engines. That’s why it’s imperative to use a preventative security solution that proactively eliminates all threats before they can even penetrate a device or network.