Attackers continue to employ commercial penetration testing tools as well as "living off the land" tactics - using legitimate tools or functionality already present in a network - to exploit victims.

Attackers continue to use the legitimate Cobalt Strike tool set to target victims.

Accordingly, organizations must monitor for both, to better identify potential intrusions.

The trouble with detecting and blocking such attacks, which are launched by both criminal and nation-state hackers, is that they're designed to look legitimate.

"Most modern security software should have process and file-access control that can be configured for tools like PowerShell, but a lot of organizations might not be aware of this."

Neither type of threat is new, but both continue to bedevil organizations.

Take living off the land: In March, Microsoft warned that attackers were wielding Azure "LoLBins," aka "living off the land binaries" with an extra helping of hacker lulz - which refers to weaponizing preinstalled, legitimate binaries built to run on Windows or Linux.

government alert warned attackers were using living-off-the-land tactics to exploit a vulnerability in Zoho's single sign-on and password management tool.

Red-Team Tools

Beyond using already installed tools or functionality to target organizations, attackers will sometimes use commercially available hacking tools for - you guessed it - criminal hacking purposes.

One increasingly used tool is Cobalt Strike, which is marketed by its makers as "software for adversary simulations and red team operations." But attackers regularly use cracked copies of the tool to build botnets.

For organizations that do not use Cobalt Strike, experts say the security message is simple: monitoring for the software inside a network can reveal an attack in progress.

Such software gets wielded in standalone attacks, and sometimes also at scale.

Earlier this month, security researchers warned that Emotet malware was pushing Cobalt Strike implants - referred to in Cobalt Strike-speak as beacons - directly onto infected endpoints, so attackers could more quickly evaluate the endpoint and see if they wished to escalate the attack, for example, by pushing ransomware onto the endpoint.

Other attackers regularly use Cobalt Strike for "lateral movement," meaning the endpoint becomes the beachhead in a lengthier attack, during which they'll typically attempt to escalate privileges, access the Active Directory domain controller, and use that to steal sensitive data, infect systems with crypto-locking malware and more.

"Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage," says the digital forensics and incident response threat intelligence group DFIR Report.

"Some of the most common droppers we see are IcedID (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot," DFIR Report says in its Cobalt Strike Defender's Guide, published in August. "Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. Threat actors turn to Cobalt Strike for its ease of use and extensibility."

Client/Server Approach

Cobalt Strike employs a client/server approach, using the aforementioned beacon - a payload that gets installed on a target system - which communicates with a command-and-control server via DNS, HTTP or HTTPS, according to a teardown published by European cybersecurity firm Sekoia.

Beacons get controlled remotely by an administrator, using a Cobalt Strike client - aka the Aggressor - which connects to command-and-control Team servers that run on Linux.

By connecting to the Team server that manages a particular endpoint via its beacon, an administrator can remotely configure the beacon as well as receive "all information from the infected hosts," Sekoia says.

"Cobalt Strike is unique in that its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," security firm Proofpoint said in a report released earlier this year.

(But then again, the same can be said about a number of other penetration testing or red-team tools, both legitimate and otherwise.)
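The article's advice that monitoring for the software inside a network can reveal an attack in progress, together with the client/server description of a beacon checking in with its command-and-control server over HTTP or HTTPS, can be turned into a simple detection. The following is an added example written for this page; it is not code from the article, from Sekoia, DFIR Report or Proofpoint, and not part of Cobalt Strike. It scans constructed web-proxy log lines (the log format, the host names and the thresholds are all assumptions) and flags client/destination pairs whose connections recur at near-constant intervals, the check-in rhythm that a beacon with a fixed sleep and modest jitter produces and that normal browsing does not.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <method> <destination host> <path>".
# 10.0.0.5 checks in with c2.example roughly once a minute (assumed beacon);
# 10.0.0.7 browses news.example at irregular, human-looking intervals.
SAMPLE_LOG = """\
2021-12-10T10:00:00Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:00:10Z 10.0.0.7 GET news.example /
2021-12-10T10:00:12Z 10.0.0.7 GET news.example /style.css
2021-12-10T10:01:03Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:02:01Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:02:58Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:03:40Z 10.0.0.7 GET news.example /world
2021-12-10T10:03:41Z 10.0.0.7 GET news.example /img/logo.png
2021-12-10T10:04:05Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:05:00Z 10.0.0.5 POST c2.example /submit
2021-12-10T10:05:59Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:07:02Z 10.0.0.5 GET c2.example /activity
2021-12-10T10:12:05Z 10.0.0.7 GET news.example /sport
2021-12-10T10:30:00Z 10.0.0.7 GET news.example /
2021-12-10T10:30:09Z 10.0.0.7 GET news.example /weather
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<path>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, client, destination, path) tuples.

    Malformed lines are skipped rather than aborting the scan, since real
    proxy logs routinely contain truncated or oddly formatted records.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], m["path"]))
    return events


def find_beacons(events, min_hits=6, max_cv=0.25):
    """Return {(client, destination): stats} for pairs that look like beaconing.

    For each client/destination pair the inter-arrival gaps are computed and
    their coefficient of variation (standard deviation / mean) is taken as a
    regularity score. A beacon sleeping a fixed time plus a little jitter
    yields a low score; interactive browsing yields a high one. min_hits
    avoids judging a pair on too few connections; max_cv sets how much
    jitter is tolerated (both thresholds are assumed values for this example).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, path in events:
        by_pair[(src, dst)].append((ts, path))

    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        times = [ts for ts, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {
                "hits": len(hits),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "paths": sorted({path for _, path in hits}),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} {stats}")
```

Run on the constructed sample, only the 10.0.0.5 to c2.example pair is reported (about a 60-second interval with a regularity score near 0.06), while the browsing host is not. In practice the same measure is applied per client/destination pair over a full day of proxy, DNS or NetFlow records, and a hit is a lead to triage (check the process that owns the connection, the destination's reputation and age, and whether the paths match a known profile), not a verdict on its own; legitimate software updaters and health checks also beacon, so an allowlist of known periodic destinations keeps the alert volume manageable.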