Cobalt Strike has now become one of the most misused tools in the cybercrime world. While it is a legitimate and commercially available tool originally created for penetration testing, a recent report showed a 161% year-over-year increase in cyberattacks using this tool.
What's new?
- Researchers noted that a large number of cybercriminals and general-commodity malware operators have targeted tens of thousands of organizations since its leak.
- The 161% rise in the use of Cobalt Strike between 2019 and 2020 implies a high-volume threat for the cyberworld.
- Cybercrooks use this tool against networks to exfiltrate data, deliver malware, create fake C2 profiles that look legitimate, and avoid security defenses.
Cobalt-strike’s Connection with SolarWinds attack
Cobalt Strike Beacon was one of the tools that were used in the SolarWinds supply-chain attacks. In January, researchers uncovered a piece of SolarWinds-related malware named Raindrop which leveraging the Cobalt Strike tool.
- Raindrop backdoor loader was using the Cobalt Strike in order to perform lateral movement across victims’ networks, as one of the tools used for follow-on attacks.
- The U.S. government pinned the supply-chain attacks to Russia’s Foreign Intelligence Service (FSB), an agency that has been using the Cobalt Strike tool in its toolbox since at least 2018.
Conclusion
As evidenced by Proofpoint’s data, tens of thousands of organizations around the world have already been targeted with Cobalt Strike. The recent trend suggests that attackers will continue to leverage this tool in the coming years. Furthermore, this tool is now used by commodity malware operators rather than espionage threat actors and APTs, which makes it a worrisome threat.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/ab55_shutterstock_640345744.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock-501362758.jpg)
