Cobalt Strike, a tool intended to be used by security researchers, is today a well-known paid toolkit exploited by cybercriminals for post-intrusion exploitation.
Recently, Cisco Talos published a new research paper about the exploitation of the tool, along with new detection signatures to detect its misuse by threat actors.
Recently, Chinese Ministry of State Security (MSS)-affiliated hackers attacked US government agencies and private companies. The hackers used multiple tools to spread laterally through a network. Cobalt Strike was also used in the attacks.
Last month, an APT known as Skeleton launched a series of attacks between 2018 and 2019 with a variety of tools, including Cobalt Strike, to target chip vendors based in Taiwan.
In July, the Evil Corp cybercriminal group used Cobalt Strike to move across the network, when they hacked dozens of U.S. newspaper websites owned by the same organization.
Why do cybercriminals use it?
The flexible tool comes with multiple capabilities such as reconnaissance, attack packages, collaboration, post-exploitation, covert communication, and browser pivoting. It also delivers the capabilities of some other popular tools, for eg. Metasploit and Mimikatz.
How do they access it?
A one-year license of Cobalt Strike costs around $3,500 per user. The renewal cost of the license is about $2,500. However, the cybercriminals often use cracked or trial versions of this tool or even find ways to get access to a commercial copy of the software.
Looking at the wide range of capabilities, there is little doubt about why hackers prefer Cobalt Strike instead of working on a custom toolset. To identify a Cobalt Strike deployment and to stay protected, experts recommend several techniques involving looking up for the open port on 50050/TCP, or checking the default TLS certificate from the vendor.