Cobalt Strike has now become one of the most abused tools in the world of cybercrime. While it is a legit and commercially available tool designed for penetration testing, a recent analysis revealed a 161 percent increase in cyberattacks utilizing this tool year over year.
It all started when cybersecurity specialists realized that the best defense is sometimes a good offense. As the notion of “deny all” has grown more difficult to enforce on a large scale. More companies have begun to seek tools and techniques designed to enter information systems to identify security gaps.
To detect network weaknesses, Cobalt Strike sends out beacons. It simulates an attack when utilized as intended. However, threat actors have discovered ways to use it against networks to exfiltrate data, deliver malware. And construct bogus command-and-control (C2) profiles that appear legitimate and avoid detection.
According to Proofpoint, the use of Cobalt Strike by cybercriminals has skyrocketed. The security tool has appeared in 161 percent more hacks year over year, having gone fully mainstream in the crimeware world.
Of course, the goal is to simulate the most malicious threat actors and their methodologies to test your security posture and rehearse response procedures. Unfortunately, like other aspects of security, technologies, and expertise intended to assist security teams can also be exploited maliciously by cybercriminals.
For nearly two decades, the open-source Metasploit hacking platform has sparked a combination of excitement and worry. Among security teams requiring the tools to test their networks and concerned that cybercriminals use it against them to attack.
Although Metasploit is still popular among both good and bad hackers, another red-team tool, Cobalt Strike, is increasingly used in attacks. After breaching the network with customized, copied, or even purchased versions of Cobalt Strike attackers, weaponizing the program to carry payloads.
Cobalt Strike Beacon was one of many malware tools used in the massive SolarWinds supply-chain attacks. In January, researchers exposed Raindrop, a component of SolarWinds-related malware used in targeted operations following the effort’s initial mass Sunburst penetration.
Raindrop, a backdoor loader that drops Cobalt Strike to undertake lateral movement across victims’ networks, was discovered as one of the tools used for follow-on attacks by researchers.
Though some may disagree, offensive security research and offensive simulation tools such as Cobalt Strike are, in my opinion, a net gain for the security community. A tool like Cobalt Strike is merely simulating tactics, already being used by the hackers in the wild. To test against these technologies, security teams must have access to them.
According to Proofpoint data, Cobalt Strike has already attacked tens of thousands of companies worldwide. According to recent trends, attackers will continue to use this technology in the coming years. Furthermore, rather than being utilized by espionage threat actors and APTs, this technique is increasingly employed by commodity malware operators, making it a concerning danger.
Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.
Want a consultation with the professionals at Rogue Logics, contact us and get a free quote.