Cybercriminals and nation-states have a long history of using our IT and security tools against us.
They've used a security tool called Cobalt Strike against organizations for years, but never at the current rate.
Cybersecurity firm Proofpoint just published a report on the increase in the use of Cobalt Strike.
Researchers found that threat actor use of the security tool increased by 161% from 2019 to 2020 and remains a high-volume threat in 2021. The graph below displays this increase over time:
Here is how Proofpoint summarizes the popular security tool, as well as other trends it has observed:
"Cobalt Strike is a useful tool, for legitimate security researchers and threat actors alike. Its malleability coupled with its usability makes it a robust and effective tool for siphoning data, moving laterally, and loading additional malware payloads.
Cobalt Strike is not the only red team tool appearing more often in Proofpoint data. Others include Mythic, Meterpreter, and the Veil Framework.
The use of publicly available tooling aligns with a broader trend observed by Proofpoint: Threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting malicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive, SendGrid, and Constant Contact to host and distribute malware. "
Cobalt Strike background
Cobalt Strike was first released in 2012 to address perceived gaps in an existing Red Team tool, the Metasploit Framework.
By 2016, Proofpoint observed Cobalt being used by threat actors.
In December 2020, the Cobalt Strike Beacon was discovered to be one of the tools Russian-based threat actors used in the SolarWinds hack. That hack, which potentially compromised thousands of organizations in the public and private sectors, had a high level of sophistication.
Proofpoint describes the appeal of Cobalt and why it can be such an effective tool for threat actors:
"Cobalt Strike is unique in that its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources. The job of simulating actor attacks and penetrating defenses might become a bit more straightforward when both sides are using the same tool.
Cobalt Strike is also session-based—that is, if threat actors can access a host and complete an operation without needing to establish ongoing persistence, there will not be remaining artifacts on the host after it is no longer running in-memory. In essence: they can hit it and forget it.
Threat actors can also use the malleability of Cobalt Strike to create customized builds that add or remove features to achieve objectives or evade detection. For example, APT29 frequently uses custom Cobalt Strike Beacon loaders to blend in with legitimate traffic or evade analysis."
Not only is it a powerful tool to use for attacking networks, it is challenging to defend against:
"For defenders, customized Cobalt Strike modules often require unique signatures, so threat detection engineers may be required to play catch-up to Cobalt Strike use in the wild. Cobalt Strike is also appealing to threat actors for its inherent obfuscation. Attribution gets more difficult if everyone is using the same tool.
If an organization has a red team actively making use of it, it is possible malicious traffic could be mistaken as legitimate. The software's ease of use can improve the capabilities of less sophisticated actors. For sophisticated actors, why spend development cycles on something new when you already have a great tool for the job?"
A tool that is now popular with both sides of today's cyber fight.
[Read the Proofpoint report here: Cobalt Strike: Favorite Tool from APT to Crimeware]
