

(Updated at the request of a third party)

Key Findings

- Malicious use of Cobalt Strike in threat actor campaigns is increasing.
- Threat actor use of Cobalt Strike increased 161 percent from 2019 to 2020 and remains a high-volume threat in 2021.
- Cobalt Strike is currently used by more cybercrime and general commodity malware operators than APT and espionage threat actors.

Cobalt Strike is a legitimate security tool used by penetration testers to emulate threat actor activity in a network. However, it is also increasingly used by malicious actors: Proofpoint saw a 161 percent increase in threat actor use of the tool from 2019 to 2020. This aligns with observations from other security firms as more threat actors adopt hacking tools in their operations. In 2021, Cobalt Strike is appearing in Proofpoint threat data more frequently than ever.

Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool deployed once access has been achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020. Our corpus of threat actor data includes criminal and state-associated threat actor groups. When mapped to the MITRE ATT&CK framework, Proofpoint's visibility into the attack chain focuses on Initial Access, Execution, and Persistence mechanisms. That is: how are threat actors attempting to compromise hosts, and what payloads are they deploying first?

In December 2020, the world learned about an expansive and effective espionage campaign that successfully backdoored the popular network monitoring software SolarWinds. Investigators revealed that the tools used by the threat actors included Cobalt Strike Beacon. The campaign was attributed to threat actors working for Russia's Foreign Intelligence Service, a group with Cobalt Strike in its toolbox since at least 2018. This high-profile activity was part of a clever attack chain that enabled advanced threat actors to surreptitiously compromise a relatively small number of victims. The tool they used, customized to fit their needs, is almost a decade old but increasingly popular.

Cobalt Strike debuted in 2012 in response to perceived gaps in an existing red team tool, the Metasploit Framework. In 2015, Cobalt Strike 3.0 launched as a standalone adversary emulation platform. By 2016, Proofpoint researchers began observing threat actors using Cobalt Strike.

Historically, Cobalt Strike use in malicious operations was largely associated with well-resourced threat actors, including large cybercrime operators such as TA3546 (also known as FIN7) and advanced persistent threat (APT) groups such as TA423 (also known as Leviathan or APT40). Proofpoint researchers have attributed two-thirds of identified Cobalt Strike campaigns from 2016 through 2018 to well-resourced cybercrime organizations or APT groups. That ratio decreased dramatically in the following years: between 2019 and the present, just 15 percent of Cobalt Strike campaigns were attributable to known threat actors.

Figure 1: Number of email messages associated with a Cobalt Strike payload observed over time. Note: 2021 figures include data through May 2021.

Threat actors can obtain Cobalt Strike in a variety of ways: purchasing it directly from the vendor's website, which requires verification; buying a version on the dark web via various hacking forums; or using cracked, illegitimate versions of the software. In March 2020, a cracked version of Cobalt Strike 4.0 was released and made available to threat actors.

Cobalt Strike's Appeal

Cobalt Strike is used by a diverse array of threat actors. While it is not unusual for cybercriminal and APT actors to leverage similar tooling in their campaigns, Cobalt Strike is unique in that its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources. The job of simulating actor attacks and penetrating defenses might become a bit more straightforward when both sides are using the same tool.

Cobalt Strike is also session-based: if threat actors can access a host and complete an operation without needing to establish ongoing persistence, no artifacts remain on the host once Beacon is no longer running in memory. In essence, they can hit it and forget it.
