Increased adoption of Cobalt Strike software among malicious users and hackers in the criminal underworld.

Tool for penetration testing gains popularity in high-profile attacks, such as SolarWinds and the recent Nobelium email assaults.

Cobalt Strike, a hacking tool, gaining traction among malicious cyber actors in the criminal community.

Cobalt Strike, a penetration testing tool designed for testing network security vulnerabilities, has unfortunately become a preferred weapon for malicious actors and advanced persistent threat (APT) groups in significant cyber campaigns over the last couple of years.

The tool, launched in 2012, has often been associated with large criminal actors and APT groups like FIN7, APT40, and Leviathan. Cobalt Strike can execute code, giving attackers full control over the infected system, and can evade detection by endpoint detection and response (EDR) products.

The tool can be utilized for various purposes, including reconnaissance, delivering ransomware payloads, and establishing beacons for command and control, according to Daniel Petrillo. It can also be used to harvest user credentials.

Proofpoint's data suggests that Cobalt Strike is currently used more by cybercrime and general commodity malware actors than by APT and espionage threat actors. However, the use of Cobalt Strike by known threat actors has decreased significantly since 2019, according to Proofpoint researchers.

Conti and Ryuk, two notorious ransomware groups, have used Cobalt Strike to move within networks and carry out attacks. Hafnium, an APT group identified by Microsoft, has also used Cobalt Strike to launch attacks. UNC1191 (aka "Cobalt Mirage"), a group identified by Mandiant, has used Cobalt Strike to support their attacks. TA551 (Schadelloader) has used Cobalt Strike to distribute malware and infiltrate networks.

In several notable incidents, the Cobalt Strike Beacon was prominently involved: the SolarWinds supply chain hack, the compromise of SITA (an IT company working with hundreds of international airlines), and the Nobelium attacks disclosed by Microsoft in May.

A campaign involving the Osiris banking trojan targeted multiple German manufacturing companies from mid- to late January. Dozens of manufacturing companies were compromised using the Cobalt Strike framework. The campaign eventually spread to companies in the U.S. and Korea.

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, stated that while offensive security tools are not inherently evil, the proliferation of Cobalt Strike among APT groups and criminal actors is worth reviewing. Proofpoint researchers found a 161% increase in the use of Cobalt Strike between 2019 and 2020.

This article has been updated to correct Sherrod DeGrippo's pronouns.