Search This Blog

Showing posts with label Cobalt Strike. Show all posts

Linux Implementation of Cobalt Strike Beacon Employed by Hackers in Attacks Worldwide

 

Security experts have detected an unauthorized version of the Cobalt Strike Beacon Linux created by malicious attackers that are actively utilized to attack organizations worldwide. Cobalt Strike is a legal penetration testing tool built for the red-team attacking infrastructure (security organizations that function as attackers to detect the security and flaws in the infrastructure of their org). 

Cobalt Strike is often utilized for post-exploitation duties by malicious attackers (often dropped in ransomware campaigns) following the planting of so-called beacons that give permanent remote access to affected machines. Employing beacons, attackers may access compromised servers for the collection of data or distribute additional payloads of malware afterward. 

Over time, the cybercriminals acquired split copies of the Cobalt Strike and circulated this as one of the most prevalent instruments of cybersecurity threats culminating in theft and extortion of information. Cobalt Strike, however, has always had a problem - it enables only Windows devices and therefore does not contain Linux beacons. 

Further, as per a new analysis by the security company Intezer, scientists describe exactly how the threat actors have chosen to construct their cobalt strike-compatible Linux beacons. Malicious actors may now maintain and execute remote control over both Windows and Linux devices by utilizing these beacons. 

The undiscovered variant — dubbed "Vermilion Strike" — of the penetration testing program is one of the uncommon Linux ports, typically a Windows-based red team instrument which is heavily used by opponents to launch a range of specific attacks. As a threat simulation software, Cobalt Strike claims to be Beacon's payload designed to simulate a sophisticated actor and to double their post-exploitation behaviors. 

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report. 

Once installed, the malware starts the operation in the background, decoding the required configuration for the beacon to operate effectively just before the fingerprint identification of the Linux-compromised device and communicating to a remote server via DNS or HTTP to recover base64 encoded and AES-encrypted commands, to write files and upload them back to the webserver. 

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.

TrickBot Employs Bogus 1Password Installer to Launch Cobalt Strike

 

The Institute AV-TEST records around 450,000 new critical programmings (malware) every day with several potentially unwanted applications (PUA). These are thoroughly examined by their team under characteristic parameters and classified accordingly. 

Malware is a networking-generated file or code that infects, scans, exploits, or practically performs any activity that an attacker desires. 

One such prevalent malware is Trickbot which was first seen in 2016. Trickbot has established itself in cyberspace as a modular and multipurpose malware. The Trickbot operators initially focused on bank credential theft operations and then expanded their skills to attack several industries. With further advancements Trickbot came to light for its participation in ransomware attacks, using Ryuk and Conti malware. 

Recently, it has been found that Trickbot employs a technique for installing a bogus "1Password password manager" to corrupt and collect data on the victim's PC. The first way to accomplish this is with a password-protected Microsoft Word or Excel archive file with macros, that will compromise the targeted device if activated. For criminals to accumulate information about several network computers, a bogus 1Password file installer with the title "Setup1.exe" is also commonly used to launch the Cobalt Strike. 

1Password is an AgileBits Inc. developed password manager. It offers users a place in the digital void that is secured with the master password of the PBKDF2, to hold several passwords, Software licenses, and additional confidential material. 

In the regard, the DFIR Report states, “The Trickbot payload injected itself into the system process wermgr.exe — the Windows process responsible for error reporting. The threat actor then utilized built-in Windows utilities such as net.exe, ipconfig.exe, and nltest.exe for performing internal reconnaissance. Within two minutes of the discovery activity, WDigest authentication was enabled (disabled by default in Windows 10) in the registry on the infected host. This enforces credential information to be saved in clear text in memory. Shortly after applying this registry modification, the LSASS process was dumped to disk using the Sysinternals tool ProcDump.” 

This same bogus installer also eliminates a file that enables the execution of the Cobalt Strike (CS) shellcode and hence receives CS beacons. As the program allows unauthorized connection to victim systems, PowerShell commands are being used to gather data about victim PCs, such as their “anti-virus state”. 

Cobalt Strike is a commercial penetration test framework that helps an agent called 'Beacon' to be deployed by an attacker on the victim's network. Beacon has a wide range of functions including command execution, keylogging, data transfer, SOCKS proxy, privilege scale, port scanning, and lateral movement. 

Meanwhile, as the researchers highlighted, the acquired material was not exfiltrated and the group's motifs remain uncertain. If more advancements are noted in the near future, they will continue to update everyone on it, said the researchers. 

Consequently, researchers in cybersecurity must look for approaches to make sure that their customer facilities are secure from these techniques, as the gang can restart an attack on other networks anytime.

Detecting Cobalt Strike: Cybercrime Attacks

 

One of the latest researches revealed that cybercriminals who employ malware often use the Cobalt Strike tool to release multiple payloads after checking a compromised network. Cobalt Strike is paid penetration testing software that provides access to cyber attackers to execute an agent named 'Beacon' into the system of targeted personality. 

Cobalt Strike sends out beacons to detect network vulnerabilities which then deliver malware to create fake command-and-control (C2) profiles that appear genuine. Beacon provides so many functions to the attackers including, keylogging, SOCKS proxying, file transfer, privilege escalation, port scanning, mimikatz, and lateral movement. 

Cobalt Strike comes with a toolkit for developing shellcode loaders, named Artifact Kit. The Cobalt Strike tool kit is used by both parties including the security community as well as cybercriminals. 

Secureworks Counter Threat Unit (CTU) researchers’ team conducted an investigation on the use of Cobalt Strike to get information like when and how the tool has been used by the threat actors. The acquired information will work in favor of organizations to secure their systems against threat actors. 

Having a comprehensive understanding of the threat actor's end goal is essential while trying to secure the system. For instance, the financially motivated GOLD LAGOON cybercriminals group employs the Qakbot botnet to drop Cobalt Strike into the victims’ machine. CTU researchers team learned that GOLD LAGOON is executing Cobalt Strike to Qakbot-infected hosts that are often identified as members of an Active Directory domain. The group that has been active since 2007 also facilitates other cybercriminal groups that drop various ransomware families in compromised networks. 

The early detection of compromised interwork helps cybersecurity communities to recover or fix the victims’ system as soon as possible as highlighted by two similar incidents. 

In the first event, Secureworks incident responders helped the victim recover from a REvil ransomware attack. In the second incident, Secureworks Taegis™ XDR countermeasures detected and alerted the malicious Qakbot and Cobalt Strike activity into the system that enabled network protectors to mitigate the intrusion before the ransomware was deployed. However, the presence of illegal Cobalt Strike versions on the dark web gives chances to threat actors to misuse it.

Latest Cobalt Strike Vulnerability Allows Takedown of Hacker Servers

 

Cybersecurity experts have found Cobalt Strike (DoS) exploit that allows Beacon blocking C2 (Command and Control) communication deployments and new channels. Cobalt Strike is a genuine penetration testing tool built to work as an attack framework by red teams. Red team is a group of cybersecurity analysts that work as threat actors to attack their own organization's to find security vulnerabilities and exploits. But, Cobalt Strike is also used by hackers, that generally use it for post-hacking tasks after planting the beacons, which allows them unlimited remote access to hacked devices. With the help of these beacons, the threat actors can later use the compromised servers to deploy second-stage malware payloads or harvest data. 

The cybersecurity team at SentinelOne, SentinelLabs found about the DoS vulnerabilities, termed as CVE-2021-36798 and called "Hotcobalt" in the most recent versions of the Cobalt Strike server. SentinelLabs reports "when a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. Receiving tasks generally happens over HTTP GET requests and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request." 

The research revealed that one can plant fake beacons with a particular Cobalt Strike server installations by giving out fake tasks or screenshots with high file sizes to the server. The hacker could crash the server and exhaust available memory using the help of this process. The crashed server renders pre-installed beacons, not being able to communicate with the C2 servers, it restricts new beacons from getting installed on compromised systems. 

Besides this, it also interferes with the red team and malicious attacks which used the planted beacons. "One of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all the beacon’s HTTP communications. The entire process described above is wrapped in the chosen Malleable profile’s transformation steps, which are also embedded in the stager itself," said SentinelLabs in its blog.