Cobalt Strike: From Pentesting to the Hacker’s Toolkit

To begin this post on the dangers of Cobalt Strike, it is necessary to clarify some terms. First of all, 'pentest' is short for penetration test. It is an authorized, simulated cyberattack on a network for the purpose of finding vulnerabilities that may exist in that network. Those who perform this service are called 'pentesters'. A team of pentesters that goes further and imitates a specific adversary end to end is referred to as a 'red team', and what they perform are 'red team operations' or 'adversary simulations'. Their job is to simulate, as closely as possible, an attack on a network by a real adversary. The owners of the network want such a simulated attack to succeed wherever it can, because every successful compromise points to a weakness they can then fix.

Pentesters use a variety of pentesting tools known as 'threat emulation software'. Among the most widely used of these tools is one called Cobalt Strike. It is marketed as a 'network attack kit' and can be bought by any interested individual. The price is $3,500 per user, per year. That price includes a complete course that shows the customer how to use the software.

Notice that such a course is no different from training a hacker in how to hack. Here are the topics the course covers, with a brief description of what each is for.

Operations – How to set up a server for your operations.

Infrastructure – setting up the servers, redirectors and listeners that the implant, called Beacon, calls back to in order to send information to the operator

C2 – establishing a command and control (C2) center

Weaponization – packaging the Beacon payload into a file, document or script that can be delivered to a target

Initial Access – designing and delivering a spearphishing email

Post Exploitation – what to do once a Beacon is running on a compromised host (running commands, collecting files, keylogging, screenshots)

Privilege Escalation – moving from standard user rights to administrative rights; harvesting credentials

Lateral Movement – The Cobalt Strike website defines this as "abusing trust relationships to attack systems in an enterprise network". (Using stolen credentials or tokens to pretend to be someone else and move to new areas of a network)

Pivoting – using a compromised host as a relay so that the operator can reach systems that are not directly reachable from the outside.

It really is not that surprising that hackers would be interested in getting their hands on this toolkit. They may find the price a bit steep, but the source code for the package has apparently been leaked online. There are also free, cracked versions available. They may be older versions, but they would serve their purpose in most instances.

The developers of Cobalt Strike really don’t care who buys their product. They are a business after all. Therefore, its popularity among hacking teams and government affiliated hacking groups is unrivaled. Here are some facts from a report by Recorded Future.

The situation seems to be worsening in 2021. Here are some recent attacks using Cobalt Strike that were noted by the Malware Traffic Analysis website.

A report on Cobalt Strike by Red Canary states that "Cobalt Strike is so common and reliable that adversaries create their own custom tooling to simply deploy the payloads, knowing that they will likely succeed if they can just get the payload past security controls. This capability demonstrates how Cobalt Strike fits into the threat model for nearly any organization." On the positive side, this report gives some ways to detect whether Cobalt Strike components are being used to compromise your network. This is especially important since ransomware gangs routinely use Cobalt Strike for reconnaissance, credential theft and lateral movement in the days before the ransomware itself is deployed.
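As an added illustration of the kind of detection the Red Canary report talks about (this is example code written for this post, not Red Canary's or Cobalt Strike's own), the script below runs two well-known default-configuration checks over a handful of constructed Sysmon-style event records: named pipes that match Cobalt Strike's stock pipe names (msagent_##, MSSE-####-server, postex_####, status_##), and rundll32.exe started with no command-line arguments, which is the stock 'spawnto' host that Beacon uses for its post-exploitation jobs. The event records and the rule names are made up for the example.

```python
import re

# Default Cobalt Strike named-pipe names (Sysmon Event ID 17 reports them
# as "\name"). Operators can rename every one of these in a malleable C2
# profile, so these rules catch default deployments, not every Beacon.
PIPE_RULES = {
    "cs_default_smb_beacon_pipe": re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "cs_default_artifact_kit_pipe": re.compile(r"^\\MSSE-\d{3,4}-server$", re.I),
    "cs_default_postex_pipe": re.compile(r"^\\postex_(ssh_)?[0-9a-f]{4}$", re.I),
    "cs_legacy_postex_pipe": re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
}

# rundll32.exe launched with nothing but its own (optionally quoted, optionally
# full) path. Legitimate rundll32 invocations almost always name a DLL and an
# export; Beacon's default spawnto process does not.
ARGLESS_RUNDLL32 = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s*$', re.I
)

# Constructed sample telemetry in a Sysmon-like shape; not real captured data.
SAMPLE_EVENTS = [
    {"event_id": 17, "image": r"C:\Windows\System32\rundll32.exe", "pipe": r"\MSSE-1337-server"},
    {"event_id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\msagent_4f"},
    {"event_id": 17, "image": r"C:\Windows\explorer.exe", "pipe": r"\postex_1a2b"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe", "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL", "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 17, "image": r"C:\Program Files\Foo\foo.exe", "pipe": r"\mojo.5688.8052.183894939787"},
]


def match_pipe(pipe_name):
    """Return the name of the first default-pipe rule that matches, else None."""
    for rule, rx in PIPE_RULES.items():
        if rx.match(pipe_name):
            return rule
    return None


def match_process(command_line):
    """Flag rundll32.exe that was started without any arguments."""
    if ARGLESS_RUNDLL32.match(command_line.strip()):
        return "cs_argless_rundll32_spawnto"
    return None


def scan(events):
    """Apply the rules to pipe-creation (17) and process-creation (1) events.

    Returns a list of (rule, image, matched_value) tuples in event order.
    """
    hits = []
    for ev in events:
        rule = None
        if ev.get("event_id") == 17:
            rule = match_pipe(ev.get("pipe", ""))
        elif ev.get("event_id") == 1:
            rule = match_process(ev.get("command_line", ""))
        if rule:
            hits.append((rule, ev["image"], ev.get("pipe") or ev.get("command_line")))
    return hits


if __name__ == "__main__":
    for rule, image, value in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {image}  ->  {value}")
```

Run against the constructed sample, four of the six records fire (three pipe rules and the argument-less rundll32.exe); the rundll32 invocation that names a DLL and the Chromium-style mojo pipe do not. The caveat a responder needs to keep in mind is that all of these are defaults: a profile that sets its own pipe names and spawnto will sail past every rule here, so treat a miss as "no evidence", not "no Beacon".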

As can be seen in the chart above, government-linked hacking groups such as APT41 and Mustang Panda, both operating out of China, are among Cobalt Strike's biggest fans. Cobalt Strike was used both in the SolarWinds attack and in the spear-phishing campaign that Microsoft reported in 2021. Microsoft has tied these attacks to a Russian hacking group it calls Nobelium. As you might guess, this group built a sophisticated attack that uses Cobalt Strike as one stage of its architecture. Here is the way these attacks are organized.

Not surprisingly, the attack begins with a spearphishing email. The email, which appears to come from a valid contact, contains a link. When the victim follows the link, an HTML page is served whose embedded JavaScript decodes an ISO file from data carried inside the page and writes it to the victim's computer (a technique known as HTML smuggling, which keeps the payload out of sight of mail and web filters that only look at the download URL). The victim is then encouraged to open this file. Doing so mounts the ISO so that it appears as an external drive. The mounted image contains a shortcut that, when clicked, loads a DLL, and that DLL is the loader for the Cobalt Strike Beacon.
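The HTML-smuggling step is the one a mail gateway or browser-download scanner gets to see, so as an added example (written for this post; not Microsoft's tooling and not a real Nobelium artifact) the script below inspects an HTML document for the tell-tale combination: a large base64 literal, the browser APIs used to turn it into a file (atob, Blob, URL.createObjectURL, msSaveOrOpenBlob), and a download name ending in a risky extension. It also decodes each large literal and sniffs the bytes, checking for the ISO 9660 volume-descriptor signature "CD001" at sector 16 rather than trusting the file name. The sample page is constructed inside the script and carries a blank ISO image, so nothing harmful is produced; the function names and scoring are my own.

```python
import base64
import re

# Browser APIs that assemble a file on the client from data already in the page.
BLOB_APIS = re.compile(r"\b(new\s+Blob|URL\.createObjectURL|msSaveOrOpenBlob|atob)\s*\(")
# Matches both `a.download = 'x.iso'` in script and `<a download="x.iso">` in markup.
DOWNLOAD_ATTR = re.compile(r"""download\s*=\s*['"]([^'"]+)['"]""")
# A quoted base64 literal of at least 2 KB; a smuggled payload is far larger.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{2048,}={0,2})['"]""")
RISKY_EXT = (".iso", ".img", ".vhd", ".vhdx", ".lnk", ".js", ".hta", ".exe")


def sniff(data):
    """Identify the decoded payload by magic bytes, not by its advertised name."""
    # ISO 9660: primary volume descriptor at byte 0x8000 is 0x01 followed by "CD001".
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def analyze_html(html):
    """Score an HTML document for HTML-smuggling indicators."""
    apis = sorted({re.sub(r"\s+", " ", a) for a in BLOB_APIS.findall(html)})
    names = DOWNLOAD_ATTR.findall(html)
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # not valid base64 after all (e.g. a long token or hash)
        payloads.append({"size": len(data), "kind": sniff(data)})
    risky_name = any(n.lower().endswith(RISKY_EXT) for n in names)
    if any(p["kind"] in ("iso9660", "pe") for p in payloads) or (risky_name and payloads):
        verdict = "html_smuggling"
    elif apis and (payloads or names):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"apis": apis, "download_names": names, "payloads": payloads, "verdict": verdict}


def build_constructed_sample():
    """Constructed stand-in for a smuggling page: a blank ISO dropped via Blob + download link.

    The image is 17 sectors of zeros with only the volume-descriptor signature set,
    so it contains no files and is harmless; it exists only to exercise the sniffer.
    """
    iso = bytearray(0x8000 + 2048)
    iso[0x8000] = 1
    iso[0x8001:0x8006] = b"CD001"
    b64 = base64.b64encode(bytes(iso)).decode()
    return f"""<html><body><p>Loading document...</p><script>
var file = '{b64}';
var bytes = Uint8Array.from(atob(file), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Invitation.iso';
document.body.appendChild(a); a.click();
</script></body></html>"""


if __name__ == "__main__":
    report = analyze_html(build_constructed_sample())
    print(report["verdict"], report["download_names"], report["payloads"], report["apis"])
```

On the constructed page the verdict is html_smuggling, with the decoded blob identified as iso9660 and the download name Invitation.iso. Two design points are worth noting: the base64 is actually decoded and sniffed, because the file name is attacker-controlled and a ".pdf" download that decodes to an ISO or a PE is exactly what you want to catch; and a page that merely uses Blob APIs without a large literal lands in "suspicious" rather than being blocked, since plenty of legitimate web applications build downloads client-side.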

This and other attacks with Cobalt Strike will continue to occur. That’s just a fact. The Nobelium group and ransomware groups just wouldn’t be as effective without it. But it is possible to subvert these attacks with some vigilance. Here are some of the current indications of a compromised network given by Microsoft.

Microsoft goes on to say that “Microsoft security researchers assess that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.” In other words, prepare yourself for some major cyber attacks.

Many pentesting tools are used by hackers, and many of these are free. It is the widespread use of Cobalt Strike that is so troubling. Also of concern is its growth in popularity, especially among government-connected hacking groups. Some may wonder why Cobalt Strike isn't simply banned or its website taken down. But, like it or not, it has its place in securing networks. You can't ban something just because there are people who will misuse it. If that were the case, guns, knives, and even cars would be banned.
