Automated Cyber Weapons: The Cobalt Strike Bug, And The Dangers of Automation

What if you could temporarily shut down a botnet attack by replying with a Denial of Service (DoS) attack? Security researchers at SentinelOne recently discovered a bug in Cobalt Strike, a post-exploitation penetration testing toolkit. The bug can trigger a DoS condition on the command and control (C2) team server, a component of the software, exhausting its memory and grinding it to a halt until the attacker restarts it.

With the bot unable to communicate with the C2 server, the attacker is prevented from uploading new beacons. In other words, when this bug is exploited, any operations the intruder is performing are temporarily shut down. The Denial of Service vulnerability affects versions 4.2 and 4.3 of Cobalt Strike’s team server (CVE-2021-36798). What this means is that security researchers and Incident Response teams using Cobalt Strike could force a shutdown of threat actors who are using the same software against them.

However, as interesting as this hypothetical scenario might appear, such a bug is a double-edged sword. Simply put, threat actors can exploit the same bug and trigger DoS attacks directed at cybersecurity groups with the same software used in Red Team testing.
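The article describes the fault only as the team server's memory being overloaded by traffic it receives; it does not give the trigger. The following is an added illustration, not Cobalt Strike code and not a reproduction of CVE-2021-36798, of the general class behind such a failure and of the server-side checks that close it: a server that reserves memory according to a size declared by an untrusted peer, beside a version that validates the declared length and enforces a per-peer byte budget before anything is allocated. The 4-byte length-prefixed wire format and the cap values are constructed for this example.

```python
import struct

# Constructed wire format for this illustration: 4-byte big-endian length prefix.
HEADER = struct.Struct("!I")
MAX_FRAME = 64 * 1024              # hard cap on the payload one frame may declare
MAX_BYTES_PER_PEER = 256 * 1024    # cap on bytes accepted from one peer per window


class FrameError(ValueError):
    """Frame or peer rejected before any peer-sized allocation takes place."""


def build_frame(payload: bytes) -> bytes:
    return HEADER.pack(len(payload)) + payload


def reserve_body_trusting(header: bytes) -> bytearray:
    """The pattern behind this DoS class: reserve whatever the peer declares.

    A header claiming 0xFFFFFFFF bytes makes this reserve 4 GiB for a body that
    never arrives; a handful of such headers exhausts the server. Shown for
    contrast only; never feed it untrusted input.
    """
    (declared,) = HEADER.unpack(header)
    return bytearray(declared)       # allocation size chosen by the peer


def parse_frame(buf: bytes) -> bytes:
    """Hardened parser: validate the declared length before allocating."""
    if len(buf) < HEADER.size:
        raise FrameError("short header")
    (declared,) = HEADER.unpack_from(buf, 0)
    if declared > MAX_FRAME:
        raise FrameError(f"declared length {declared} exceeds cap {MAX_FRAME}")
    payload = buf[HEADER.size:]
    if len(payload) != declared:
        raise FrameError(f"declared {declared} bytes, received {len(payload)}")
    return payload


def handle_peer(frames) -> tuple:
    """A per-frame cap alone is not enough: a peer flooding many legal frames
    still consumes memory, so a running byte budget drops the peer outright.
    Returns (accepted payloads, number of rejected frames)."""
    accepted, rejected, used = [], 0, 0
    for raw in frames:
        used += len(raw)
        if used > MAX_BYTES_PER_PEER:
            raise FrameError("peer exceeded byte budget; dropping connection")
        try:
            accepted.append(parse_frame(raw))
        except FrameError:
            rejected += 1           # log and drop; no memory was reserved for it
    return accepted, rejected


def is_rejected(fn, arg) -> bool:
    """True if the handler refuses the input instead of allocating for it."""
    try:
        fn(arg)
    except FrameError:
        return True
    return False
```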

Combating the deluge of threat actors and their arsenal of cyberweapons can be a tedious job: often a tit-for-tat relationship between defensive and offensive strategies, and a blow-for-blow battle for supremacy over a protected network.

It isn’t uncommon for threat actors to get their hands on powerful hacking toolkits used by Red Team testers, which are designed to streamline penetration testing techniques and can also feature more efficient functionalities than the programs found in open source communities or off-the-shelf pentesting software suites.

Ironically, years ago I myself used to be a part of this illicit category, when I managed to obtain a copy of a very powerful Denial of Service stress-testing tool used by advanced pentesting teams, along with a stolen key generator, which in many ways proved more useful than most botnets that I had experience working with.

What Is Cobalt Strike?

In the same vein, Cobalt Strike is a genuine, commercially available post-exploitation threat emulation software designed for Red Team operations. Unsurprisingly, it has become quite popular among cybercriminals and various advanced persistent threat (APT) actors such as APT41 and APT32, to name a few. The software was also instrumental in the SolarWinds supply chain attack seen last year, according to a report published by Proofpoint.

The primary components of the Cobalt Strike framework are a client and a server: the Cobalt Strike client, also called a beacon, and the Cobalt Strike team server. Beacons are payloads that are sent out or distributed for the purpose of identifying network vulnerabilities.

Once a beacon has been installed on a computer system, it lets the user connect to it through the team server, send instructions to the machine, and return information to the tester. Needless to say, threat actors ultimately found a way to abuse the software. When this penetration testing product is operated by malicious actors, the same capabilities become command execution, keylogging and silent extraction of stolen data, file transfer, SOCKS proxying, and lateral movement across a network. Such operators can also upload malware payloads and create fictitious C2 profiles that appear authentic and can sneak past detection.

After a computer system has been compromised by whatever means, the threat actor then uploads the beacon and connects to it with the Cobalt Strike team server, assuming full control over the infected machine. This would allow a threat actor to assume control over a multitude of machines, and to be able to send instructions to any of them from a single command and control server.

It is expected that any kind of software that has proven its merits through efficiency is going to attract a diverse user base with various motives: governments and elusive nation state-sponsored APT groups, Red Teamers, hacktivists and, of course, the ubiquitous cybercriminal. But what if a bug were discovered in the very software a malicious threat actor is using, a bug that could be leveraged against the attacker?

Additionally, this year researchers at Proofpoint reported a year-over-year escalation of 161% in the number of cyberattacks in which Cobalt Strike was illegitimately weaponized by threat actors, who targeted tens of thousands of organizations. The sharp increase occurred between 2019 and 2020. Interestingly, the report also detailed that the software is being used more by common cybercriminals and general malware operators than by advanced persistent threat (APT) actors or by individuals who choose general malware. Why?

“I'm guessing [threat actors] find it useful because it has powerful attack automation methods. So, even unskilled hackers working for foreign govs can use it to help them pull off pretty impressive hacks,” said former black hat Matthew Telfer aka MLT, who’s now a cybersecurity analyst, bug bounty hunter and exploit developer. “Basically, it allows relatively unsophisticated threat actors with minimal experience to pull off sophisticated hacks that usually would only be done by experienced hackers.”

Automation: A Blessing And A Curse

Automation simplifies broad and complicated tasks that seasoned cybersecurity experts know how to execute. It is a convenience that helps experts perform tasks more efficiently, which in turn limits the time spent executing them manually. Since not everyone in cybersecurity has the same experience or function in the industry, consider the following perspective. Imagine turn-key automation of some of the most powerful exploits, written by a select few exploit-writing wizards, suddenly being available to just anybody who could get their hands on it. All it would take is some common googling, and the threat actor is armed and ready to deploy some pretty sophisticated software.

While simplifying tasks is important for cybersecurity experts, it is also important to threat actors, namely, those who lack the knowledge and skill to perform the same sophisticated tasks without the benefit of automation software. In fact, according to a new, and somewhat unsurprising analysis published by Barracuda Networks, cybercriminals are increasingly utilizing automation tools to launch their attacks.

The underlying issue isn’t automation. It is actually about hardening products and increasing the protection within them. While Cobalt Strike users are required to register and purchase a one-year $3,500 license in order to acquire a key, I ended up stumbling upon a cracked version of the software right here on the clearnet without having to lurk through some backend server within the recesses of the darkweb. When it's that easy to get your hands on some of the world's top heavy-hitting cyber tools, it's nothing short of frightening.

An article by Jesse McGraw
