Since 2012, Cobalt Strike has been used as a proactive way to test network defenses against advanced tools, tactics, and procedures (TTPs) from threat actors. The goal, of course, is to mimic the most malicious threat actors and their techniques to test your security posture and practice response procedures. Unfortunately, like most things in security, the tools and knowledge intended to help security teams can also be used maliciously by criminals.

Over the past three years, malicious threat actors have successfully cracked full-featured versions of Cobalt Strike and made them widely available on dark web markets and forums. For example, on March 22, 2020, the latest version of the tool was cracked and provided to hackers. Infocyte has seen it widely used to infiltrate and move laterally through networks and, depending on the value placed on a given company’s data, drop ransomware. Infocyte has noticed a steady upward trend in the use of this cracked version as a primary methodology by threat actors from early 2019 to the present.

Cobalt Strike is a favorite because it is stable and very flexible. It can be used to deploy all kinds of payloads, such as ransomware or keyloggers, on the compromised network. It is well organized and provides a framework for managing compromised assets. Basically, this tool helps ‘B-list’ hackers act like ‘A-list’ hackers. While the author of Cobalt Strike has implemented many protections and licensing schemes to keep the code out of the wrong hands, the cracked versions appear to include the entire framework. This means that threat actors can gain access to a network, pivot, and then move laterally within it.

A one-year license of Cobalt Strike costs around US$3,500 per user. The license renewal costs approximately US$2,500. However, cybercriminals often use trial or cracked versions of this tool, or even find ways to obtain a commercial copy of the software. Given the wide range of capabilities, there is little doubt why hackers prefer Cobalt Strike over building a custom toolkit. To identify a Cobalt Strike deployment and stay protected, experts recommend several techniques, including looking for the team server’s default open port, 50050/TCP, and checking for the vendor’s default TLS certificate.
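The two indicators named above (the default team server port and the stock TLS certificate) can be turned into a simple triage check over your own asset inventory or perimeter scan results. The script below is an added example written for this page, not code from the original article or from the Cobalt Strike vendor. It assumes scan records of the form (host, port, certificate subject); the host addresses and subjects in it are constructed sample data, and the default certificate subject fields it matches against are the widely reported values for the stock team server certificate, which you should refresh from current threat intelligence rather than treat as ground truth. The optional live lookup assumes the `cryptography` package is installed.

```python
"""Flag TLS listeners that look like a Cobalt Strike team server, using the two
indicators the article names: the default port 50050/TCP and the vendor's default
self-signed certificate. Intended for checking your own exposed assets."""
import socket
import ssl
from typing import Dict, List

DEFAULT_TEAMSERVER_PORT = 50050

# Widely reported subject fields of the stock team server certificate.
# Indicator only: update from current threat intel, and expect operators to change it.
DEFAULT_CERT_SUBJECT = {
    "CN": "Major Cobalt Strike",
    "O": "cobaltstrike",
    "OU": "AdvancedPenTesting",
}


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL-style subject ('C=Earth, O=cobaltstrike, CN=...') into a dict."""
    fields: Dict[str, str] = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def assess(host: str, port: int, subject: str) -> dict:
    """Score one listener. Either indicator alone is enough to flag it for review."""
    fields = parse_subject(subject)
    reasons: List[str] = []
    if port == DEFAULT_TEAMSERVER_PORT:
        reasons.append("listener on default team server port 50050/TCP")
    matched = [k for k, v in DEFAULT_CERT_SUBJECT.items() if fields.get(k) == v]
    if matched:
        reasons.append("subject matches stock Cobalt Strike cert fields: " + ", ".join(matched))
    return {"host": host, "port": port, "suspicious": bool(reasons), "reasons": reasons}


def triage(records: List[tuple]) -> List[dict]:
    """Return only the records worth an analyst's attention."""
    return [r for r in (assess(*rec) for rec in records) if r["suspicious"]]


def fetch_subject(host: str, port: int, timeout: float = 5.0) -> str:
    """Live lookup: fetch the peer certificate and return its subject as a string.
    Verification is disabled because the stock certificate is self-signed.
    Assumes the third-party 'cryptography' package is available (lazy import)."""
    from cryptography import x509  # assumption: package installed

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    return ", ".join(f"{attr.rfc4514_attribute_name}={attr.value}" for attr in cert.subject)


# Constructed sample scan records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RECORDS = [
    ("203.0.113.10", 50050,
     "C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike"),
    ("198.51.100.5", 443, "CN=www.example.com, O=Example Corp"),
    ("192.0.2.7", 443, "O=cobaltstrike, CN=cdn.example.net"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['host']}:{hit['port']} -> " + "; ".join(hit["reasons"]))
```

Matching on the certificate subject is deliberately separate from the port check: operators frequently move the team server off 50050 or front it with a redirector, so a stock certificate on an unexpected port still deserves a look, and a bare 50050 listener with an unrelated certificate is a weaker signal that only warrants review.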


