It is powerful, easily modifiable for malicious use, and its wide adoption gives cyberdefenders a hard time identifying the group involved.

A good thing in the wrong hands can cause enormous damage. That also applies in cyberspace, where the Cobalt Strike (CS) framework has become something of a bogeyman.

The tool was originally created by ethical hackers to help organizations test the security of computer systems, assess security levels and analyze the response to potential attacks.

But when hackers saw the enormous potential of CS, they decided to exploit the tool for cybercrime.

CS is especially popular thanks to its versatility and an agent called ‘Beacon’ that allows hackers to gain unauthorized access; increase privilege levels; run codes remotely; and steal data or to help with cloaking, further spreading and lateral movement.

In addition, the tool can be easily modified to adjust its capabilities. A cracked pirated version is available in underground forums, and the source code for version 4.0 was leaked in late 2020. The CS people reserve the right to decide to whom they sell their framework. They avoid selling the product to cybersecurity vendors, as it is against their business interest. They also try to refrain from selling the product to Black Hat hackers, as they understand the danger.

So the cracked version is something everyone needs. Defenders and offenders. 

CS users never sleep

Hackers use a variety of techniques and attacks. Sometimes they want to be seen: they want to cause demonstrative damage, for example in Distributed Denial of Service (DDoS) attacks on websites.

Sometimes they want to distract attention from other attacks or just to test their skills, show their strength and make headlines.

On the other hand, sometimes they try to sneak through systems undetected, to arouse no suspicion, so the threat remains undetected for the maximum possible time. This is where CS comes in. It has been part of the financial and espionage campaigns of the biggest hacker groups of recent years, such as Cozy Bear, Carbanak and Hancitor. 

Even one of the most destructive botnets, Trickbot, has been using CS since 2019 for reconnaissance and further proliferation. In 2020, Trickbot even used CS to spread Anchor malware and the infamous Ryuk ransomware, which has been used, for example, in a wave of cyberattacks on hospitals, medical facilities, and other organizations around the world.

CS is also a popular component of attacks by other threats such as Bazaar, Qbot and DoppelPaymer ransomware. In short, CS is a valuable tool for a wide variety of attacks.

What can Cyber defenders do?

Analyzing all threats that use CS’s capabilities and features in one way or another, what can we infer from all the disparate scenarios uncovered by security teams? Let us see:

  • Hackers—presumably from the Chinese state-sponsored group TAG-22—used CS in the early stages of an espionage attack on telecommunications companies in Taiwan, Nepal, and the Philippines.
  • CS was also used in combination with the BIOPASS malicious code, which can spy on victims, trigger commands and gain remote access to devices, to attack Chinese online gambling companies.
  • Recently, a massive ransomware attack targeted over 200 companies using Kaseya’s systems. Kaseya now warns that hackers are trying to mimic the company in phishing campaigns and spread CS using malicious attachments or links in the guise of a ‘security update’.
  • The full list of malicious activities would be very long, but CS recently gained the most notoriety in the attack on the SolarWinds supply chain. Nine US government agencies and over a hundred private organizations were attacked, causing chaos and panic.
  • And how could it possibly be that hackers managed to escape the attention of security teams at such elite technology/consulting companies as Microsoft and Cisco and government agencies such as the US Department of Homeland Security? How is it that the attack went undetected for months and that hackers were able to get from a local network to the cloud and gain long-term access to sensitive data?

The Sunburst malware was most likely spread via an infected Orion update in February 2020. But researchers subsequently found that previously-undetected Sunspot malware had already been spread via a test platform update in October 2019. One of the tools that enabled this long-term espionage was CS. In the SolarWinds supply chain attack, two sophisticated loaders (Raindrop and Teardrop) were used to spread it.

So, we can see CS is very popular among hackers due to its popularity and wide range of customization options that make detection and investigation difficult. As individual attacks are similar, attributing campaigns to specific hacker groups is also made difficult.

Cybercrime never sleeps. When it sees an opportunity, it immediately seizes it. And it may not just be bona fide tools like CS, but also AI technologies and engines. That is why it is imperative to proactively preempt all threats before they can even penetrate a device or network.