Since the source code for Cobalt Strike 4.0 was leaked to GitHub in late 2020, this powerful penetration-testing tool has been consistently popular with threat actors. Shared on several English- and Russian-speaking forums, the code and the builds compiled from it have remained in use among advanced and more sophisticated threat groups. It has featured in many high-profile cyber incidents, including the SolarWinds supply chain attack (December 2020), Colonial Pipeline (May 2021), and the fake security updates that capitalized on the Kaseya attack (July 2021).
Figure 1: A Russian forum user sharing a link to a coding repository with the alleged leaked source code for Cobalt Strike version 4.0.
The availability of the source code significantly lowered the barrier to entry, since actors could use the tool without needing to procure a license. These events likely contributed to the rise in underground forum mentions of the tool, which increased by 37% between 2020 and 2021 (Figure 2).
Figure 2: Underground forum mentions of Cobalt Strike over the previous three years.
Why is Cobalt Strike so popular?
Cobalt Strike, first released in 2012, is a commercial adversary-simulation tool designed to emulate the tactics and techniques used by threat actors. Its capabilities span the different stages of an attack cycle, which makes it attractive to malicious actors. One of its distinctive components is the Cobalt Strike Beacon, a configurable and modular post-exploitation backdoor that supports custom plug-ins and uses various evasion techniques, including configurable (Malleable) C2 profiles that shape its traffic, to communicate with the command-and-control (C2) server.
Other core features of Cobalt Strike include network reconnaissance tools to identify a target's products and map their vulnerabilities; social engineering tools, such as for crafting phishing emails; pre-built exploits and customizable payloads; post-exploitation tools to maintain access, move laterally, and escalate privileges; and data exfiltration tools.
Cobalt Strike on the Underground: Easily Available
The tool's appeal to threat actors is also due to its availability. Threat actors can obtain the toolset in several ways: directly from the official developers (currently starting at $5,900, and not payable in bitcoin) or by purchasing a "legitimate" license on the underground (Figure 3). Since the source code leaked, actors can also download a cracked version for free (Figure 4), purchase specialized cracked versions bundled with additional attack kits (Figure 5), or obtain the raw source code (Figure 6).
Figure 3: A threat actor on an underground forum offering to sell their Cobalt Strike license
Figure 4: A threat actor sharing a link to download a cracked version of Cobalt Strike
Figure 5: A threat actor selling a cracked version of Cobalt Strike with additional attack kits
Figure 6: A threat actor sharing source code for Cobalt Strike on an underground forum.
The Community around Cobalt Strike
The spread of a specific hacking tool often tracks the ease with which information on how to use it is available, which lowers the barrier to entry for less skilled threat actors. The underground serves as a knowledge base: forum users help each other with guidance, share best practices to build reputation, and then potentially turn to one another for recruitment.
In this example, a threat actor is seeking recommendations on using Cobalt Strike more effectively while evading detection.
Figure 7: A forum user asking for assistance related to Cobalt Strike
In other threads, users post Cobalt Strike troubleshooting problems and fellow forum members offer suggestions.
Figure 8: A threat actor doing some Cobalt Strike troubleshooting on an underground forum
Given the interest in the tool on the underground, this threat actor posts a recruitment advertisement for people experienced with Cobalt Strike and with maintaining different payloads and builds.
Figure 9: A threat actor seeks a partner who is proficient in Cobalt Strike
Conclusion
Cybercriminals using legitimate tools for illicit activities are heavily documented on the underground, where threat actors commonly seek best practices and technical know-how. Constantly evolving and adopting new tactics demands creativity, which Cobalt Strike supports through its modular capabilities, customization, and ability to integrate with or deliver RATs, credential stealers, ransomware, and more. Oddly enough, threat actors seek what most IT and security teams want: the ability to integrate multiple toolsets, and Cobalt Strike offers exactly that flexibility.
With this in mind, organizations can mitigate the risks of Cobalt Strike by patching vulnerabilities and keeping software up to date; monitoring network traffic for regular beaconing and for known Cobalt Strike artifacts, such as the request URIs of the stock Malleable C2 profile or the default team server TLS certificate; implementing MFA and network segmentation; and maintaining a layered defense strategy.
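To make the "monitoring network traffic" advice concrete, the following is an added example (not code from the original post or from the Cobalt Strike project) of a small hunting script that runs over web proxy log lines. It flags two things a Beacon HTTP listener left on its out-of-the-box settings gives away: requests to the URIs of the stock Malleable C2 profile, and check-ins that repeat on a machine-regular interval with no jitter. The log layout, the two clients and both servers are constructed for the example, and the thresholds (MIN_REQUESTS, MAX_JITTER_CV) are assumptions to tune per environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Request paths from the stock (default) Malleable C2 profile that the Beacon HTTP
# listener ships with. An operator who loads a custom profile will not hit these,
# so this list catches out-of-the-box and cracked-copy deployments only.
DEFAULT_C2_URIS = {
    "/ca", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match", "/visit.js",
    "/load", "/push", "/ptj", "/activity", "/IE9CompatViewList.xml", "/submit.php",
}

# Assumed thresholds: minimum requests per (client, server) pair before cadence is
# judged, and the coefficient of variation below which the cadence counts as
# machine-regular (a default Beacon sleeps a fixed interval with 0% jitter).
MIN_REQUESTS = 4
MAX_JITTER_CV = 0.10

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed proxy log lines in a simplified "timestamp client method server path"
# layout (assumption: invented for this example, not any real product's format).
SAMPLE_LOG = """\
2021-07-05T10:00:00 10.1.1.7 GET 203.0.113.10 /dpixel
2021-07-05T10:00:03 10.1.1.9 GET 198.51.100.5 /index.html
2021-07-05T10:00:45 10.1.1.9 GET 198.51.100.5 /app.js
2021-07-05T10:01:00 10.1.1.7 GET 203.0.113.10 /dpixel
2021-07-05T10:02:00 10.1.1.7 GET 203.0.113.10 /dpixel
2021-07-05T10:03:00 10.1.1.7 GET 203.0.113.10 /dpixel
2021-07-05T10:04:00 10.1.1.7 POST 203.0.113.10 /submit.php
2021-07-05T10:07:12 10.1.1.9 GET 198.51.100.5 /api/user
2021-07-05T10:13:00 10.1.1.9 GET 198.51.100.5 /logo.png
"""


def parse_log(text):
    """Yield (timestamp, src, host, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["host"], m["path"])


def analyze(log_text):
    """Score each (client, server) pair on default-profile URIs and check-in regularity.

    Returns {(src, host): {"requests", "default_uri_hits", "mean_interval",
    "jitter_cv", "periodic", "suspicious"}}.
    """
    per_pair = defaultdict(list)
    for ts, src, host, path in parse_log(log_text):
        per_pair[(src, host)].append((ts, path))

    findings = {}
    for pair, events in per_pair.items():
        events.sort()
        hits = sum(1 for _, path in events if path in DEFAULT_C2_URIS)
        # Seconds between consecutive requests from this client to this server.
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = False
        mean_interval = jitter_cv = None
        if len(events) >= MIN_REQUESTS:
            mean_interval = statistics.fmean(intervals)
            if mean_interval > 0:
                # Low spread relative to the mean means a fixed sleep, i.e. beaconing.
                jitter_cv = statistics.pstdev(intervals) / mean_interval
                periodic = jitter_cv <= MAX_JITTER_CV
        findings[pair] = {
            "requests": len(events),
            "default_uri_hits": hits,
            "mean_interval": mean_interval,
            "jitter_cv": jitter_cv,
            "periodic": periodic,
            "suspicious": hits > 0 or periodic,
        }
    return findings


if __name__ == "__main__":
    for (src, host), f in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{src} -> {host}: {flag} {f}")
```

On the constructed sample, the 10.1.1.7 client is flagged on both counts (every request hits a stock-profile URI and the check-ins arrive exactly 60 seconds apart), while the ordinary browsing from 10.1.1.9 is not. Treat this as a baseline hunt rather than a complete detection: the operators discussed in this post frequently load custom Malleable C2 profiles and configure sleep jitter, which defeats both signals, so pair it with endpoint telemetry and the other controls listed above.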
Cybersixgill can help you assess, measure, prioritize, and address emerging threats.