Cobalt Strike, a legitimate security tool, appeared in 161 percent more cyberattacks in the past year. Researchers say it has “gone fully mainstream in the crimeware world.”
Cobalt Strike, first introduced in 2010, is a legitimate and useful piece of software that is popular with network pentesters. But it has become a dangerous tool in the hands of cybercriminals seeking to infiltrate networks.
Security company Proofpoint says it has tracked the growth of Cobalt Strike since its source code was leaked in November 2020. The number of real-world attacks attributed to Cobalt Strike has increased year-over-year, rising by about 161 percent from 2019 to 2020, according to Proofpoint’s report published today.
The researchers said they witnessed the tool being used to target thousands of organizations. They also noted that the tool is favored by cybercriminals and general-commodity malware operators, more so than by advanced persistent threat (APT) groups.
Researchers use Cobalt Strike as a network security tool: it deploys beacons that detect and report network vulnerabilities, and it is used to simulate attacks.
But threat actors like it for its ability to exfiltrate data, deliver malware, and create fake command-and-control (C2) profiles.
In 2020, the bulk of the Cobalt Strike campaigns were conducted by criminal actors and not researchers, Proofpoint said.
Proofpoint isn’t the only security company to document the rise of Cobalt Strike. In January 2021, researchers at Recorded Future reported a spike in the use of cracked or trial versions of Cobalt Strike by APT groups such as APT41, Mustang Panda, Ocean Lotus, and FIN7.
Proofpoint researchers say that attackers are increasingly using Cobalt Strike as an initial access payload, rather than only as a tool deployed after an attacker has already gained access to a network.
Beyond Initial Access, Proofpoint’s report notes that the company has also observed Cobalt Strike used in attack chains during the Execution and Persistence stages.
“Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020,” the researchers wrote.