SentinelOne has revealed a new vulnerability in Cobalt Strike called HotCobalt. This vulnerability exists in versions 4.2 and 4.3 of Cobalt Strike and has been recorded as CVE-2021-36798. It allows defenders to identify how Cobalt Strike’s beacons talk to its Command and Control (C2) servers.
HotCobalt prevents new beacons from being installed. In a twist, it also allows for fake beacons to be used to overload the C2 server. This is useful, as defenders can now create a denial of service (DoS) response to an attack.
“This would allow an attacker to cause memory exhaustion in the Cobalt Strike server (the ‘Teamserver’) making the server unresponsive until it’s restarted. This means that live Beacons cannot communicate to their C2 until the operators restart the server.
“Restarting, however, won’t be enough to defend against this vulnerability as it is possible to repeatedly target the server until it is patched or the Beacon’s configuration is changed.
“Either of these will make the existing live Beacons obsolete as they’ll be unable to communicate with the server until they’re updated with the new configuration. Therefore, this vulnerability has the potential to severely interfere with ongoing operations.”
From legitimate software to malicious tool
Cobalt Strike started life as a tool for penetration testers. However, it has since been used by multiple groups of cybercriminals. One of the most high-profile uses of Cobalt Strike was in the attack against SolarWinds.
Five weeks ago, two researchers from Proofpoint, Selena Larson and Daniel Blackford, published a look at the evolution of Cobalt Strike. They document how malicious actors have taken over the tool to launch their campaigns. Larson and Blackford write: “Proofpoint saw a 161 percent increase in threat actor use of the tool from 2019 to 2020.”
The researchers also show how it is increasingly being used to drop the initial malware payload onto victims’ computers. That payload then allows attackers to take control of affected machines and networks.
In a comment, Javvad Malik, security awareness advocate at KnowBe4, said: “Securing software from vulnerabilities and applying patching is not just an organisational challenge, but one that also plagues criminals, nation-states, and all those in between.
“This is an interesting vulnerability because a great deal of resources aren’t typically put into finding vulnerabilities in attack frameworks. While this can be used by organisations as part of their response, it will only be effective until a patch is created and made available.
“Ultimately, taking down bad actors or trying to attribute attacks is best left to law enforcement or other professionals. Many organisations don’t have the resources, time, or will to actively go after attackers. Doing so can result in an endless game of cat-and-mouse. So organisations should focus on preventing being breached to begin with by identifying the root causes through which they are attacked and bolstering defences where they are needed the most.”
Enterprise Times: What does this mean?
The challenge for organisations is how to defend against a legitimate software tool. Many red teams like Cobalt Strike for the same reasons that cybercriminals use it. It provides them with useful capabilities when testing an organisation’s security.
Sadly, HotCobalt has now been patched by HelpSystems in Cobalt Strike v4.4, which was released yesterday. That does not mean that defenders should not be trying this method to disrupt attacks. Not all cybercrime groups will have updated their tools immediately, and attacks using vulnerable versions will still be taking place.