
We need to talk about criminal hackers using Cobalt Strike, says Cisco Talos
2020-09-24 18:22

Penetration testing tool Cobalt Strike is increasingly being used by criminals in real, non-simulated attacks, with traces of it turning up in everything from ransomware infections to state-backed APT intrusions, says Cisco Talos.

Claiming that the tool "accounted for 66 per cent of all ransomware attacks Cisco Talos Incident Response responded to this quarter," the threat intel outfit reckons that criminal hackers and legitimate red teams alike make heavy use of Cobalt Strike, especially its ability to stand up listeners on an attacker-controlled team server and deploy beacon implants onto targeted networks.

"Cobalt Strike's strength comes from the many answers it offers to difficult questions an attacker might have. Deploy listeners and beacons? No problem. Need to create some shellcode? Easy. Create staged/stageless executables? Done. Given Cobalt Strike's versatility, it's no wonder... Talos is noticing a trend for attackers to lean more upon Cobalt Strike and less upon commodity malware," said Cisco Talos senior research engineer Nick Mavis in a post.

In a detailed whitepaper Cisco Talos said it had analysed the Cobalt Strike attack framework and devised about 50 detection signatures for use with the Snort intrusion detection engine and the open-source ClamAV antivirus engine. Cobalt Strike's malicious uses have rather passed under the radar in the last few years, though in 2018 Talos spotted it being used by a person or persons based in China's Jiangxi province as part of a cryptojacking scam.
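The Snort and ClamAV signatures themselves are not reproduced here. As an added example (not code from the article, from Talos, or from the Cobalt Strike product), the following Python shows two lightweight checks a detection engineer might run beside such signatures, applied to constructed proxy-log lines. It assumes, and labels as assumptions, the checksum8 stager convention Cobalt Strike inherited from Metasploit (sum of the URI path bytes mod 256 equals 92 for an x86 stager and 93 for x64), a small subset of the beacon URIs from the default Malleable C2 profile, and an invented log format.

```python
"""Added example, not part of the original article or the Cobalt Strike product.

Assumptions, stated as such:
  * Cobalt Strike stagers (like Metasploit's) request a short random URI whose
    checksum8 (sum of the path bytes mod 256) is 92 for x86 and 93 for x64.
  * The default Malleable C2 profile uses a small set of fixed beacon URIs; only
    a subset known from public write-ups is listed here, and a custom profile
    replaces them entirely.
  * The log line format below is invented for the example.
"""
import re
from typing import Dict, List, Optional

CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Subset of default-profile beacon URIs (assumption: illustrative, not exhaustive).
DEFAULT_PROFILE_URIS = {
    ("GET", "/dpixel"),
    ("GET", "/__utm.gif"),
    ("GET", "/pixel.gif"),
    ("POST", "/submit.php"),
}

# Constructed log format: "<ts> <src> -> <dst> <METHOD> <path> HTTP/1.x"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$"
)

# Stager paths are a slash plus a few alphanumerics. Requiring that shape keeps the
# 1-in-256 checksum coincidence from flagging every long URL seen on the network.
STAGER_SHAPE = re.compile(r"^/[A-Za-z0-9]{4,5}$")


def checksum8(path: str) -> int:
    """Sum of the byte values of the path (leading slash dropped), modulo 256."""
    return sum(path.lstrip("/").encode("ascii", errors="ignore")) % 256


def classify_request(method: str, path: str) -> Optional[str]:
    """Return a label for a suspicious request, or None for everything else."""
    if (method, path) in DEFAULT_PROFILE_URIS:
        return "cs-default-profile-uri"
    if method == "GET" and STAGER_SHAPE.match(path):
        c = checksum8(path)
        if c == CHECKSUM8_X86:
            return "cs-stager-x86"
        if c == CHECKSUM8_X64:
            return "cs-stager-x64"
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse log lines and return one hit per suspicious request, in log order."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        label = classify_request(m["method"], m["path"])
        if label:
            hits.append({"src": m["src"], "dst": m["dst"], "path": m["path"], "label": label})
    return hits


# Constructed sample traffic, not real data.
# "ZZZN" sums to 348 -> 92 (x86); "ZZZO" sums to 349 -> 93 (x64); "abcd" sums to 394 -> 138 (benign).
SAMPLE_LOG = [
    "2020-09-24T18:22:01Z 10.0.0.5 -> 203.0.113.10 GET /ZZZN HTTP/1.1",
    "2020-09-24T18:22:02Z 10.0.0.5 -> 203.0.113.10 GET /dpixel HTTP/1.1",
    "2020-09-24T18:22:03Z 10.0.0.7 -> 203.0.113.10 POST /submit.php HTTP/1.1",
    "2020-09-24T18:22:04Z 10.0.0.9 -> 198.51.100.4 GET /ZZZO HTTP/1.1",
    "2020-09-24T18:22:05Z 10.0.0.9 -> 198.51.100.4 GET /index.html HTTP/1.1",
    "2020-09-24T18:22:06Z 10.0.0.9 -> 198.51.100.4 GET /abcd HTTP/1.1",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']} {hit['path']}: {hit['label']}")
```

Two caveats a practitioner would want: the checksum8 test is a property any random four-character path satisfies one time in 256, so it is a triage signal to pair with the response (a stager download is a sizeable binary blob, not a pixel) rather than an alert on its own; and the fixed URIs only catch operators who left the default profile in place, which is exactly why content signatures of the kind Talos describes are needed on top of path matching.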

A joint investigation into malicious persons targeting Germany's Bundestag and Turkish diplomats uncovered Cobalt Strike in use by a crew called CopyKittens, tentatively attributing the group's geographic base to Iran.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/09/24/cobalt_strike_cisco_talos/
