Cobalt Strike Usage Explodes Among Cybercrooks
2021-06-29 09:00

The use of Cobalt Strike - the legitimate, commercially available tool used by network penetration testers - by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now "gone fully mainstream in the crimeware world."

"Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020," the researchers wrote.

Just like Metasploit before it, Cobalt Strike quickly got picked up and retrofitted by threat actors: By 2016, Proofpoint researchers were watching Cobalt Strike being used in cyberattacks.

Proofpoint said that the chart below makes it look like the number of threats containing Cobalt Strike has dipped, but in year-over-year data, researchers have seen more campaigns associated with Cobalt Strike between January and June 2021 than between January and June 2020.

New Cobalt Strike licenses cost $3,500 per user for a one-year license, according to Cobalt Strike's website.

Sherrod DeGrippo, Proofpoint senior director of threat research and detection, told Threatpost that offensive security tools such as these and Cobalt Strike aren't "inherently evil," but it's still worth examining "how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike."


News URL

https://threatpost.com/cobalt-strike-cybercrooks/167368/