Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform, using specially crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center said in a technical write-up.
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that has actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - is one of the rare Linux ports of what has traditionally been a Windows-based red team tool, one heavily repurposed by adversaries to mount an array of targeted attacks.
An unofficial Linux version of Cobalt Strike Beacon, written from scratch by unknown threat actors, has been spotted by security researchers while being actively used in attacks targeting organizations worldwide. Cobalt Strike is also used by threat actors for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices.
The main components of the tool are the Beacon payload - the implant that runs on compromised hosts - and the Cobalt Strike team server, which issues commands to those hosts and receives the data they exfiltrate. An attacker starts by standing up a machine running the team server, configured with a Malleable C2 profile that customizes the implant's behaviour, such as how often a Beacon is to check in with the server (the sleep interval and its jitter) and how the data exchanged on each check-in is shaped and encoded.
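The check-in interval described above is also what defenders key on: a Beacon that sleeps for a configured time, shortened by a random jitter fraction, produces request gaps that are far more regular than human browsing. The following is an added example (not code from any of the articles quoted here, nor from Cobalt Strike itself) that mimics that sleep/jitter behaviour on constructed data and then flags source/destination pairs whose inter-request gaps have a low coefficient of variation. The host addresses, the 60-second sleep, the 20% jitter and the 0.25 threshold are all assumptions chosen for the demonstration.

```python
import random
import statistics
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple, Optional

Pair = Tuple[str, str]


def intervals(timestamps: Sequence[float]) -> List[float]:
    """Gaps (seconds) between consecutive timestamps, sorted first."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(timestamps: Sequence[float], min_events: int = 8) -> Optional[float]:
    """Coefficient of variation (stdev / mean) of the inter-request gaps.

    A proportional jitter (sleep * (1 - U(0, j))) leaves the CV independent of
    the sleep length, so one threshold works for 1-minute and 1-hour sleeps.
    Returns None when there are too few requests to judge.
    """
    gaps = intervals(timestamps)
    if len(gaps) < min_events - 1:
        return None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def is_beaconing(timestamps: Sequence[float], min_events: int = 8, max_cv: float = 0.25) -> bool:
    """True when the gaps are regular enough to look like a sleeping implant."""
    score = beacon_score(timestamps, min_events)
    return score is not None and score <= max_cv


def simulate_beacon_checkins(sleep_s: float, jitter: float, count: int, seed: int = 1) -> List[float]:
    """Constructed sample: each sleep is reduced by a random 0..jitter fraction,
    the way a sleeptime/jitter pair shortens the wait between check-ins."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        out.append(t)
        t += sleep_s * (1 - rng.uniform(0, jitter))
    return out


def find_beacons(records: Sequence[Tuple[float, str, str]], max_cv: float = 0.25) -> Dict[Pair, float]:
    """Group (timestamp, src, dst) proxy/firewall records by host pair and
    return the pairs whose gaps look like beaconing, with their scores."""
    by_pair: Dict[Pair, List[float]] = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, ts_list in by_pair.items():
        score = beacon_score(ts_list)
        if score is not None and score <= max_cv:
            flagged[pair] = score
    return flagged


# Constructed input. Hosts use documentation ranges (RFC 5737); nothing here is real traffic.
HUMAN_TIMESTAMPS = [0.0, 2.0, 2.5, 302.5, 314.5, 315.5, 360.5, 1260.5, 1263.5, 1270.5, 1390.5]
SAMPLE_RECORDS = (
    [(ts, "10.0.0.5", "203.0.113.7") for ts in simulate_beacon_checkins(60, 0.2, 40, seed=7)]
    + [(ts, "10.0.0.9", "198.51.100.3") for ts in HUMAN_TIMESTAMPS]
)

if __name__ == "__main__":
    for (src, dst), score in find_beacons(SAMPLE_RECORDS).items():
        print(f"possible beacon: {src} -> {dst} (cv={score:.3f})")
```

With 20% jitter the gaps are uniform on [0.8s, s], giving a population CV of about 0.064; even 50% jitter stays near 0.19, so a 0.25 cut-off tolerates the jitter settings commonly seen while still rejecting interactive browsing. In production the same statistic is normally run per (source, destination, URI) over a sliding window, and low-volume pairs below `min_events` are deferred rather than cleared.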
If you're a regular reader of Naked Security and Sophos News, you'll almost certainly be familiar with Cobalt Strike, a network attack tool that's popular with cybercriminals and malware creators. By implanting the Cobalt Strike "Beacon" program on a network they've infiltrated, ransomware crooks can not only surreptitiously monitor but also sneakily control the network remotely, without even needing to log in first.
Security researchers have discovered denial-of-service vulnerabilities in Cobalt Strike that make it possible to block Beacon command-and-control channels and prevent new deployments. Cobalt Strike is also used by threat actors for post-exploitation tasks after deploying so-called beacons, which provide them with persistent remote access to compromised devices.
A malware spam campaign is milking the Kaseya ransomware attacks against the company's Virtual System Administrator (VSA) platform to spread a link posing as a Microsoft security update, along with an attached executable that drops Cobalt Strike, researchers warn. While Malwarebytes hasn't determined which threat actors are behind the Kaseya-themed malspam campaign, Segura of Malwarebytes said that the fake security update - the Cobalt Strike payload - is, interestingly enough, hosted on the same IP address used for another campaign pushing the Dridex banking trojan.
Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing tool and threat emulation software that's also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.
Analyzing the illegitimate use of Cobalt Strike, Proofpoint said it found that the tool is increasingly being used by attackers as an initial access payload, meaning it is the first-stage malicious payload delivered directly to victimized machines. This is a change from past instances when Cobalt Strike was used more as a second-stage tool, brought in once the targeted systems had already been accessed.
The use of Cobalt Strike - the legitimate, commercially available tool used by network penetration testers - by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now "gone fully mainstream in the crimeware world." "Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020," the researchers wrote.