Security News
The main components of the security tool are the Cobalt Strike client - also known as a Beacon - and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured with specific "Malleability" customizations, such as how often the Beacon checks in with the server or which data it sends on each periodic check-in.
If you're a regular reader of Naked Security and Sophos News, you'll almost certainly be familiar with Cobalt Strike, a network attack tool that's popular with cybercriminals and malware creators. By implanting the Cobalt Strike "Beacon" program on a network they've infiltrated, ransomware crooks can not only surreptitiously monitor but also sneakily control the network remotely, without even needing to log in first.
Security researchers have discovered Cobalt Strike denial of service vulnerabilities that allow blocking beacon command-and-control communication channels and new deployments. Cobalt Strike is also used by threat actors for post-exploitation tasks after deploying so-called beacons, which provide them with persistent remote access to compromised devices.
A malware spam campaign is milking the Kaseya ransomware attacks against its Virtual System/Server Administrator platform to spread a link pretending to be a Microsoft security update, along with an executable file that's dropping Cobalt Strike, researchers warn. While Malwarebytes hasn't determined what threat actors are behind the Kaseya-themed malspam campaign, Segura said that the fake security update - the Cobalt Strike payload - is, interestingly enough, hosted on the same IP address used for another campaign pushing the Dridex banking trojan.
Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing tool and threat emulation software that's also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.
Analyzing the illegitimate use of Cobalt Strike, Proofpoint said it found that the tool is increasingly being used by attackers as an initial access payload, meaning it's enlisted to deploy the initial malicious payload onto victimized machines. This is a change from past instances when Cobalt Strike was used more as a second-stage tool that played a role once the targeted systems had already been accessed.
The use of Cobalt Strike - the legitimate, commercially available tool used by network penetration testers - by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now "gone fully mainstream in the crimeware world." "Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020," the researchers wrote.
Cobalt Strike is an Adversary Simulation and Red Team Operations tool that allows organizations to simulate advanced attacks and test their security stacks in a close-to-real-world simulation. A new research webinar from XDR provider Cynet offers a better look at Cobalt Strike.
Cobalt Iron announced that it has been granted a patent on its technology for dynamic authorization control based on conditions and events. Issued on May 4, U.S. patent #10999290 describes new capabilities for Cobalt Iron Compass, an enterprise SaaS backup platform, that enable the use of analytics and machine learning to adjust user authentication and access to IT resources dynamically based on a variety of environmental and operational considerations.
Cobalt Iron announced that its Compass enterprise software-as-a-service backup platform now enables seamless management of Google Cloud Platform virtual machine snapshots. Through this new capability, Compass users are able to manage backup retentions and schedules for GCP VM snapshots using the Compass Commander GUI, the same interface with which they manage their enterprise backups.