Summary: The misuse of Cobalt Strike, a legitimate adversary simulation tool, has significantly decreased over the past two years, according to its developer, Fortra. While initially designed for security penetration testing, cybercriminals and state-sponsored threat actors have exploited cracked versions of the tool to target critical sectors like healthcare with ransomware and other malware. In response, Fortra partnered with Microsoft and Health-ISAC in 2023 to disrupt the abuse, leading to the takedown of nearly 600 Cobalt Strike servers by Europol in 2024. As a result, unauthorized copies of the tool have dropped by 80% in the past two years, with over 200 malicious domains seized and sinkholed to prevent further exploitation.
Security Officer Comments: Although efforts by Fortra and its partners have limited the use of cracked versions of Cobalt Strike, threat actors have quickly turned to alternative tools like Sliver as a replacement to continue their malicious activities. Sliver, an open-source command-and-control framework released in 2020 by security firm Bishop Fox, was originally designed for security teams and penetration testers to assess their digital environments. However, in recent years, it has become a popular choice among attackers and advanced persistent threat groups, who use it for nefarious purposes. Notably, Sliver has been observed in combination with Rust-based malware strains, such as KrustyLoader, to establish backdoor access and maintain communication with malicious C2 servers. It has also been used to exploit zero-day vulnerabilities, including critical flaws in Ivanti Connect Secure and Policy Secure services.
Suggested Corrections: Fortra reports that the average dwell time—the time between initial detection and takedown—has been reduced to less than one week in the United States and under two weeks globally. The company emphasizes that its efforts to combat the misuse of Cobalt Strike continue, including collaborating with law enforcement, issuing takedown notices to hosting providers, and raising awareness about the illegal use of unauthorized Cobalt Strike copies.
Link(s): https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike