Huge increase in threat actors using Cobalt Strike - Proofpoint research
Cybersecurity company Proofpoint has released research finding a 161% increase in threat actors using the threat emulation tool Cobalt Strike.
Cobalt Strike is a legitimate security tool used by penetration testers to emulate threat actor activity in a network. Increasingly, however, it is being used by malicious actors as an initial access payload, not just as a second-stage tool deployed once access has been achieved.
Criminal threat actors made up the bulk of attributed Cobalt Strike campaigns in 2020. The tool is used in a diverse array of attacks, such as the SolarWinds attack. It has unique built-in capabilities enabling it to be quickly deployed and operationalised regardless of actor sophistication or access to human or financial resources.
Proofpoint lays out some key findings in the research:
- Cobalt Strike is currently used by more cybercrime and general commodity malware operators than APT and espionage threat actors. Since 2019, only 15% of Cobalt Strike campaigns were attributable to known threat actors.
- Cobalt Strike has been observed in various attack chains alongside malware such as The Trick, BazaLoader, Ursnif, IcedID, and other popular loaders.
“Offensive security tools are not inherently evil, but it is worth examining how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike,” says Proofpoint senior director, Threat Research and Detection, Sherrod DeGrippo.
“The use of publicly available tooling aligns with a broader trend observed by Proofpoint. Threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting malicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive, SendGrid, and Constant Contact to host and distribute malware.”
DeGrippo says the topic has been discussed in the information security industry for years. Threat actors across the crimeware and APT spectrum are fully armed with legitimate security tools, and defensive teams are battling the most prepared threat actors.
“Our data shows that Cobalt Strike is currently used by more cybercrime and general commodity malware operators than APT and espionage threat actors,” she says.
“This means it has gone fully mainstream in the crimeware world. Financially motivated threat actors are now armed similarly to those financed and backed by various governments.”