If every second hack seems to involve malicious use of penetration testing tool Cobalt Strike, it’s not just your imagination.
Russian hackers deployed Cobalt Strike’s command-and-control function during their attack against SolarWinds’ network management software. Hackers who earlier this year got into Cisco corporate IT infrastructure used the tool. The first thing the threat actor behind the Emotet malware does after an initial infection is to download Cobalt Strike onto compromised endpoints.
The number of organizations affected each year by a hack involving Cobalt Strike now numbers in the tens of thousands, says the Department of Health and Human Services in a new warning to the healthcare sector.
The Conti ransomware group values access to Cobalt Strike so much that it paid a legitimate company $30,000 to secretly buy licenses for it, cybersecurity reporter Brian Krebs wrote in March.
Cobalt Strike's vendor did not immediately respond to Information Security Media Group's request for comment, but the tool's popularity among hackers is no secret. "Its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," said cybersecurity company Proofpoint in a 2021 report.
The penetration testing tool, whose legitimate user base consists of white hat hackers, is being abused “with increasing frequency” against many industries, including the healthcare and public health sector, by ransomware operators and various advanced persistent threat groups, HC3 writes.