Campaign against Cobalt Strike malware progressing

But SMEs are on their own

The use of the law to shut down malicious use of Cobalt Strike is progressing apace, but for now, small businesses are on their own.

In March 2023, the U.S. District Court for the Eastern District of New York allowed Microsoft, Fortra, and Health-ISAC to disrupt criminal activity using cracked copies of Fortra’s Cobalt Strike security software. Since then the three organizations have made a significant dent in the activity. The efforts have detected malicious infrastructure in China, the United States, and Russia and identified threat actors acting in the interests of foreign governments, including Russia, China, Vietnam, and Iran.

“Now the most recent update is just over 30% drop in daily observed abuse of traffic,” said Fortra’s Bob Erdman, associate VP of research and development. “The action has shifted really towards the places that aren’t so friendly with the US law enforcement. Even so … we’re definitely seeing a reduction in the amount of infected systems out there.”

Fortra’s role

The Fortra Cyber Intelligence Team played a critical role in identifying the legitimate versus unauthorized systems as they were observed on the internet and served as the central hub for data collection from other public and private partners that was fed into the legal mechanisms to initiate the takedown processes.

A one-third reduction in compromised systems in six months is nothing to sneeze at, but the problem has been growing for several years, possibly as far back as the tool’s introduction in 2012. Hundreds of instances have been discovered on servers worldwide every year since 2020 by organizations like Intel 471, Fox-IT, and even Walmart. The targets discovered are generally large enterprises, so the odds that small-to-medium enterprises (SMEs) have an infection are fairly low, according to several red teams contacted.

Cobalt Strike is a legitimate penetration testing tool produced by Fortra used by cybersecurity professionals and red teams to test the security of a network. It is popular in both legitimate and malicious circles because of its effectiveness. The likelihood of a cybercriminal targeting an SME may depend on the perceived value of the data or assets the SME possesses. If the SME handles sensitive customer information, financial data, or valuable intellectual property, it may be more attractive as a target.

Erdman would not name the organizations identified as hosting the malware, nor any specific countries beyond the four mentioned earlier. “We didn’t name any individuals or any individual nations as part of this action because we are not 100% proof positive. We’ve generally had good cooperation around the world so I think we’ll see more of these.”

SMEs up the creek

Without knowing specifics, however, it becomes difficult for SMEs without robust security infrastructure to know if they have a problem. Erdman said smaller organizations should implement a significant penetration testing (pen-testing) effort to find infections, but a group of pen-testing companies we contacted were skeptical.

Ben Brown, co-founder of the UK-based Ronin-Pentest, agreed that criminals could plant a Cobalt Strike beacon in an SME’s network and simply wait for the business to be acquired by a large company before deploying the malware for a big payday. But even a highly competent pentester would have a hard time finding it.


“It would be unlikely that you would find a Cobalt Strike beacon running in memory on a host because you’d have to compromise the host,” Brown said. “Then you’d have to be going through the memory of the host in a great degree of detail looking for default certificates. And then you would have to hope the person who deployed the attack had not changed the names of the beacons and the certificates from the defaults. That would suggest a relatively sloppy attacker.

“If they knew their onions and they were a government-level adversary, then they’re not going to leave the names of the files that they upload default. A sophisticated attacker will change the names of those things, and then you’re looking for even more detailed signatures, which, yeah, most SMEs don’t spend the kind of money that would give me enough time to apply that kind of detail to a pentest.”

Forensics necessary

Brown said employing forensic tools and services, like those available from managed security service providers (MSSP), would be a better and more affordable option.

One company that offers those types of services is Cyjax, in the UK. The company’s CISO, Ian Thornton-Trump, said traffic analysis is the first step in determining if you have a problem.

“If you are an SME in Canada and you have a lot of traffic with an IP address in Zimbabwe, it probably doesn’t make a lot of sense,” he explained. “That’s a problem.”

Thornton-Trump agreed with Brown that an MSSP can provide that service, but there are also tools that can identify problems before that step. “Greynoise will parse your traffic data and find where the IP addresses with bad reputations are.”

Greynoise costs between $27,000 and $157,000 annually but offers a freemium version that can help a small business discover a problem and determine if a greater investment needs to be made.
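The traffic-analysis check Thornton-Trump describes, written as an added example (not code from the article or from Cyjax or Greynoise): outbound flows are aggregated per destination and flagged when the destination has a bad reputation or moves a lot of data to a country the business has no reason to talk to. The flow records, GeoIP table and reputation list are all constructed stand-ins for a NetFlow export, a GeoIP database and a reputation feed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (src, dst, bytes) standing in for exported NetFlow or
# firewall logs; destination IPs are documentation ranges, not real infrastructure.
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.7", 4_200_000),
    ("10.0.0.12", "203.0.113.7", 3_900_000),
    ("10.0.0.31", "198.51.100.22", 12_000),
    ("10.0.0.31", "192.0.2.55", 800),
    ("10.0.0.44", "198.51.100.9", 150_000),
]

# Constructed GeoIP table; a real deployment would query a GeoIP database.
GEOIP = {
    "203.0.113.7": "ZW",
    "198.51.100.22": "CA",
    "192.0.2.55": "CA",
    "198.51.100.9": "US",
}

# Constructed reputation feed (placeholder for data from a service such as Greynoise).
BAD_REPUTATION = {"192.0.2.55"}


def flag_suspicious_destinations(flows, geoip, bad_reputation,
                                 expected_countries, byte_threshold=1_000_000):
    """Aggregate outbound bytes per destination and flag destinations that are
    (a) on the reputation list, or (b) outside the expected countries with
    total traffic at or above the threshold. Returns {dst_ip: [reasons]}."""
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        ip_address(dst)  # raise early on a malformed record
        totals[dst] += nbytes
    findings = {}
    for dst, total in totals.items():
        reasons = []
        if dst in bad_reputation:
            reasons.append("bad reputation")
        country = geoip.get(dst, "??")  # unknown geography is treated as unexpected
        if country not in expected_countries and total >= byte_threshold:
            reasons.append(f"{total} bytes to unexpected country {country}")
        if reasons:
            findings[dst] = reasons
    return findings


if __name__ == "__main__":
    # A Canadian SME that also does business with the US, per the article's scenario.
    for ip, why in flag_suspicious_destinations(SAMPLE_FLOWS, GEOIP, BAD_REPUTATION, {"CA", "US"}).items():
        print(ip, "->", "; ".join(why))
```

Small destinations in unexpected countries are deliberately not flagged on geography alone, so the threshold and the expected-country set need tuning to the business.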

The risk of a cybercriminal attempting to infiltrate an SME using a cracked version of Cobalt Strike is influenced by a variety of factors. SMEs should prioritize cybersecurity measures to reduce their vulnerability to such threats and stay informed about the evolving cyber threat landscape. Using legitimate and properly licensed cybersecurity tools is essential to maintain a strong defense against cyberattacks.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.

2 thoughts on “Campaign against Cobalt Strike malware progressing”

  • What role do technological advancements play in the continuous improvement of the fight against the Cobalt Strike malware?

    • The problem with Cobalt Strike is not with the tool itself but with companies that have not kept up with upgrades and patches. The technology has advanced to prevent the problem, but users still have to avail themselves of it —editor

