Posted on March 1, 2019 at 12:36 PM
The cyber security company Fox-IT recently discovered a bug in Cobalt Strike, a software tool for breach risk testing. Alongside web security experts, hackers have also adopted Cobalt Strike for its advantages. A weakness in this software enabled the researchers to identify the location of a few thousand malware C&C servers.
What is Cobalt Strike?
Cobalt Strike is a software tool for web threat emulation – Red Team Operations and Adversary Simulations. For more than ten years, web security professionals have used Cobalt Strike for penetration testing. In the last five years, groups of hackers have started using it as well. Cobalt Strike is popular because it has a few important advantages, for example an easy-to-use and effective client-server architecture.
Known hacker groups that use Cobalt Strike include FIN6 and FIN7 (Carbanak), as well as some state-sponsored groups, for example APT29 (also known as Cozy Bear). With Cobalt Strike, hackers are able to host malicious command-and-control (C&C) servers. They plant Cobalt Strike beacons on infected hosts and use them to spread malware across private networks.
The web security researchers at Fox-IT detected a weakness in the server component of Cobalt Strike. At the core of the Cobalt Strike team server is NanoHTTPD, a Java web server. This component had a flaw in its behaviour that the researchers used to track down hackers' servers.
Fox-IT reported that NanoHTTPD was unintentionally adding extra whitespace to the server's HTTP responses. Using this whitespace as a fingerprint, Fox-IT was able to identify communications between Cobalt Strike beacons and their C&C servers. Fox-IT tracked servers this way from January 2015 to February 2019. In February this year, the Cobalt Strike development team released a patch that corrected the weakness in the latest version of the software (3.13).
Over that four-year period, Fox-IT recorded 7718 unique Cobalt Strike team servers / NanoHTTPD hosts. The company has also published a list of the IP addresses that hosted these servers so that other security teams can use it. This way, others can search their network logs for these malicious servers and detect security breaches. Although some of these servers could be legitimate Cobalt Strike servers that web security professionals host for testing, many of them are the work of hackers.
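As an added example (not code from Fox-IT or the Cobalt Strike project), the following Python shows both halves of the detection described above: a check for the NanoHTTPD whitespace fingerprint, assuming, as Fox-IT's write-up reported, that the extra whitespace is a trailing space at the end of the HTTP status line, and a lookup of constructed proxy-log lines against a placeholder list of flagged server IPs standing in for the one Fox-IT published.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample responses, not real captures. The first mimics a
# NanoHTTPD-backed team server before the 3.13 fix: the status line carries
# a trailing space before CRLF (assumed form of the extra whitespace).
# The second is an ordinary server response with no extraneous whitespace.
NANOHTTPD_STYLE = (
    b"HTTP/1.1 200 OK \r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NORMAL = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

# HTTP-version SP status-code [SP reason-phrase]; the reason may be empty.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}(?: [^\r\n]*)?$")


def has_whitespace_fingerprint(raw: bytes) -> bool:
    """True if a parseable HTTP/1.x status line ends in trailing whitespace."""
    head, sep, _ = raw.partition(b"\r\n")
    if not sep or not STATUS_LINE.match(head):
        return False  # not an HTTP/1.x response we can judge
    return head != head.rstrip(b" \t")


# Constructed proxy-log format: "<ts> <src> -> <dst>:<port> <path>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<path>\S+)$"
)

# Placeholder list of flagged team-server IPs (TEST-NET addresses, standing
# in for the list Fox-IT published) and a few constructed log lines.
FLAGGED: Set[str] = {"203.0.113.10", "198.51.100.7"}
SAMPLE_LOG = [
    "2019-02-20T09:12:01Z 10.0.0.15 -> 192.0.2.5:443 /index.html",
    "2019-02-20T09:12:44Z 10.0.0.15 -> 203.0.113.10:80 /ping",
    "2019-02-20T09:13:02Z 10.0.0.22 -> 203.0.113.10:80 /api/v1/check",
]


def match_flagged_servers(lines: Iterable[str], flagged: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, destination, path) for hits on flagged IPs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("dst") in flagged:
            hits.append((m.group("ts"), m.group("src"), m.group("dst"), m.group("path")))
    return hits
```

A trailing-space match alone is a lead, not proof: other software can emit the same quirk, so correlate any hit with the published IP list before escalating.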
Some of the servers on the list Fox-IT compiled had clearly malicious owners and purposes. For example, the Chinese state-sponsored hacking group APT10 owned some of the C&C malware servers. Hackers from the Cobalt Group, FIN7, also known as Carbanak, owned malicious servers as well. There was also a banking trojan named BokBot.
A web security company from China, the KnownSec 404 Team, found many of the servers on Fox-IT's list in its own research, using the ZoomEye IoT search engine. It found 3643 Cobalt Strike NanoHTTPD servers that were still active; 86% of the servers it identified are also on Fox-IT's list.
The Cobalt Strike development team has begun distributing the patch for the weakness, so the number of servers Fox-IT can identify with this method will decrease. Since the developers will only provide the patch to licensed users, most of the servers identified in the future will probably be malicious. Hackers mostly use illegal versions (pirated, cracked or unregistered) of Cobalt Strike for their malicious operations. That means many of them won't receive the patch and will therefore remain detectable by web security companies.