In the latest research conducted by Proofpoint, it has come forth that adversaries are increasingly using Cobalt Strike, which is an authentic software tool used for system security testing.

A dynamic increase in cyberattacks in 2020:

To the unaware, Cobalt Strike is a penetration testing tool used by security testers, which gives access to a large variety of attack capabilities. Cobalt Strike can also be used to conduct spear-phishing and gain unauthorized access to systems and can emulate a variety of malware and other advanced threat tactics.

However, in recent developments, it has been found that Cobalt Strike is also being widely used by threat actors to launch real attacks against organizations. 

According to Proofpoint’s research, there was a whopping 161% increase in cyberattacks that are actively utilizing Cobalt Strike in 2020 than what was found in 2019. 

Also read,

The security organization also states that they have detected thousands of organizations that were targeted by the threat emulation tool. The number of organizations being target by the threat emulation tools is only expected to increase in 2021.

As for the usage of the legitimate tool, malicious adversaries are reportedly getting access to the tool from pirated versions that are available on the dark web.

Who is mal-utilizing Cobalt Strike?

One of the most widely used Cobalt Sticker tools is the Beacon, which is the tool’s payload to model advanced attackers and allows adversaries to hide their activities to communicate with a compromised system. 

The tool is also seen an increased usage by ransomware gangs as a way to install a second payload after they’ve infiltrated a system.

Threat actors behind the SolarWinds cyberattack reportedly used a customized version of the malware as part of a multi-pronged approach. 

Some of the other threat actors that have been known to be using Cobalt Strike are the FIN7 and the Conti ransomware groups, as well as Chinese and Russian state-sponsored attackers.

“Offensive security tools are not inherently evil, but it is worth examining how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike,” provides Proofpoint. “Financially motivated threat actors are now armed similarly to those financed and backed by various governments.”

Along with Cobalt Strike, other security tools that are observing increasing use in cyberattacks include Mythic, Meterpreter, and the Veil Framework.