Google Cloud security experts disclosed the discovery in the wild of 34 cracked versions of the Cobalt Strike hacking toolkit, from version 1.44, released in November 2012, to this year’s version 4.7.
The hacking tool, developed by Fortra (also known as HelpSystems), is popular among red teams, which use it to assess the security of their defense systems and replicate attack scenarios.
“Cobalt Strike vendor Fortra (until recently known as Help Systems) uses a vetting process that attempts to minimize the potential that the software will be provided to actors who will use it for nefarious purposes, but Cobalt Strike has been leaked and cracked over the years,” according to Google Cloud security engineer Greg Sinclair. “These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily.”
Cobalt Strike is a compilation of security tools bundled into a single JAR file. The toolkit hosts a Team Server component that can work as a command-and-control (C&C, C2) endpoint and a hub to coordinate attacks and control multiple compromised devices.
To combat the abuse of hacked Cobalt Strike iterations, Google released a collection of open-source YARA rules that can be used to “flag and identify Cobalt Strike’s components and its respective versions.”
The company said its goal is not to hamper legitimate Cobalt Strike users but rather contain the abuse by determining the legitimacy of its users. Old versions seem to be mainly targeted because, as Google explains, the latest versions are more likely to be those that “paying customers are using.”
“Our intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse,” Sinclair says in Google Cloud’s security advisory.
Specialized tools like Bitdefender Ultimate Security can keep you safe against cyberthreats, with features like:
- Continuous, all-around detection and protection against worms, viruses, Trojans, zero-day exploits, spyware, ransomware, rootkits, and other e-threats
- Network threat prevention module that scans the network for suspicious activities and blocks them before they harm you
- Behavioral detection component that closely monitors active apps and takes instant action upon discovering suspicious activity
- Multi-layer ransomware protection that keeps your files safe against all kinds of ransomware attacks