Financially motivated cybercriminals are increasingly turning to Cobalt Stike, a legitimate tool that cybersecurity professionals use to test system security, researchers at Proofpoint found.
The cybersecurity firm declined to disclose specific numbers but reported a 161% increase in attacks using Cobalt Strike in 2020 compared to 2019. Proofpoint researchers have already seen tens of thousands of organizations targeted by the tool this year and expect those numbers to climb in 2021, according to the report the firm released Tuesday.
Threat groups are able to get ahold of the tool from pirated versions circulating the dark web, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
Cobalt Strike is a popular tool for security testing because of the variety of attacks it enables. Most notable among them is Cobalt Strike Beacon, a malware that allows hackers to mask their activity and communications with a system once it’s infiltrated. Russian hackers behind the SolarWinds campaign reportedly used a customized version of the malware as part of a multi-pronged approach. The tool has also gained popularity with ransomware gangs as a way to install a second payload after they’ve infiltrated a system.
Proofpoint’s data suggests that use by cybercriminals has overtaken that of state-linked groups often known as “advanced persistent threats,” showing just how mainstream it has gone. The uptick speaks to a long-standing tension in the cybersecurity community: Nearly any tool will be exploited by the bad guys eventually.
“Offensive security tools are not inherently evil, but it is worth examining how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike,” DeGrippo wrote. “Financially motivated threat actors are now armed similarly to those financed and backed by various governments.”
Researchers at Proofpoint have also seen an increase in attacks using security testing tools such as Mythic, Meterpreter and the Veil Framework.
Cybercriminals also turning to trusted services like Dropbox, Google Drive, SendGrid and Constant Contact to host and distribute malware.