Researchers at Recorded Future report a rise in cracked Cobalt Strike and other open-source adversarial tools with easy-to-use interfaces.
Simple to use and deploy offensive security tools, making it easier than ever for criminals with little technical know-how to get in on cybercrime are seeing a significant rise, researchers say.
Recorded Future just released findings from its regular year-end observations of malicious infrastructure, identifying more than 10,000 unique command and control (C2) servers, across 80 malware families — nearly all linked to advanced persistent threat (APT) groups or “high-end financial actors.”
Recorded Future’s 2020 Adversary Infrastructure Report explained that researchers anticipate increased adoption of open-source tools because they’re easy to use and accessible to criminals without deep technical expertise.
“Over the next year, Recorded Future expects further adoption of open-source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver and Mythic,” the report said. “Three of these tools have graphical user interfaces, making them easier to use for less experienced operators and all four have verbose documentation on their uses.”
Open Source and Cobalt Strike Dominate
Researchers go on to explain that since the Cobalt Strike source code leaked last November on GitHub, it has increased in use, and that cracked or trial versions were largely being used by notable APTs including APT41, Mustang Panda, Ocean Lotus and FIN7. Cobalt Strike was also was linked to the highest number of observed C2 servers last year, the report said.
Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to exfiltrate data, deliver malware and create fake C2 profiles which look legit and avoid detection.
Cobalt Strike was used with 1,441 observed C2 servers in 2020, according to Recorded Future, followed by Metasploit with 1,122 and PupyRat with 454.
“The most commonly observed families were dominated by open-source or commercially available tooling,” the report said. “Detections of unaltered Cobalt Strike deployments (the pre-configured TLS certificate, Team Server administration port, or telltale HTTP headers) represented 13.5 percent of the total C2 servers identified. Metasploit and PupyRAT represented the other top open-source command-and-control servers identified by Recorded Future.”
Links to APTs
The report added that nearly every observed offensive security tool (OST), including Cobalt Strike and others, can be traced back to attacks from APT actors.
“Nearly all of the OSTs detected by Recorded Future have been linked to APT or high-end financial actors,” the report said. “The ease of access and use of these tools, mixed with the murkiness of potential attribution, makes them appealing for unauthorized intrusions and red teams alike.”
The APT threat landscape overall has gotten more complex over the past year, according to Kaspersky’s 2020 APT trends report thanks to widespread innovation across APT groups with varying tactics, techniques and procedures (TTPs).
Once researchers were able to identify the C2 servers, they traced those back to 576 different hosting providers. Amazon hosted the most with 471, or about 3.8 percent. Fellow U.S.-based host Digital Ocean came in second on the list with 421. The report explained that’s not necessarily a red flag.
“The deployment of Cobalt Strike and Metasploit controllers on these providers is not indicative of malpractice or negligent hosting but is more likely due to authorized red teams using these tools on cloud infrastructure,” the report said.
Recorded Future explained the point of this ongoing malicious infrastructure audit is to help security teams identify actors as they’re setting up, rather than waiting for them to get up and running and able to strike. The report found teams have what amounts to about a 61-day lead time from when a C2 server is created to when it’s detectable. The report adds the average time these servers host malicious infrastructure is 54.8 days.
But detection before malicious infrastructure can be used creates an opportunity to stop threat actors before they can cause damage, according to Recorded Future.
“Before a server can be used by a threat actor, it has to be acquired, either via compromise or legitimate purchase,” Recorded Future explained. “Then, the software must be installed, configurations must be tuned and files added to the server. The actors must access it via panel login, SSH or RDP protocols, and then expose the malware controller on a port to allow the data to transfer from the victim and to administer commands to infections. Only then can the server be used for malicious purposes.”
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.