#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Cobalt Strike | Breaking Cybersecurity News | The Hacker News

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Feb 20, 2024 Malware / Supply Chain Security
Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called  DLL side-loading  to circumvent detection by security software and run malicious code. The packages, named  NP6HelperHttptest  and  NP6HelperHttper , were each downloaded  537  and  166 times , respectively, before they were taken down. "The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer  said  in a report shared with The Hacker News. The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision's employees to PyPI. In other words, the goal is to trick developers searching for NP6Hel
PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

Feb 13, 2024 Cyber Threat / Malware
The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of "devolution." "Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos  said . PikaBot,  first documented  by the cybersecurity firm in May 2023, is a malware loader and a backdoor that can execute commands and inject payloads from a command-and-control (C2) server as well as allow the attacker to control the infected host. It is also known to halt its execution should the system's language be Russian or Ukrainian, indicating that the operators are either based in Russia or Ukraine. In recent months, both PikaBot and another loader called DarkGate have emerged as  attractive replacements  for threat actors such as  Water C
How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

Feb 15, 2024SaaS Security / Risk Management
With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023.  Their study reveals  how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.  The TL;DR Version Of SaaS Security 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizat
SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

Jan 25, 2024 Remote Access Trojan
Cybersecurity researchers have shed light on the command-and-control (C2) server workings of a known malware family called  SystemBC . "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll  said  in an analysis published last week. The risk and financial advisory solutions provider said it has witnessed an increase in the use of malware throughout Q2 and Q3 2023. SystemBC,  first observed  in the wild in 2018, allows threat actors to remote control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also features support for launching ancillary modules on the fly to expand on its core functionality. A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Jan 09, 2024 Malware / Cyber Threat
A threat actor called Water Curupira has been observed actively distributing the  PikaBot  loader malware as part of spam campaigns in 2023. "PikaBot's operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro  said  in a report published today. The activity began in the first quarter of 2023 that lasted till the end of June, before ramping up again in September. It also overlaps with  prior campaigns  that have used similar tactics to deliver QakBot, specifically those  orchestrated  by  cybercrime groups  known as TA571 and TA577. It's believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot's takedown in August, with DarkGate emerging as another replacement. PikaBot is primarily a loader, which means
New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

Dec 19, 2023 Malvertising / Browser Security
The malware loader known as PikaBot is being distributed as part of a  malvertising   campaign  targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura  said . The malware family, which  first   appeared  in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads. This  enables  the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike. One of the threat actors leveraging PikaBot in its attacks is  TA577 , a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoad
New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks

New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks

Dec 14, 2023 Vulnerability / Data Breach
A previously unknown hacker outfit called  GambleForce  has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful. The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch , sqlmap , tinyproxy , and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive
Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike

Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike

Oct 06, 2023 Cyber Attack / Malware
Threat actors have been observed targeting semiconductor companies in East Asia with lures masquerading as Taiwan Semiconductor Manufacturing Company (TSMC) that are designed to deliver Cobalt Strike beacons. The intrusion set, per  EclecticIQ , leverages a backdoor called HyperBro, which is then used as a conduit to deploy the commercial attack simulation software and post-exploitation toolkit. An alternate attack sequence is said to have utilized a previously undocumented malware downloader to deploy Cobalt Strike, indicating that the threat actors devised multiple approaches to infiltrate targets of interest. The Dutch cybersecurity firm attributed the campaign to a China-linked threat actor owing to the use of HyperBro, which has been almost exclusively put to use by a threat actor known as  Lucky Mouse  (aka APT27, Budworm, and Emissary Panda). Tactical overlaps have also been unearthed between the adversary behind the attacks and another cluster tracked by RecordedFuture un
Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Sep 01, 2023 Database Security / Ransomware
Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER , said it stands out for the way the toolset and infrastructure is employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair system firewall and establish persistence by connecting to a remote SMB share
China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

Aug 17, 2023 Cyber Attack / Malware
An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems.  Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as  Bronze Starlight  (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of  short-lived   ransomware families  as a smokescreen to conceal its espionage motives. "The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel  said  in an analysis published today. It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name  Operation ChattyGoblin . This activity, in turn, shares commonalities with a  supply chain attack  that came to light last year leveraging a troja
Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

May 16, 2023 Endpoint Security / Cyber Threat
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss  said  in a report. Cobalt Strike  is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype  disclosed  details of a rogue Python package called " pymafka "
New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks

New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks

May 09, 2023 Endpoint Security / Ransomware
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks. "Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks," Kroll said in a report shared with The Hacker News. The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date. Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines fo
Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Apr 20, 2023 Ransomware / Cyber Attack
Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under  active   exploitation  by ransomware actors to steal sensitive data. The high-severity flaw, tracked as  CVE-2023-0669  (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18. Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023. "The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments," the company  said . "For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their h
Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool

Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool

Apr 07, 2023
Microsoft said it teamed up with Fortra and Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals to distribute malware, including ransomware. To that end, the tech giant's Digital Crimes Unit (DCU) revealed that it secured a  court order  in the U.S. to "remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals." While Cobalt Strike, developed and maintained by Fortra (formerly HelpSystems), is a legitimate post-exploitation tool used for adversary simulation, illegal cracked versions of the software have been weaponized by threat actors over the years. Ransomware groups, in particular, have leveraged Cobalt Strike after obtaining initial access to a target environment to escalate privileges, lateral move across the network, and deploy file-encrypting malware. "The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been link
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

Mar 16, 2023 Cyber Threat Intelligence
Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed  SILKLOADER  by Finnish cybersecurity company WithSecure, the malware leverages  DLL side-loading techniques  to deliver the commercial adversary simulation software. The development comes as  improved detection capabilities  against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, is forcing threat actors to  seek alternative options  or concoct new ways to propagate the framework to evade detection. "The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques," WithSecure researchers  said . SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been  recently discovered  incorpora
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

Feb 22, 2023 Exploitation Framework / Cyber Threat
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like  Cobalt Strike ,  Sliver , and  Brute Ratel . Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized  Havoc . "While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation," researchers Niraj Shivtarkar and Shatak Jain  said . The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host. Demon is the implant generated via th
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Feb 09, 2023 Threat Intelligence / Malware
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver  Cobalt Strike  and  SystemBC  for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than four hours," Cybereason  said  in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was  first uncovered  by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files th
Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Jan 29, 2023 Cyber Threat / Malware
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,
Cybersecurity Resources