Cobalt Strike | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems. The binary, a loader, has been dubbed "Blister" by researchers from Elastic Security, with the malware samples having  negligible  to  zero  detections on VirusTotal. As of writing, the infection vector used to stage the attack, as well as the ultimate objectives of the intrusion, remains unknown. A notable aspect of the attacks is that they leverage a valid code signing certificate issued by  Sectigo . The malware has been observed signed with the certificate in question dating back to September 15, 2021. Elastic said it reached out to the company to ensure that the abused certificates are revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsig

Nobelium, the threat actor attributed to the massive SolarWinds supply chain compromise, has been once again linked to a series of attacks targeting multiple cloud solution providers, services, and reseller companies, as the hacking group continues to refine and retool its tactics at an alarming pace in response to public disclosures. The intrusions, which are being tracked by Mandiant under two different activity clusters UNC3004 and UNC2652, are both associated with UNC2452, an  uncategorized threat group  that has since been tied to the Russian intelligence service. UNC2652, in particular, has been observed targeting diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike Beacon onto the infected devices. "In most instances, post compromise activity included theft of data relevant to Russian interests," Mandiant researchers Luke Jenkins, Sarah Hawley, Parnian Najafi, and Doug Bienstock  said  in

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for mounting intrusions that range from financially motivated ransomware attacks to phishing campaigns. BlackBerry's research and intelligence team dubbed the entity " Zebra2104 ," with the group responsible for offering a means of a digital approach to ransomware syndicates such as MountLocker and Phobos, as well as the advanced persistent threat (APT) tracked under the moniker  StrongPity  (aka Promethium). The threat landscape as we know it has been increasingly dominated by a category of players known as the initial access brokers ( IABs ), who are known to provide other cyber-criminal groups, including ransomware affiliates, with a  foothold to an infinite pool of potential organizations  belonging to diverse geographies and sectors via persistent backdoors into the victim networks, effectively building a pricing model for remote access. &

A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world,"  said  researchers with Cisco Talos in a technical write-up. The malspam campaign is believed to have commenced in mid-September 2021 via laced Microsoft Office documents that, when opened, triggers an infection chain that leads to the machines getting infected with a malware dubbed SQUIRRELWAFFLE . Mirroring a technique that's consistent with other phishing attacks of this kind, the latest operation leverages stolen email threads to give it a veil of legitimacy and trick unsuspecting users into opening the attachments. What's more, t

An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks. Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group rechristened as FIN12, and previously tracked under the name  UNC1878 , with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific. The designation marks the first time a ransomware affiliate group has been promoted to the status of a distinct threat actor. "FIN12 relies on partners to obtain initial access to victim environments," Mandiant researchers  said . "Not

Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as  CVE-2021-40444 , as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center  said  in a technical write-up. "These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware." Details about CVE-2021-40444 (CVSS score: 8.8) first  emerged  on September 7 after researchers from EXPMON alerted the Windows maker about a "highly sophisticated zero-day attack" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of  Cobalt Strike Beacon  that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the  rare Linux ports , which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a " threat emulation software ," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions. "The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report publishe

Organizations' cybersecurity capabilities have improved over the past decade, mostly out of necessity. As their defenses get better, so do the methods, tactics, and techniques malicious actors devise to penetrate their environments. Instead of the standard virus or trojan, attackers today will deploy a variety of tools and methods to infiltrate an organization's environment and attack it from the inside. In an interesting twist of fate, one of the tools organizations have used to audit and improve their defenses has also become a popular tool attackers use to infiltrate. Cobalt Strike is an Adversary Simulation and Red Team Operations tool that allows organizations to simulate advanced attacks and test their security stacks in a close-to-real-world simulation. A new research webinar from XDR provider Cynet ( register here ) offers a better look at Cobalt Strike. The webinar, led by Cyber Operations Analyst for the Cynet MDR Team Yuval Fischer, will take a deep dive into the thr

Security researchers have tracked down activities of a new group of financially-motivated hackers that are targeting several businesses and organizations in Germany, Italy, and the United States in an attempt to infect them with backdoor, banking Trojan, or ransomware malware. Though the new malware campaigns are not customized for each organization, the threat actors appear to be more interested in businesses, IT services, manufacturing, and healthcare industries who possess critical data and can likely afford high ransom payouts. According to a report ProofPoint shared with The Hacker News, the newly discovered threat actors are sending out low-volume emails impersonating finance-related government entities with tax assessment and refund lured emails to targeted organizations. "Tax-themed Email Campaigns Target 2019 Filers, finance-related lures have been used seasonally with upticks in tax-related malware and phishing campaigns leading up to the annual tax filing deadlines in

Three members of one of the world's largest cybercrime organizations that stole over a billion euros from banks across the world over the last five years have been indicted and charged with 26 felony counts, the Justice Department announced on Wednesday. The three suspects are believed to be members of the organized Russian cybercrime group known as FIN7 , the hackers group behind Carbanak and Cobalt malware and were arrested last year in Europe between January and June. The suspects—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30—are all from Ukraine and accused of targeting 120 companies based in the United States, as well as U.S. individuals. The victims include Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-in, Taco John's, Chili's, Arby's, and Emerald Queen Hotel and Casino in Washington state. Carbanak (FIN7) Group Charged for Stealing 15 Million Credit Cards According to the press release published

Spanish Police has arrested the alleged leader of an organised Russian cybercrime gang behind the Carbanak and Cobalt malware attacks, which stole over a billion euros from banks worldwide since 2013. In a coordinated operation with law enforcement agencies across the globe, including the FBI and Europol, Police detained the suspected leader of Carbanak hacking group in Alicante, Spain. Carbanak hacking group started its activities almost five years ago by launching a series of malware attack campaigns such as Anunak and Carbanak to compromise banks and ATM networks, from which they swiped millions of credit card details from US-based retailers. According to the Europol, the group later developed a sophisticated heist-ready banking malware known as Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016. "The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist,

A recently disclosed severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute a backdoor malware. First spotted by researchers at security firm Fortinet , the malware has been dubbed Cobalt because it uses a component from a powerful and legitimate penetration testing tool, called Cobalt Strike . Cobalt Strike is a form of software developed for Red Team Operations and Adversary Simulations for accessing covert channels of a system. The vulnerability (CVE-2017-11882) that Cobalt malware utilizes to deliver the backdoor is a memory-corruption issue that allows unauthenticated, remote attackers to execute malicious code on the targeted system when opened a malicious file and potentially take full control over it. This vulnerability impacts all versions of Microsoft Office and Windows operating system, though Microsoft has already released a patch upda

What if you could easily host malicious websites, send phishing emails, and manage compromised hosts across diverse internet addresses? This week's Cobalt Strike adds the ability to manage multiple attack servers at once. Here's how it works: When you connect to two or more servers, Cobalt Strike will show a switch bar with buttons for each server at the bottom of your window. Click a button to make that server active. It's a lot like using tabs to switch between pages in a web browser. To make use of multiple servers, designate a role for each one. Assign names to each server's button to easily remember its role. Dumbly connecting to multiple servers isn't very exciting. The fun comes when you seamlessly use Cobalt Strike features between servers. For example: Designate one server for phishing and another for reconnaissance. Go to the reconnaissance server, setup the system profiler website. Use the phishing tool to deliver the reconnaissance website through