Super embarrassing when you’re hosting C2 infrastructure as a respectable enterprise, right? Or when the Red Team beats the Blue Team? Thanks to the popularization of Threat Intelligence, most organizations are aware of needing to block external connections to C2 infrastructure, but what happens when you’re the one hosting it? Sure, you can wait for the FBI to notify you if you’re part of critical infrastructure, or you can read on to learn how Censys provides a chance to be proactive.

Now let’s take a step back and look at the weapons, who they are intended for, and how the attackers are using our own weapons against us. The term “C2” stands for Command and Control, also known as C&C. These are pieces of software used to control the servers on which they appear over the internet. Like any software, they have uniquely identifiable default settings and configurations. This can provide security professionals with tools to test their defenses, but they can also be leveraged for malicious actions.

Penetration Testers – Often called Pen Testers, Red Teamers, Ethical Hackers, or White Hat Hackers, these are cyber security professionals who test the security controls of organizations. They assume the mindset of an attacker to attempt to penetrate the organization by finding the gaps. Penetration testers often use C2 infrastructure to launch their testing activities.

… and the bad.

Attackers – External parties with malicious intent have a variety of custom and open source tools for conducting command and control activity. Attackers will use C2 infrastructure to issue commands to run malware, move laterally through the victim’s network, and exfiltrate data.

Attackers also use C2 infrastructure to command botnets. Botnets are often remembered for distributing spam, but they can also be leveraged for more nefarious activities such as Denial of Service attacks and siphoning data.

Our latest example of attackers using our tools against us was observed in June 2022. Out of over 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts containing an exploitation tool, Metasploit, and a Command and Control (C2) tool, Deimos C2. Learn more about this particular example in our blog post, Russian Ransomware C2 Network Discovered in Censys Data.

How did the Attackers get the jump on us? The same tools penetration testers use to help keep your organization safe and secure can be weaponized by attackers to take command and control. A highly publicized example of this would be the Cobalt Strike Malware family. Cobalt Strike is a paid “Software for Adversary Simulations and Red Team Operations” as defined on the official Cobalt Strike website at the time of publishing. It leverages an agent called Beacon to conduct activities that evade traditional security controls by design. Beacon is entirely customizable, offering infinite ways to configure it. This makes it nearly impossible to detect the attack with any one security tool due to the variety of ways it can manifest.

The core principles of Cobalt Strike that make it a powerful tool to test your security controls are the same principles that make it so difficult to detect.

Further, it costs only $3,500 a year per user according to Cobalt Strike’s website, making the barrier for entry relatively low for attackers if they can get their hands on a legitimate license. Cobalt Strike does what it can to restrict sales to legitimate users, but like any software, it’s subject to piracy and illegal distribution of licenses in secondary markets such as the Dark Web. What’s worse is that use of Cobalt Strike by attackers continues to rise according to a report from last year: “use of Cobalt Strike increased 161 percent from 2019 to 2020 and remains a high-volume threat in 2021.”

While Cobalt Strike may be one of the most notorious penetration testing tools used for malicious activities, it may soon be joined by good company. DarkReading recently reported that the newest open source tool from BishopFox, ‘Sliver’, is now emerging as a free alternative for attackers. “Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected.”

With attackers starting to weaponize security tools against those intended to protect, we have to be more vigilant in having multiple ways to think about catching the attackers. With that in mind, over here at Censys there has been a recent effort within our rapid-response organization to identify and fingerprint all of the interesting C2 services we could find. We did this using multiple methods, from information already available on the internet to downloading, running, and identifying the services ourselves.
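The fingerprinting effort described above, as an added example that is not Censys code: a matcher that scores constructed scan records against default-configuration rules, where a host is only flagged once enough indicators stack up. The certificate values are the publicly documented Cobalt Strike keystore defaults and the empty-404 rule is a generic listener trait; both are assumptions of this example and neither comes from the page.

```python
from dataclasses import dataclass, field

@dataclass
class ScanRecord:
    """One host observation, shaped like the fields an internet scanner exposes (constructed)."""
    ip: str
    tls_subject: dict = field(default_factory=dict)  # parsed certificate subject, e.g. {"CN": ...}
    tls_serial: int = 0                              # 0 when no TLS was observed
    http_status: str = ""                            # status line after "HTTP/1.1 "
    http_headers: dict = field(default_factory=dict)

# Assumed rules (not from the page): a rule fires when at least `min_hits` of its indicator
# predicates agree, so a partly customized deployment still surfaces at lower confidence. Cert
# values are the documented Cobalt Strike keystore defaults; the bare-404 rule needs every hit.
RULES = {
    "cobalt-strike-default-cert": {"min_hits": 2, "indicators": [
        lambda r: r.tls_subject.get("CN") == "Major Cobalt Strike",
        lambda r: r.tls_subject.get("O") == "cobaltstrike",
        lambda r: r.tls_serial == 146473198,
    ]},
    "bare-404-listener": {"min_hits": 4, "indicators": [
        lambda r: r.http_status.startswith("404"),
        lambda r: r.http_headers.get("Content-Length") == "0",
        lambda r: r.http_headers.get("Content-Type") == "text/plain",
        lambda r: "Server" not in r.http_headers,
    ]},
}

def fingerprint(record):
    """Return {rule_name: confidence} for every rule whose hit threshold is met."""
    matches = {}
    for name, rule in RULES.items():
        hits = sum(1 for check in rule["indicators"] if check(record))
        if hits >= rule["min_hits"]:
            matches[name] = round(hits / len(rule["indicators"]), 2)
    return matches

# Constructed observations: a stock team server, one with a re-issued cert, one benign web host.
SAMPLES = [
    ScanRecord("192.0.2.10", {"CN": "Major Cobalt Strike", "O": "cobaltstrike"}, 146473198,
               "404 Not Found", {"Content-Length": "0", "Content-Type": "text/plain"}),
    ScanRecord("192.0.2.11", {"CN": "cdn.example.net", "O": "cobaltstrike"}, 146473198,
               "404 Not Found", {"Content-Length": "0", "Content-Type": "text/plain"}),
    ScanRecord("192.0.2.12", {"CN": "www.example.org", "O": "Example"}, 4242,
               "200 OK", {"Server": "nginx", "Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.ip, fingerprint(rec) or "no match")
```

The second sample shows why the threshold matters: swapping the certificate CN alone still leaves two default fields in place, so the host is flagged at lower confidence rather than lost.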