BlackBerry shines spotlight on evolving Cobalt Strike threat

Eric Milam, VP Research and Intelligence, BlackBerry

BlackBerry Limited during the BlackBerry Security Summit, announced a new book: Finding Beacons In the Dark: A Guide to Cyber Threat Intelligence, detailing the evolution and prevalence of a pervasive tool used by threat actors lately, Cobalt Strike Beacon.

The book details ways for readers to protect against malicious Cobalt Strike payloads and outlines how a robust Cyber Threat Intelligence (CTI) life cycle and extended detection and response (XDR) solution can provide the context needed to stop these threats.

Even though it was initially developed as an adversary simulation tool, Cobalt Strike has evolved into one of the most persistent attack methods heavily used by state-sponsored Advanced Persistent Threat (APT) groups and criminal mercenaries alike.

The book highlights the current threats facing organizations, provides a defense framework and uncovers links between cyberattacks previously thought to be disparate.

Why Cobalt Strike is a beacon of criminality

The tool has become a beacon of criminality. Cobalt Strike is widely used by red teams and has become heavily abused by cybercriminals due to its malleability and accessibility.

The software is feature-rich, allowing for the facilitation of many attack methods and remained a favorite of numerous state-sponsored parties due to its diverse nature.

The software has played a big role in the proliferation of ransomware in the past 18 months.

For businesses and cybercriminals alike, purchasing existing malware and related tools via underground forums can be significantly cheaper than developing in-house technology, making the use of Cobalt Strike ideal as it presents attribution challenges to law enforcement.

The challenge at hand can be further complicated when cyber mercenary groups are working in cohorts or at the behest of larger potentially nation-state–actors.

Blackberry executives give their verdict

Eric Milam, VP Research and Intelligence, BlackBerry had the following insights.

“Cobalt Strike presents an almost perfect software for cybercriminals while highlighting a central enigma of security, that well-built tools can both aid and increase cybercrime.”

“Cobalt Strike is feature-rich, well supported and actively maintained by its developers.”

“Its payload provides a wealth of features for attackers to indulge while also unpredictable. This makes it an attractive option for APT groups and cybercrime novices alike.”

While the increasing proliferation of Cobalt Strike within the criminal underground presents a reason for concern, so does its continued use by sophisticated APT groups.

As recently as October 2021, APT41 was witnessed using the software in phishing emails targeting Indian citizens, while Dridex operators have used Cobalt Strike heavily to underpin their recent phishing and malspam campaigns.

“The aim of this book is to aid the security community by sharing knowledge, presenting the steps taken to create an automated system to hunt for Cobalt Strike, and most importantly, demonstrating how to derive meaningful threat intelligence from the resulting dataset.”

Billy Ho, Executive Vice President of Product Engineering, BlackBerry said that this information can then be used to provide insights, trends and intelligence on threat groups and campaigns.