Alleged source code belonging to commercial penetration testing software Cobalt Strike has been published on GitHub, potentially providing a new path for hackers to attack companies.
Penetration testing, usually abbreviated as pen testing, is a legitimate security practice, but the same tooling can be turned against a company. Ethical pen testing involves simulated attacks on a computer system to evaluate its security, with the findings reported back to the owner. In the hands of hackers, the same pen testing software finds the same weaknesses, which are then exploited rather than reported.
Cobalt Strike, which pitches itself as a legitimate pen testing solution, has been controversial for years because of its use by hacking groups, whether they paid the $3,500-per-year license fee or ran a pirated copy. Malpedia has a page dedicated to Cobalt Strike, noting that it allows an attacker to deploy an agent named “Beacon” on the victim’s machine. “Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement,” Malpedia notes.
If the code is genuine, it could allow more hackers to use the software for nefarious purposes, modify it, or develop new versions of the product.
Whether the code is actually Cobalt Strike’s is in dispute. Bleeping Computer reports that it appears to be Java code decompiled from the product, then manually edited to fix dependencies and remove the license check so that it could be recompiled. “Even though it is not the original source code, it is enough to be of serious concern to security professionals,” the report notes.
The code is said to have appeared on GitHub 12 days ago and has already been forked 172 times. The timing may be relevant: a major attack involving Cobalt Strike that is targeting Microsoft Teams was reported Nov. 10, and another attack that took advantage of unpatched Oracle WebLogic servers and deployed Cobalt Strike was reported Nov. 5.
“While the allegations that the Cobalt Strike source code was posted to GitHub are unconfirmed, it certainly appears to at least be derivative of Cobalt Strike’s product,” Chester Wisniewski, principal research scientist at cybersecurity company Sophos Group plc, told SiliconANGLE. “This is unlikely to have any short-term consequence regarding criminal usage of Cobalt Strike as they are simply using stolen copies to begin with.”
“Where the risk lies is in the ability to update such a powerful tool with newly discovered vulnerabilities accelerating their adoption in the criminal community,” Wisniewski added. “Only time will tell if this has an impact, but I suspect it will be business as usual for criminals for now. This is, however, even more reason for organizations to ensure they are patching their systems as quickly as possible.”
Image: Cobalt Strike