Cobalt Strike Vulnerability Affects Botnet Servers

Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product.

The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.

Then the attacker installs the client on a targeted machine after exploiting a vulnerability, tricking the user or gaining access by other means. From then on, the client will use those customizations to maintain persistent contact with the machine running the Team Server.

The link connecting the client to the server is called the web server thread, which handles communication between the two machines. Chief among the communications are “tasks” servers send to instruct clients to run a command, get a process list, or do other things. The client then responds with a “reply.”

Researchers at security firm SentinelOne recently found a critical bug in the Team Server that makes it easy to knock the server offline. The bug works by sending a server fake replies that “squeeze every bit of available memory from the C2’s web server thread….”
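The bug class described above, a server letting the replies a client sends dictate how much memory it buffers, and the usual fix for it, as an added illustration rather than Cobalt Strike's code or SentinelOne's findings. The length-prefixed wire format, the two caps, and the names `declared_commitment`, `fake_reply` and `read_replies` are assumptions made for this example.

```python
from __future__ import annotations
import struct

MAX_REPLY_BYTES = 64 * 1024    # largest single reply body the server will buffer (assumed policy)
MAX_CONN_BYTES = 256 * 1024    # total bytes one connection may send before it is cut (assumed policy)


def declared_commitment(stream: bytes) -> int:
    """Bytes a naive parser would reserve if it trusted every length prefix.
    Reads headers only, so it is safe to run over a fake stream."""
    total, off = 0, 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack_from(">I", stream, off)
        total += n
        off += 4 + n
    return total


def fake_reply(declared_len: int, body: bytes = b"") -> bytes:
    """Constructed sample: a 4-byte big-endian header claiming declared_len bytes, plus a body."""
    return struct.pack(">I", declared_len) + body


def read_replies(chunks: list[bytes]) -> tuple[list[bytes], str | None]:
    """Parse length-prefixed replies from socket-style chunks while enforcing both caps.
    Memory grows only with bytes actually received, never with the size a client declares.
    Returns (accepted replies, rejection reason or None)."""
    buf, consumed, replies = bytearray(), 0, []
    for chunk in chunks:
        consumed += len(chunk)
        if consumed > MAX_CONN_BYTES:
            return replies, "per-connection byte quota exceeded"
        buf += chunk
        while len(buf) >= 4:
            (n,) = struct.unpack_from(">I", buf, 0)
            if n > MAX_REPLY_BYTES:      # decide on the header, before buffering any body
                return replies, f"declared reply length {n} exceeds cap"
            if len(buf) < 4 + n:         # incomplete reply: wait for more, but reserve nothing
                break
            replies.append(bytes(buf[4:4 + n]))
            del buf[:4 + n]
    return replies, None
```

An eight-byte fake reply is enough to make the trusting parser commit to 4 GiB, while the bounded reader rejects the same header before buffering anything and also cuts a connection that sends many legitimately sized replies past its quota.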

It’s a pretty serious vulnerability, and there’s already a patch available. But — and this is the interesting part — that patch is available to licensed users, which attackers often aren’t. It’ll be a while before that patch filters down to the pirated copies of the software, and that time window gives defenders an opportunity. They can simulate a Cobalt Strike client, and leverage this vulnerability to reply to servers with messages that cause the server to crash.

Posted on August 11, 2021 at 6:42 AM • 6 Comments

Comments

cc August 11, 2021 12:41 PM

Awesome! Is this an example of the server allowing remote code execution? Is there anything more technical about the reply that’s used to throttle the web server? Is it a loop, ping flood, or something else?

Clive Robinson August 11, 2021 2:41 PM

@ Bruce,

As ironic as,

… and that time window gives defenders an opportunity.

might be, the question of legality arises…

In most places “two crimes do not negate each other” and you are only allowed to protect yourself by use of force/action in the face of imminent danger to yourself or others. Which in many places does not cover “hack back”.

SpaceLifeForm August 11, 2021 5:52 PM

Likely related. Windows is a cluster.

hxtps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

Erdem Memisyazici August 13, 2021 12:43 AM

It’s fascinating how often you see viruses or hacking software also vulnerable due to undiscovered flaws. At one point in the 90s this trend picked up with cracking EXEs to not require CDs to handle backups, and persisted ever since. You’d think people who take the time to examine all the flaws in a design would take the time to examine their codebase with similar care. A paranoid person could think it’s on purpose at this point with the sheer volume of kill switches in the form of vulnerabilities or just shutdown commands in some instances. I suppose some sort of ML technique could be applied to IDEs to spot SQL Injections etc. as a baseline for even Eclipse type popular IDEs to stop this at the coder level.

Otherwise it all just seems like broken software to me.
