
How the Decompiled Source Code of Cobalt Strike was Allegedly Leaked Online

by CISOCONNECT Bureau

The source code of Cobalt Strike, a legitimate penetration testing toolkit used by red teams, has allegedly been leaked online. Read on to learn more.

The source code of Cobalt Strike, a legitimate penetration testing toolkit used by red teams, has allegedly been leaked online. The tool is quite popular in the cybercrime world as well. Experts fear this code can be reused, updated, or enhanced by the cybercrime groups exploiting it.

About Cobalt Strike Toolkit
Cobalt Strike is a legitimate pen testing toolkit that has been a subject of controversy for years, mainly because of its use by malicious actors, who run pirated or cracked copies of the solution to gain persistent remote access to compromised networks. It is widely adopted by threat actors for exactly this purpose.

The most recent examples include a campaign detected by Microsoft involving Cobalt Strike and targeting Microsoft Teams, and attacks targeting unpatched Oracle WebLogic servers aiming to deploy Cobalt Strike.

The Leaked Source Code
As per Bleeping Computer, nearly two weeks ago a repository appeared on GitHub, which contains what looks like source code for Cobalt Strike 4.0. The analysis of the leaked source code revealed that it is related to Cobalt Strike 4.0 released on December 5, 2019.

The leaked code appears to be the Java code from the software that has been manually decompiled and then edited to fix any dependencies and remove the license check so it could be compiled. Since the emergence on GitHub, the repository has been forked 172 times. “Even though it is not the original source code, it is enough to be of serious concern to security professionals,” Bleeping Computer notes.

In the alleged leaked source code, the Cobalt Strike license check has been removed so that anyone compiling the code can run it without a valid license. The person behind this leak manually decompiled the Java code and then fixed any dependencies. So far, the repository has been forked 172 times, making it harder to stop the spread of the source code.

Recent Use of Toolkit
Cobalt Strike is frequently being used by cybercriminals for post-exploitation, covert communication, and browser pivoting, among other malicious purposes. This tool has become the preferred choice among ransomware operators. Recently, ransomware operators used malicious fake ads for Microsoft Teams updates, along with backdoors that used Cobalt Strike. Furthermore, cybercriminals were seen exploiting vulnerable Oracle WebLogic servers to deploy Cobalt Strike beacons.

A Brief Conclusion
The alleged source code leak of such an offensive tool opens doors to new challenges for security agencies and analysts. Therefore, experts suggest several precautionary activities, such as looking for hosts with port 50050/TCP open (the default team server port) or checking for the default TLS certificate that ships with the vendor's software. In addition, limiting admin privileges to essential users can help.
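As an added illustration of the two network checks mentioned above (not code from the article or from the vendor), the following Python script triages a list of scan results and flags hosts that listen on 50050/TCP or present a TLS certificate whose subject matches the default self-signed certificate commonly reported for Cobalt Strike team servers. The subject fields, the record format and the sample hosts are assumptions constructed for the example; verify the certificate details against a certificate you have captured yourself before relying on them in production detections.

```python
"""Added example: flag Cobalt Strike team server indicators in scan results.

Two checks from the article's recommendations are implemented:
  1. port 50050/TCP open (the default team server port)
  2. TLS certificate subject matching the default vendor certificate
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEAMSERVER_PORT = 50050  # default Cobalt Strike team server port

# Subject of the default self-signed certificate as widely reported for
# Cobalt Strike. ASSUMPTION for this example: confirm against your own data.
DEFAULT_CERT_SUBJECT: Dict[str, str] = {
    "CN": "Major Cobalt Strike",
    "OU": "AdvancedPenTesting",
    "O": "cobaltstrike",
    "L": "Somewhere",
    "ST": "Cyberspace",
    "C": "Earth",
}


@dataclass
class ScanRecord:
    """One open-port observation; tls_subject is None when no TLS was seen."""
    host: str
    port: int
    tls_subject: Optional[str]


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse a 'CN=x, OU=y, ...' subject string into a dict (keys uppercased)."""
    fields: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def matches_default_cert(subject: Optional[str]) -> bool:
    """True when every field of the default certificate subject is present."""
    if not subject:
        return False
    fields = parse_subject(subject)
    return all(fields.get(k) == v for k, v in DEFAULT_CERT_SUBJECT.items())


def triage(records: List[ScanRecord]) -> List[Tuple[str, int, List[str]]]:
    """Return (host, port, reasons) for every record that trips a check."""
    findings = []
    for rec in records:
        reasons = []
        if rec.port == TEAMSERVER_PORT:
            reasons.append("port 50050/tcp open (default team server port)")
        if matches_default_cert(rec.tls_subject):
            reasons.append("default Cobalt Strike TLS certificate subject")
        if reasons:
            findings.append((rec.host, rec.port, reasons))
    return findings


# Constructed sample data: hosts and certificates invented for this example.
DEFAULT_SUBJECT_STR = (
    "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, "
    "L=Somewhere, ST=Cyberspace, C=Earth"
)
SAMPLE_RECORDS = [
    ScanRecord("10.0.0.5", 50050, DEFAULT_SUBJECT_STR),          # both indicators
    ScanRecord("10.0.0.6", 443, DEFAULT_SUBJECT_STR),            # default cert on 443
    ScanRecord("10.0.0.7", 50050, None),                         # port only
    ScanRecord("10.0.0.8", 443, "CN=www.example.com, O=Example Corp, C=US"),
]

if __name__ == "__main__":
    for host, port, reasons in triage(SAMPLE_RECORDS):
        print(f"{host}:{port} -> {'; '.join(reasons)}")
```

Note that a team server can be configured to listen on a non-default port and to use a custom certificate, so a clean result from these two checks does not prove absence; they are cheap first-pass indicators to feed into a broader review.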
