Latest Cobalt Strike Vulnerability Allows Takedown of Hacker Servers

Cobalt Strike is a genuine penetration testing tool built to work as an attack framework.

Cybersecurity experts have found a Cobalt Strike denial-of-service (DoS) vulnerability that lets an attacker block Beacon C2 (Command and Control) communication and prevent new Beacon deployments. Cobalt Strike is a genuine penetration testing tool built to work as an attack framework for red teams. A red team is a group of cybersecurity analysts who act as threat actors and attack their own organization in order to find security vulnerabilities and exploits. But Cobalt Strike is also used by hackers, who generally use it for post-compromise tasks after planting beacons, which give them unlimited remote access to the hacked devices. With the help of these beacons, the threat actors can later use the compromised machines to deploy second-stage malware payloads or harvest data.

SentinelLabs, the research team at SentinelOne, disclosed the DoS vulnerability, tracked as CVE-2021-36798 and dubbed "Hotcobalt", in the most recent versions of the Cobalt Strike server. SentinelLabs reports: "when a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. Receiving tasks generally happens over HTTP GET requests and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request."

The research showed that one can register fake beacons with a given Cobalt Strike server installation and then send it fake task data or screenshots with very large file sizes. Using this technique, an attacker could exhaust the server's available memory and crash it. A crashed server leaves already-installed beacons unable to communicate with the C2 server, and it also prevents new beacons from being installed on compromised systems.

This disrupts both red-team engagements and malicious campaigns that rely on the planted beacons. "One of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all the beacon’s HTTP communications. The entire process described above is wrapped in the chosen Malleable profile’s transformation steps, which are also embedded in the stager itself," said SentinelLabs in its blog.
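The failure mode described above (a server that buffers whatever a client posts as a task reply, until memory runs out) is a general one for any service that accepts uploads from unauthenticated or weakly authenticated clients. The following is an added illustration, not Cobalt Strike's code or SentinelLabs' research material: a minimal reply reader that enforces a hard size cap, shown beside the naive reader that trusts the client. The 4 MiB cap, the header handling and the helper names are assumptions made for the example.

```python
"""Bounded handling of untrusted task replies (illustrative, not Cobalt Strike code).

A C2-style server that reads each client's HTTP POST reply fully into memory
is exposed to memory exhaustion: a fake client can post arbitrarily large
"task data" or "screenshots" until the server runs out of RAM. The hardened
reader below rejects oversized replies both before and during the read.
"""
import io

# Assumed policy cap for a single reply; a real deployment would size this
# to the largest legitimate artefact it expects (e.g. a screenshot).
MAX_REPLY_BYTES = 4 * 1024 * 1024
CHUNK = 64 * 1024


class ReplyTooLarge(ValueError):
    """Raised when a client reply exceeds the configured cap."""


def read_reply_naive(stream):
    """The vulnerable pattern: buffer everything the client sends."""
    return stream.read()


def read_reply_bounded(headers, stream, max_bytes=MAX_REPLY_BYTES):
    """Read a reply body while never holding more than max_bytes in memory.

    1. If the client declares a Content-Length above the cap, reject before
       reading a single byte (cheap early exit for honest clients).
    2. Read in fixed-size chunks and abort as soon as the running total
       exceeds the cap, so a client that lies about or omits Content-Length
       cannot bypass the limit.
    """
    declared = headers.get("Content-Length")
    if declared is not None:
        try:
            declared_len = int(declared)
        except ValueError:
            raise ReplyTooLarge("malformed Content-Length header")
        if declared_len < 0 or declared_len > max_bytes:
            raise ReplyTooLarge(
                f"declared {declared_len} bytes exceeds cap of {max_bytes}")

    chunks = []
    total = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            # Stop immediately: the partial buffer is discarded with the exception.
            raise ReplyTooLarge(
                f"body exceeded cap of {max_bytes} bytes after {total} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def accepts(body, declared=None, max_bytes=MAX_REPLY_BYTES):
    """Convenience wrapper: True if the bounded reader accepts `body`.

    `declared` is the Content-Length the client claims (None = header absent);
    `body` is the constructed in-memory payload the client actually sends.
    """
    headers = {} if declared is None else {"Content-Length": str(declared)}
    try:
        read_reply_bounded(headers, io.BytesIO(body), max_bytes)
        return True
    except ReplyTooLarge:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate reply and one oversized reply.
    small = b"\x00" * 1024
    oversized = b"\x00" * (MAX_REPLY_BYTES + 1)
    print("small reply accepted:", accepts(small, len(small)))
    print("honest oversize rejected:", not accepts(oversized, len(oversized)))
    print("lying client rejected mid-stream:", not accepts(oversized, 1024))
    print("naive reader buffers everything:",
          len(read_reply_naive(io.BytesIO(oversized))) == MAX_REPLY_BYTES + 1)
```

The important design choice is the second check: a declared `Content-Length` is client-controlled, so the cap has to be enforced on the bytes actually read, not only on the header. Tying the cap to the size of the largest artefact the server legitimately expects, and logging each rejection with the client address, also gives defenders a usable signal that someone is probing the listener.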