Cybersecurity researchers have discovered multiple denial of service (DoS) vulnerabilities in popular penetration testing tool Cobalt Strike that can be exploited by malicious users,
Despite Cobalt Strike’s noble intentions, it is popularly used by threat actors usually to deploy payloads known as beacons to gain persistent remote access to compromised systems.
During the recent BlackHat security conference, researchers from SentinelOne revealed a series of DoS vulnerabilities that could have blocked the beacon from communicating with its command and control (C2) server.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
In essence, the vulnerabilities could be used by security researchers to perpetrate a DOS attack on the threat actors’ infrastructure.
Shutting down a good thing
The vulnerabilities collectively tracked as CVE-2021-36798, and dubbed Hotcobalt, kick in when a fake beacon sends fake task replies to the C2 server.
The fake tasks, which SentinelOne demonstrated in the form of abnormally large screenshots, drain all memory from the C2 server and cause it to crash, disrupting the ongoing operation.
Moreover the vulnerabilities are so severe that even restarting the server doesn’t help, since the fake beacons can continue to send memory draining tasks, crashing the server repeatedly.
When used by the people on the right side of the law, the vulnerabilities would have dealt a crippling blow to any malicious campaign that used Cobalt Strike.
“Although used every day for malicious attacks, Cobalt Strike is ultimately a legitimate product, so we have disclosed these issues responsibly to HelpSystems and they have fixed the vulnerabilities in the last release,” reasons SentinelLabs.