Critical Cobalt Strike bug leaves botnet servers vulnerable to takedown



Governments, vigilante groups and criminal hackers have a new way to disrupt botnets running the widespread Cobalt Strike attack software, research released Wednesday shows.

Cobalt Strike is a legitimate security tool used by penetration testers to emulate malicious activity on a network. In recent years, malicious hackers working on behalf of a nation state or in search of profit have increasingly embraced the software. For both defenders and attackers, Cobalt Strike offers an incredible suite of software packages that enable infected computers and attacker servers to interact in a highly customizable manner.

The main components of the security tool are the Cobalt Strike client – also known as a beacon – and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by booting up a computer running Team Server that has been configured with certain “malleable” profile settings, such as how often the client should check in with the server or how certain data should be sent.

The attacker then installs the client on a target computer after exploiting a vulnerability, tricking the user, or otherwise gaining access. From then on, the client uses these customizations to maintain constant contact with the computer on which the Team Server is running.

The link that connects the client to the server is known as the web server thread, which handles communication between the two machines. The most important communications are “tasks” that the server sends to instruct clients to run a command, get a list of processes, or do other things. The client then replies with a “response”.

Feel the pressure

Researchers at the security company SentinelOne recently found a critical bug in Team Server that makes it easy to permanently take the server offline. The bug works by sending fake responses to a server that “squeeze every bit of available memory out of the C2’s web server thread,” SentinelOne researcher Gal Kristal wrote in a post.

Kristal went on to write:

This would allow an attacker to exhaust the Cobalt Strike server’s memory (the “team server”) so that the server would stop responding until it was restarted. This means that live beacons cannot communicate with your C2 until the operators restart the server.

However, restarting is not sufficient to address this vulnerability as it is possible to attack the server repeatedly until it is patched or the configuration of the beacon is changed.

Both of these make the existing live beacons obsolete as they cannot communicate with the server until they have been updated with the new configuration. Therefore, this vulnerability has the potential to significantly affect operations.

To carry out the attack, an attacker needs to know only part of the server’s configuration. These settings are sometimes embedded in malware samples available from services such as VirusTotal, and they are also accessible to anyone with physical access to an infected client.


Black hats, watch out

To make the process easier, SentinelOne released a parser that extracts configurations from malware samples, memory dumps, and sometimes the URLs that clients use to connect to servers. Once someone has the settings, they can use a communication module included with the parser to impersonate a Cobalt Strike client belonging to that server.

Overall, the tool offers:

  • Parsing the embedded malleable profile instructions of a beacon
  • Parsing the configuration of a beacon directly from an active C2 (like the popular nmap script)
  • Basic code for communication with a C2 as a fake beacon

The fake client can then send responses to the server, even if the server never sent a corresponding task. A bug in the Team Server software, tracked as CVE-2021-36798, means responses carrying malformed data are not rejected. One example is the data attached to a screenshot that the client uploads to the server.

“By manipulating the size of the screenshot, we can assign any memory size to the server, the size of which is completely under our control,” wrote Kristal. “By combining all of our knowledge of the beacon communication flow with our configuration parser, we have everything we need to forge a beacon.”
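As an added illustration of the bug class described above (example code, not from SentinelOne, HelpSystems or Cobalt Strike), the toy server below shows the vulnerable pattern of sizing a buffer from a client-declared length beside a hardened handler that rejects unsolicited responses and length fields the payload does not back up. The frame layout, the task-id bookkeeping and the size cap are assumptions made for this example.

```python
import struct

# Cap on a single response body; an assumed value for this example, not a Cobalt Strike setting.
MAX_RESPONSE_BYTES = 4 * 1024 * 1024
# Constructed frame layout: big-endian task id, then the body length the client declares.
HEADER = struct.Struct(">II")


def build_response(task_id: int, declared_len: int, body: bytes) -> bytes:
    """Build a constructed response frame; declared_len may deliberately disagree with len(body)."""
    return HEADER.pack(task_id, declared_len) + body


def vulnerable_handle(frame: bytes) -> int:
    """Vulnerable pattern: trust the client-declared length and size the receive buffer from it.

    Returns the number of bytes the server would allocate (nothing is allocated here, so the
    demo itself cannot exhaust memory)."""
    _task_id, declared_len = HEADER.unpack_from(frame)
    return declared_len


class HardenedServer:
    """Hardened pattern: only accept responses to tasks the server actually issued, and never
    size a buffer from a client-supplied number that the delivered payload does not match."""

    def __init__(self) -> None:
        self.outstanding: set[int] = set()  # task ids sent to the beacon and still unanswered

    def issue_task(self, task_id: int) -> None:
        self.outstanding.add(task_id)

    def handle(self, frame: bytes) -> tuple[bool, str, int]:
        if len(frame) < HEADER.size:
            return False, "short frame", 0
        task_id, declared_len = HEADER.unpack_from(frame)
        body = frame[HEADER.size:]
        if task_id not in self.outstanding:
            return False, "unsolicited response", 0
        if declared_len > MAX_RESPONSE_BYTES:
            return False, "declared length over cap", 0
        if declared_len != len(body):
            return False, "declared length does not match payload", 0
        self.outstanding.discard(task_id)  # one response per task; replays are unsolicited
        buf = bytearray(body)  # allocation is bounded by what actually arrived on the wire
        return True, "accepted", len(buf)
```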

While the exploit can be used against white hat and black hat hackers alike, the latter are probably the more exposed. That is because most professional security defenders pay for Cobalt Strike licenses, while many malicious hackers instead run pirated copies of the software.

A patch from HelpSystems, the company behind Cobalt Strike, is available now to licensees; it will take some time before it reaches people running pirated copies of the software.
