Patched Cobalt Strike Exploits Could Have Dealt A Crippling Blow To Malicious Users.

Cybersecurity researchers have discovered multiple denial-of-service (DoS) vulnerabilities in the widely used penetration testing tool Cobalt Strike that can be exploited by malicious users.

Despite Cobalt Strike’s noble intentions, it is popularly used by threat actors, usually to deploy payloads known as beacons to gain continued remote access to compromised systems.

During the recent BlackHat security conference, researchers from SentinelOne revealed a series of DoS vulnerabilities that could have blocked the beacon from communicating with its command and control (C2) server.

In essence, security researchers could use the vulnerabilities to perpetrate a DoS attack on the threat actors’ infrastructure.

Shutting down is a good thing.

The vulnerabilities, collectively tracked as CVE-2021-36798 and dubbed Hotcobalt, are triggered when a fake beacon sends fake task replies to the C2 server.

The fake tasks, which SentinelOne demonstrated in abnormally large screenshots, drain all memory from the C2 server and cause it to crash, disrupting the ongoing operation.

Moreover, the vulnerabilities are so severe that even restarting the server doesn’t help, since the fake beacons can continue to send memory-draining task replies, crashing the server repeatedly.
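The defect pattern described above, a server that sizes its receive buffer from a length field the client controls, beside a bounded reader, as an added example that is not SentinelOne's research code or anything from Cobalt Strike. The wire format here (task id, declared length, payload) is an assumption constructed for the example; the real beacon protocol is not described on this page.

```python
import io
import struct

# Constructed wire format for this example (an assumption, not the real
# beacon protocol): 4-byte task id, 4-byte payload length, then the payload.
HEADER = struct.Struct(">II")
MAX_REPLY_BYTES = 4 * 1024 * 1024   # per-reply cap enforced by the hardened reader
CHUNK = 64 * 1024                   # read in bounded pieces instead of one allocation


def naive_reservation(header: bytes) -> int:
    """Vulnerable pattern: the server would do `bytearray(length)` straight from
    the client-supplied field, so one small header can reserve ~4 GiB. This
    helper only reports the size; it deliberately never allocates it."""
    _task_id, length = HEADER.unpack(header)
    return length


class ReplyRejected(ValueError):
    """Raised when a task reply fails the hardened checks."""


def parse_reply_hardened(stream: io.BufferedIOBase) -> tuple[int, bytes]:
    """Bounded reader: cap the declared length before any allocation, then pull
    the payload in chunks and refuse streams that end before the declared size."""
    header = stream.read(HEADER.size)
    if len(header) != HEADER.size:
        raise ReplyRejected("short header")
    task_id, length = HEADER.unpack(header)
    if length > MAX_REPLY_BYTES:
        raise ReplyRejected(f"declared {length} bytes exceeds cap {MAX_REPLY_BYTES}")
    out = bytearray()
    while len(out) < length:
        chunk = stream.read(min(CHUNK, length - len(out)))
        if not chunk:
            raise ReplyRejected("stream ended before declared length")
        out.extend(chunk)
    return task_id, bytes(out)


def is_rejected(data: bytes) -> bool:
    """True if the hardened reader refuses `data` (used by the checks below)."""
    try:
        parse_reply_hardened(io.BytesIO(data))
    except ReplyRejected:
        return True
    return False


# Constructed sample replies in the assumed format.
GOOD = HEADER.pack(7, 64) + b"screenshot-bytes" * 4
OVERSIZED = HEADER.pack(7, 0xFFFFFFFF)        # claims ~4 GiB, sends no payload at all
TRUNCATED = HEADER.pack(7, 1024) + b"x" * 10  # claims 1 KiB, delivers 10 bytes
```

The cap stops a single reply from exhausting memory; because the page notes that fake beacons simply keep sending after a restart, a real fix would pair it with per-source rate limiting.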

When used by the people on the right side of the law, the vulnerabilities would have dealt a crippling blow to any malicious campaign that used Cobalt Strike.

“Although used every day for malicious attacks, Cobalt Strike is ultimately a legitimate product, so we have disclosed these issues responsibly to HelpSystems and they have fixed the vulnerabilities in the last release,” reasons SentinelLabs.