Newsletter 7/30/2022
Cobalt Strike: The Warning Sign of Worse Things Yet To Come
[Image: A Windows Command Prompt Screen]
On July 28, 2022, the cybersecurity research company SentinelOne published news that quickly spread among the digerati: the Microsoft antimalware application, Windows Defender, had become compromised. More specifically, the Windows Defender command-line tool had fallen victim to a sideloading scheme, with the tool "being abused to load Cobalt Strike beacon on to potential victims," as neowin.net reported on July 29, 2022. In turn, as BleepingComputer reported on July 29, 2022, that vulnerability is currently being exploited to infect victim computers with LockBit ransomware.

Microsoft's own documentation describes the tool this way: "You can perform various functions in Microsoft Defender Antivirus using the dedicated command-line tool mpcmdrun.exe. This utility is useful when you want to automate Microsoft Defender Antivirus tasks. You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. Run it from a command prompt." So, for instance, if a network administrator wanted to enable automatic malware scanning of desktops on the network, she might configure that task using the tool.
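A defender's first check for the abuse described above is whether MpCmdRun.exe is executing from somewhere other than the directory Microsoft documents for it. The Python below is an added example, not code from the post or from SentinelOne: it flags relocated copies in constructed process-creation records, assumes the default expanded path C:\Program Files\Windows Defender, and additionally allows the versioned Defender Platform folder under C:\ProgramData, which is my own assumption about where updated Defender binaries live.

```python
import ntpath

# Locations from which MpCmdRun.exe legitimately runs. The first is the
# %ProgramFiles% path the post cites, expanded for a default install; the
# Platform prefix is an assumption by the author of this example (Defender
# updates also place the binary under a versioned Platform folder).
EXPECTED_DIR = r"C:\Program Files\Windows Defender"
PLATFORM_PREFIX = r"C:\ProgramData\Microsoft\Windows Defender\Platform" + "\\"

# Constructed sample process-creation records (Image field only), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"Image": r"C:\Users\Public\Downloads\MpCmdRun.exe"},
    {"Image": r"c:/programdata/update/mpcmdrun.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe"},
]


def normalize(path):
    """Make Windows paths comparable: backslashes, no trailing separator, lower case."""
    return ntpath.normpath(path).lower().rstrip("\\")


def is_relocated_mpcmdrun(image):
    """True when the executable is named MpCmdRun.exe but runs from a directory
    other than the documented Defender locations. The check is name-based only:
    a copy an attacker has renamed needs signature or hash checks, not done here."""
    norm = normalize(image)
    if ntpath.basename(norm) != "mpcmdrun.exe":
        return False
    directory = ntpath.dirname(norm)
    if directory == normalize(EXPECTED_DIR):
        return False
    if directory.startswith(PLATFORM_PREFIX.lower()):
        return False
    return True


def find_suspicious(events):
    """Return the Image paths of events that look like a relocated MpCmdRun.exe."""
    return [e["Image"] for e in events if is_relocated_mpcmdrun(e["Image"])]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("MpCmdRun.exe outside its Defender directory:", hit)
```

The same comparison can be applied to whatever process-creation source you collect (Sysmon Event ID 1, Security 4688 with command-line auditing), as long as the full image path is logged.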
The actions that initiated the compromise itself happened months ago. As SentinelOne researchers found, "The initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon Server." Readers may remember the near panic security researchers and experts were in around New Year's. The Log4j logging library was used in many different applications and device interfaces, and then went weeks without effective patching.
1. Once the attackers gained initial access via the Log4j vulnerability, reconnaissance began...
Cobalt Strike itself is "a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it," according to BleepingComputer, ibid. Any tool of any kind can be beneficial or destructive, depending on who wields the tool and why. Most importantly, however, the Log4j event is not over. As the Cyber Safety Review Board (CSRB) put it: "The Board assesses that Log4j is an “endemic vulnerability” and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains."
Despite all the in-depth reporting surrounding Log4j, and the universal clarion call to patch and patch again, the CSRB concluded in July 2022 that "organizations still struggled to respond to the event, and the hard work of upgrading vulnerable software is far from complete across many organizations." The complete CSRB report is available as a PDF.

"The key difference between sideloading and a normal installation is that in sideloading, the application has not been approved by the developer of the device's operating system." It is the ease with which hackers can inject malware into otherwise legitimate applications that has Google, and Apple in particular, very anxious about the "Open App Markets Act, a bill that targets dominant app stores." As Apple contends, and all evidence shows:

"...enabling sideloading would result in a flood of new attacks on iPhone users from bad actors eager to access the sensitive data stored on consumer devices. Predators and scammers would be able to 'side-step Apple's privacy and security protections completely,' with the bill allowing 'malware, scams, and data-exploitation to proliferate.'"

Finally, to my dear readers, who may now doubt the confidence that this blogger and others have placed in Windows Defender, my advice is to ensure that your installation of Windows Defender is the most current version available. That's the topic of the next post.
Now everything is upside down
Gerald Reiff