Cobalt Strike critical bug leaves botnet servers vulnerable to takedown

You did something bad, bad.

Governments, vigilantes and hackers have a new way to disrupt botnets running the widely used Cobalt Strike attack software, courtesy of research published Wednesday.

Cobalt Strike is a legitimate security tool used by penetration testers to emulate malicious activity on a network. In recent years, malicious hackers, whether working on behalf of a nation-state or in pursuit of profit, have increasingly adopted the software. For defender and attacker alike, Cobalt Strike provides a collection of software packages that allow infected computers and attacking servers to interact in highly customizable ways.

The main components of the tool are the Cobalt Strike client, also known as the Beacon, and the Cobalt Strike Team Server, which sends commands to the infected computers and receives the data they exfiltrate. An attacker begins by standing up a machine running Team Server that has been configured with specific "malleable" profile customizations, such as how often the client should check in with the server or what data it sends periodically.

The attacker then installs the client on a target machine after exploiting a vulnerability, tricking the user, or gaining access by other means. From then on, the client uses those customizations to maintain persistent contact with the machine running Team Server.

The link that connects the client to the server is called the web server thread, which handles the communication between the two machines. The core of that communication is the "tasks" the server sends to instruct a client to run a command, list running processes, or do other things. The client then answers with a "reply."

Feeling the squeeze

Researchers at security firm SentinelOne recently found a critical bug in the Team Server that allows it to be knocked offline with a denial-of-service attack. The bug works by sending bogus replies to a server that "squeeze every bit of available memory out of the C2 web server thread," SentinelOne researcher Gal Kristal wrote in a post.

Kristal went on to write:

This would allow an attacker to cause memory exhaustion on the Cobalt Strike server (the "Teamserver"), making the server unresponsive until it is restarted. This means that live Beacons cannot communicate with your C2 until the operators restart the server.

However, rebooting will not be enough to defend against this vulnerability, as it is possible to repeatedly target the server until a patch is applied or the Beacon settings are changed.

Either of these will render existing live beacons obsolete as they will not be able to communicate with the server until they are updated with the new settings. Therefore, this vulnerability has the potential to seriously interfere with ongoing operations.

All that is needed to carry out the attack is knowledge of some of the server's settings. These settings are sometimes embedded in malware samples available from services like VirusTotal. They can also be obtained by anyone with access to an infected client, for example from a memory dump of the Beacon process.

Black hats, watch out

To ease that process, SentinelOne published a parser that extracts settings from malware samples, memory dumps, and sometimes from the URLs clients use to connect to servers. Once in possession of the configuration, an attacker can use a communication module included with the parser to impersonate a Cobalt Strike client belonging to that server.

In total, the tool provides:

  • Parsing of a beacon's embedded malleable profile instructions
  • Parsing of a beacon's configuration directly from an active C2 (as the popular nmap script does)
  • Basic code to communicate with a C2 as a dummy beacon

The fake client can send replies to the server even when the server never issued a corresponding task. A bug in the Team Server software, tracked as CVE-2021-36798, prevents it from rejecting replies that contain malformed data. One example is the data that accompanies a screenshot the client uploads to the server.

"By manipulating the size of the screenshot, we can make the server allocate an arbitrary size of memory, the size of which is fully controllable by us," Kristal wrote. "By combining all the knowledge of the Beacon communication flow with our configuration parser, we have everything we need to fake a Beacon."
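The two weaknesses the article describes, a server that accepts replies to tasks it never sent and one that sizes an allocation from a length the peer declares, are a general pattern, so here is an added Python model of them beside a hardened handler. This is illustration code written for this page; it is not SentinelOne's parser, not the Cobalt Strike Team Server, and the header layout, reply type id, 8 MiB cap and memory budget are constructed assumptions rather than Cobalt Strike's actual wire format.

```python
"""Toy model of a C2 server consuming length-prefixed Beacon replies.

Constructed illustration; the header layout, type ids and limits are
assumptions made for this example, not Cobalt Strike's protocol.
"""
import struct

HEADER = struct.Struct(">III")   # task_id, reply_type, declared_body_length (assumed layout)
REPLY_SCREENSHOT = 3             # assumed reply type id for a screenshot upload
MAX_BODY = 8 * 1024 * 1024       # assumed per-reply cap used by the hardened handler


class MemoryBudget:
    """Counts bytes the simulated server has committed; fails like an OOM when exceeded."""

    def __init__(self, limit):
        self.limit = limit
        self.used = 0

    def allocate(self, n):
        if self.used + n > self.limit:
            raise MemoryError(f"budget exhausted: {self.used}+{n} > {self.limit}")
        self.used += n


def build_reply(task_id, reply_type, body, declared_len=None):
    """Encode a reply; declared_len lets a fake beacon lie about the body size."""
    if declared_len is None:
        declared_len = len(body)
    return HEADER.pack(task_id, reply_type, declared_len) + body


def handle_reply_trusting(buf, mem, pending_tasks):
    """Vulnerable pattern: sizes the buffer from the peer's declared length and
    never checks that the reply answers a task the server actually issued."""
    task_id, reply_type, declared = HEADER.unpack_from(buf, 0)
    mem.allocate(declared)                       # allocation fully controlled by the peer
    return task_id, reply_type, buf[HEADER.size:HEADER.size + declared]


def handle_reply_checked(buf, mem, pending_tasks, max_body=MAX_BODY):
    """Hardened pattern: accepts only replies to outstanding tasks, bounds the
    declared length, and requires it to match the bytes actually received."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    task_id, reply_type, declared = HEADER.unpack_from(buf, 0)
    if task_id not in pending_tasks:
        raise ValueError(f"unsolicited reply for task {task_id}")
    if declared > max_body:
        raise ValueError(f"declared body {declared} exceeds cap {max_body}")
    if declared != len(buf) - HEADER.size:
        raise ValueError("declared length does not match received bytes")
    mem.allocate(declared)                       # bounded by max_body and by real payload size
    pending_tasks.discard(task_id)
    return task_id, reply_type, buf[HEADER.size:]


def flood(handler, mem, replies, pending_tasks):
    """Feed replies until the server runs out of memory or rejects one.
    Returns (accepted_count, outcome) with outcome 'exhausted', 'rejected' or 'ok'."""
    accepted = 0
    for reply in replies:
        try:
            handler(reply, mem, pending_tasks)
        except MemoryError:
            return accepted, "exhausted"
        except ValueError:
            return accepted, "rejected"
        accepted += 1
    return accepted, "ok"


def demo():
    # A fake beacon that was never tasked sends screenshot replies claiming a
    # 1 GiB image while carrying only 16 bytes of payload (constructed input).
    bogus = [build_reply(task_id=9999, reply_type=REPLY_SCREENSHOT,
                         body=b"\x00" * 16, declared_len=1 << 30) for _ in range(4)]
    trusting = flood(handle_reply_trusting, MemoryBudget(limit=2 << 30), bogus, pending_tasks=set())
    checked = flood(handle_reply_checked, MemoryBudget(limit=2 << 30), bogus, pending_tasks=set())
    # A genuine reply to a task the server issued still passes the hardened path.
    legit = build_reply(task_id=42, reply_type=REPLY_SCREENSHOT, body=b"\x89PNG" + b"\x00" * 60)
    ok = flood(handle_reply_checked, MemoryBudget(limit=2 << 30), [legit], pending_tasks={42})
    return trusting, checked, ok


if __name__ == "__main__":
    print(demo())
```

With a simulated 2 GiB budget, the trusting handler commits 1 GiB per bogus reply and hits the budget on the third, matching the article's description of a server made unresponsive by replies it should never have accepted; the checked handler rejects the very first one because no task 9999 was outstanding, and would also reject it for the oversized and mismatched length. The task-id check is the cheap part: a reply that does not answer a task the server sent has no business being parsed at all.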

While the exploit can be used against white hat and black hat hackers alike, the latter are likely to be the more threatened by the vulnerability. That is because most professional security practitioners pay for licenses to use Cobalt Strike, whereas many malicious hackers run pirated versions of the software.

A patch from Cobalt Strike's maker, HelpSystems, is available now to license holders; it will take time to reach those running pirated copies of the software.
