New research - SentinelLabs’ discovery of new Cobalt Strike DoS vulnerabilities
August 2021 by SentinelLabs
SentinelLabs has released a report on its discovery of new Cobalt Strike Denial of Service vulnerabilities, affecting a tool that APTs and malicious actors leverage, well beyond adversary simulation, to perpetrate attacks that are very real.
Cobalt Strike is one of the most popular attack frameworks designed for Red Team operations. However, the latest versions of the Cobalt Strike server contain multiple DoS vulnerabilities (CVE-2021-36798) that make it possible to interfere with ongoing operations.
Key findings include:
One of the most famous features of Cobalt Strike is its Malleable C2 server. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all of the Beacon’s HTTP communications. SentinelOne published a proof-of-concept Python script that can fake a Beacon: it parses a Beacon’s configuration and uses the information stored in it to register a new random Beacon on the server, then iteratively sends fake task replies that squeeze all available memory from the C2’s web server thread. This crashes the server’s web thread, which handles HTTP stagers and Beacon communication.
This would allow an attacker to cause memory exhaustion in the Cobalt Strike server (the “Teamserver”), making the server unresponsive until it is restarted. This means that live Beacons cannot communicate with their C2 until the operators restart the server.
In brief, the DoS vulnerabilities discovered can render existing Beacons unable to communicate with their C2 server, prevent new Beacons from being installed, and have the potential to interfere with ongoing operations or even halt them altogether.
SentinelOne has released a new Python library to help generically parse Beacon communication, in order to support the security research community. The company hopes this research will encourage further work in the niche area of the robustness of attack frameworks and expand the range of available options when facing their consistent abuse.
Although Cobalt Strike is ultimately a legitimate product, it is used every day for malicious attacks. SentinelOne disclosed the issues it discovered to HelpSystems, which has fixed the vulnerabilities in its latest release.