Anomaly in pen-test tool made malware servers visible

For four years, a security company was able to track command and control (C&C) traffic generated by several well-known hacking groups thanks to a tiny anomaly in a penetration-testing tool.

This news emerged in a write-up by Fox-IT, which described how in 2015 one of its researchers spotted a small ‘whitespace’ error in HTTP responses from the ‘beacon’ NanoHTTPD-based web server that can be implanted inside a target network as part of a tool called Cobalt Strike.

Cobalt Strike is a legitimate pen-testing tool used to simulate adversaries in red team testing scenarios. Unfortunately, in recent years it’s also acquired a following among cybercriminals who use it after first breaking its copy protection.

It’s a ready-made platform that gives an adversary (legitimate or otherwise) a foothold from which they can direct lateral movement through the network and serve payloads from the comfort of a GUI.

However, the harmless and almost imperceptible whitespace flaw allowed Fox-IT to turn this traffic into an Intrusion Detection System (IDS) fingerprint, which let its analysts identify public Cobalt Strike servers.
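The following is an added illustration, not code from the article or from Fox-IT, of what such a fingerprint check looks like when run over captured HTTP responses. The article only says the anomaly was a ‘whitespace’ error in the server’s HTTP responses; this example assumes the extra whitespace sits at the end of the status line, after the reason phrase, and the sample responses and IP addresses below are constructed for the demonstration.

```python
import re

# Constructed sample responses (not real captures). The first one carries the
# assumed anomaly: a single extra space after the reason phrase "OK".
SAMPLE_RESPONSES = {
    "198.51.100.10": b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n",
    "198.51.100.11": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    "198.51.100.12": b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "198.51.100.13": b"garbage that is not HTTP at all",
}

# Status line per RFC 7230: HTTP-version SP status-code SP reason-phrase CRLF.
# The reason phrase may legitimately contain spaces ("Not Found"), so the check
# looks only at whitespace *after* the last non-space character.
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3}) (.*)$")


def parse_status_line(response: bytes):
    """Return (version, status_code, reason_phrase) for the first line,
    or None when the data does not start with an HTTP status line."""
    first, sep, _ = response.partition(b"\r\n")
    if not sep:
        return None
    match = STATUS_LINE.match(first)
    if not match:
        return None
    version = f"{match.group(1).decode()}.{match.group(2).decode()}"
    return version, int(match.group(3)), match.group(4)


def has_extraneous_space(response: bytes) -> bool:
    """True when the reason phrase is followed by trailing whitespace before CRLF.
    Non-HTTP data never matches, so it cannot produce a false positive here."""
    parsed = parse_status_line(response)
    if parsed is None:
        return False
    reason = parsed[2]
    return reason != reason.rstrip(b" \t")


def flag_hosts(responses: dict) -> list:
    """Return the hosts whose response matches the fingerprint, sorted for stable output."""
    return sorted(host for host, raw in responses.items() if has_extraneous_space(raw))


if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_RESPONSES):
        print(f"{host}: status line ends with extraneous whitespace (fingerprint match)")
```

A check this narrow is cheap enough to run inline on every response an IDS sees, which is why it made a useful fingerprint; its weakness is the one the article describes, namely that a single upstream fix removes the signal, so it should be treated as one indicator among several rather than a standalone detection.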

That remained true until early January, when Cobalt Strike’s makers finally noticed the issue and fixed it in v3.13; Fox-IT believes it had been in the software since 2012.

As far as Fox-IT is concerned, this represents a pyrrhic victory for security. Clearly, anything that could, in theory, allow a blue team defender to identify a red team incursion during a pen-testing exercise was going to be removed by Cobalt Strike’s makers.

But assuming cybercriminals implement the update, the fix has also removed the possibility of tracking threat actors using the tool, said to include Carbanak/Fin7, and espionage groups APT29 (Cozy Bear) and China’s APT10 to name only a few.

Indeed, the number of servers featuring the whitespace issue had already declined since the start of 2019. Fox-IT observes:

The change log entry [for v3.13] refers to the removed space being ‘extraneous’, in a literal sense meaning not pertinent or irrelevant. Due to its demonstrated significance as a fingerprinting mechanism, this description is contested here.

In total, the company had uncovered 7,718 unique Cobalt Strike team server or NanoHTTPD hosts between January 2015 and February 2019.

Blame game

Is it fair to blame Cobalt Strike for the fact that cybercriminal groups are using it?

Not really. The whole point of pen-testing tools (of which Cobalt Strike is only one) is that the advantages of using them to improve security outweigh any negatives arising from their misuse.

Fox-IT recommends that organisations check the list of whitespace servers it detected against their own logs to see whether they have been targeted in the past.