
Fake Windows Exploits Target Infosec Community With Cobalt Strike


Researchers and cybersecurity professionals were targeted earlier this year by an attack designed to exploit their own curiosity and gain access to protected systems and networks through fake Proof-of-Concept exploits. The bait was posted on GitHub, the code-hosting site that is home to much of the world's open-source software.

What Happened

In May of this year, researchers exposed a targeted attack distributed through the popular developer site GitHub. The attack took the form of two files purporting to be Proof-of-Concept (PoC) exploits for Microsoft Windows vulnerabilities that Microsoft had recently patched. Both bait files claimed to target remote code execution flaws, exactly the kind of vulnerability a researcher would want to examine quickly.

The files uploaded to GitHub were indeed exploits, just not the ones advertised. Instead, they turned a researcher's normal workflow, downloading and investigating new PoCs to close gaps in protection, into a direct attack on that researcher's own systems and networks.

Running the files installed Cobalt Strike, a legitimate adversary-emulation tool built to simulate a real threat actor. It is sold commercially by Fortra, but it is also one of the most widely abused tools among real attackers, who obtain cracked or leaked copies. Penetration testers, security researchers, and people learning how intrusions work use it worldwide to simulate actual attacks through exploitation and covert command-and-control channels.

Once the malicious files were discovered, they were quickly removed from GitHub, and the account that posted them was taken down.

What are Proof-of-Concept exploits?

PoCs, in this context, are code and write-ups that demonstrate how a specific vulnerability can actually be exploited to compromise a system or network. They are often published after a vendor has released a patch, and the files may contain working program code that shows how the exploit breaks into a system and then uses that foothold to enable further attacks or data theft.

These code examples can be instrumented to detail the actions they take, log access attempts, and more, giving researchers and security experts the ability to watch an exploit in action. Information like this is valuable as proof that a vulnerability exists and must be mitigated or remediated, and it may allow defenders to build protections or code changes that block the exploit completely.

Why target researchers and security?

The professional researchers and security personnel who protect our data systems and information are targets for all kinds of attacks, including deception-based attacks like this one. We are the people who work every day to ensure that our systems and networks, and the data our organizations collect and use, are protected against those who would threaten them.

Other attacks are as simple as fake job offers, emails that try to get us to download malicious software or visit booby-trapped websites, and social engineering intended to fool us into giving up information that should stay private. In many cases, these attacks are specifically designed to expose us, or the companies we work for, so that the attacker can find a way into our clients' networks and information. Those attacks are profitable because they may reveal weaknesses we have discovered in our clients' infrastructure that have not yet been fixed.

It is also possible that the attacker simply wants bragging rights among friends and compatriots: “I broke into a cybersecurity guy’s account and hacked his entire network, and he didn’t even know it! LOL!”

How will this Affect You?

More than likely, this set of attacks did not affect you directly or indirectly. Still, it is essential to understand that EVERYONE is a potential target for malicious cyber attacks: small companies, large ones, and the average person alike. Any time we open our systems or networks to gather information from the outside world or let someone access them, we also create the potential for an attack. Sometimes we do not even have to take part, because someone else finds their way in on their own.

Caution, knowledge, and a relentless desire for self-preservation are great places to start when defending yourself and others from attack.

What should you do

Taking the time to protect yourself to the best of your ability is of the utmost importance. Research your sources of information and tools, and do not assume that just because someone is an “expert” or well-known, they are immune to mistakes that can compromise their networks and yours.

You and your employees are the first line of defense in your organization. It is good to know your providers are experts and knowledgeable, but, to borrow an old Russian proverb, “Trust, but verify.” Making sure that your providers are also working to avoid exposing their own networks and data is a good practice, and they should be happy to give you a rundown on how they do so. You likely will not get the deepest dive into their practices and procedures, but you should get a high-level overview.

If you are a researcher or security professional, do not assume you are immune. You are sometimes the most in-demand target for those who want to make a name for themselves in the threat actor realm by “taking down” the big guy. Protect yourself just as you would protect your clients.
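“Trust, but verify” applies just as much to a PoC pulled from GitHub as it does to a provider. The script below is an added example written for this post; it is not code from the original article and it is not a signature for the specific files described above, whose internals the post does not detail. It performs a static triage of a downloaded PoC directory before anything is executed, using assumed, generic red flags: a compiled executable hiding behind a data filename, PowerShell launched with a hidden window or an encoded command, a download cradle, or a large base64 blob that the code decodes at runtime. It also records SHA-256 hashes so a file can be compared against what a vendor advisory or a second source actually published. The sample repository it builds is constructed for the demonstration: the “bait” file only embeds an encoded PowerShell command that writes a string, and the “binary” is two magic bytes plus padding.

```python
"""Static triage of a downloaded proof-of-concept before anything is run.

Added example for this post, not code from the original article, and not a
signature for the specific GitHub files it describes. The heuristics are
generic assumptions about how a bait PoC tends to smuggle a loader. Run this
inside a disposable VM and treat every hit as a reason to read that file line
by line before executing anything.
"""
import base64
import hashlib
import os
import re
import tempfile

# Magic bytes of compiled executables. A PoC published as source code should
# not quietly ship one of these.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

# Assumed heuristics, not exhaustive and not specific to any real sample.
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"powershell(\.exe)?[^\n]*\W-(e|enc|encodedcommand)\W", re.I),
     "PowerShell launched with an encoded command"),
    (re.compile(rb"-w(indowstyle)?\W+hidden", re.I),
     "hidden-window PowerShell"),
    (re.compile(rb"Invoke-WebRequest|DownloadString|DownloadFile|"
                rb"certutil[^\n]*-urlcache|bitsadmin[^\n]*/transfer", re.I),
     "download cradle"),
    (re.compile(rb"FromBase64String|b64decode", re.I),
     "decodes an embedded payload"),
    (re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}"),
     "large base64-looking blob"),
]


def sha256_of(data: bytes) -> str:
    """Hash to compare against the advisory or a second copy of the PoC."""
    return hashlib.sha256(data).hexdigest()


def triage_file(path: str) -> dict:
    """Return the hash, size and a list of red flags for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append(label)
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(data):
            findings.append(label)
    return {"sha256": sha256_of(data), "size": len(data), "findings": findings}


def triage_tree(root: str) -> dict:
    """Triage every regular file under root; keys are paths relative to root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = triage_file(full)
    return report


def build_sample_repo() -> str:
    """Write a constructed fake PoC repository to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="poc-triage-")
    # Constructed sample 1: what an honest network PoC usually looks like.
    with open(os.path.join(root, "exploit.py"), "w") as fh:
        fh.write("import socket\n\ndef trigger(host):\n"
                 "    s = socket.create_connection((host, 445))\n"
                 "    s.sendall(b'A' * 64)\n")
    # Constructed sample 2: same framing, plus an embedded blob that is
    # decoded to disk and a hidden, encoded PowerShell launcher (harmless:
    # it only writes a string).
    stage2 = base64.b64encode(b"A" * 120).decode()
    launcher = base64.b64encode("Write-Output 'benign'".encode("utf-16-le")).decode()
    with open(os.path.join(root, "poc.py"), "w") as fh:
        fh.write("import base64, subprocess\n\n"
                 f"STAGE2 = '{stage2}'\n\n"
                 "def trigger(host):\n"
                 "    open('stage.exe', 'wb').write(base64.b64decode(STAGE2))\n"
                 "    subprocess.run(['powershell.exe', '-w', 'hidden', "
                 f"'-enc', '{launcher}'])\n")
    # Constructed sample 3: a PE header disguised as a data file.
    with open(os.path.join(root, "payload.dat"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return root


def main() -> None:
    root = build_sample_repo()
    for rel, result in sorted(triage_tree(root).items()):
        status = "REVIEW" if result["findings"] else "clean"
        print(f"{status:6} {rel} sha256={result['sha256'][:16]}... "
              f"{'; '.join(result['findings'])}")


if __name__ == "__main__":
    main()
```

Point the script at a real download by replacing the call to build_sample_repo() with the cloned directory. A clean result is not a guarantee, only the absence of the most obvious tells; a flagged file is a reason to read it in full, inside an isolated machine, before it is ever run.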

Northstarr System Solutions, Ltd. and You 

We are an IT and cybersecurity company with decades of experience and knowledge to back our work, but we also know that we are targets just as our clients are. We use proven security methods, constantly learning from those around us and from any exposures we discover. With multiple people and systems overlapping and watching for mistakes, we protect ourselves and you from attacks like the one in this post. We can help you do the same by creating layers of protection around your networks, systems, and data.

To find out more about how we can help, visit our website or call (888) 767-2210 to set up an appointment.  We look forward to meeting with you!