Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software


HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security patch to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.

Cobalt Strike is a commercial red-team framework used primarily for adversary simulation, but cracked versions of the software have been actively abused by ransomware operators and espionage-focused advanced persistent threat (APT) groups.

The post-exploitation tool consists of a team server, which acts as a command-and-control (C2) component, and a beacon, standard malware used to establish a connection to the team server and drop payloads in the next step.


The problem, tracked as CVE-2022-42948, affects Cobalt Strike version 4.7.1 and stems from an incomplete update released on September 20, 2022, to address a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could allow the remote execution of code.

“The XSS vulnerability could be triggered by manipulating some input fields in the client-side user interface, by simulating a Cobalt Strike implant check-in, or by connecting to a Cobalt Strike implant running on a host,” said IBM X-Force researchers Rio Sherri and Ruben Boonen in a write-up.

However, it was found that remote code execution could be triggered in specific cases by using the Java Swing framework, the graphical user interface toolkit used to build the Cobalt Strike client.

“Certain components of Java Swing will automatically interpret all text as HTML content if it starts with `<html>`,” Greg Darwin, software development manager at HelpSystems, explained in a post. “Disabling automatic parsing of HTML tags across the entire client was enough to mitigate this behavior.”
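The Swing behaviour Darwin describes, and the per-component form of the mitigation, can be demonstrated with standard JDK calls. The following is an added example written for this page; it is not code from HelpSystems, IBM X-Force or the Cobalt Strike client. It uses the public `javax.swing.plaf.basic.BasicHTML` helpers: `isHTMLString` is the same prefix check the basic look-and-feel applies, the `html.disable` client property opts a component out of HTML rendering, and the `html` client property is where the look-and-feel stores the HTML view once it has decided to render a string as markup. The `SwingHtmlHardening` class name and the sample strings are constructed for the example.

```java
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

// Added example: shows when Swing treats untrusted text as HTML and how a
// client that displays attacker-influenced strings can opt out of that.
public class SwingHtmlHardening {

    // Swing's own check: true when the string begins with "<html>"
    // (case-insensitive). Text passing this check is parsed as markup,
    // which is the root cause the article describes.
    public static boolean wouldRenderAsHtml(String text) {
        return BasicHTML.isHTMLString(text);
    }

    // Per-component mitigation: the "html.disable" client property makes the
    // basic look-and-feel display the text literally. It must be set BEFORE
    // the text is assigned, because the renderer is (re)built on setText()
    // and does not listen for changes to this property.
    public static <T extends JComponent> T disableHtml(T component) {
        component.putClientProperty(BasicHTML.htmlDisable, Boolean.TRUE);
        return component;
    }

    // Inspect a component to see whether an HTML view was actually built for
    // its current text. Useful as an assertion in UI tests that render
    // untrusted data (implant names, file names, notes).
    public static boolean isRenderingHtml(JComponent component) {
        return component.getClientProperty(BasicHTML.propertyKey) != null;
    }

    // Builds a label for untrusted text with HTML parsing disabled.
    public static JLabel untrustedTextLabel(String untrusted) {
        JLabel label = disableHtml(new JLabel());
        label.setText(untrusted);
        return label;
    }

    public static void main(String[] args) {
        // Constructed sample: a string that looks like something an attacker
        // could place in a field the client later displays.
        String untrusted = "<html><b>bold</b> text";

        JLabel unsafe = new JLabel(untrusted);          // default behaviour
        JLabel safe = untrustedTextLabel(untrusted);    // hardened

        System.out.println("prefix matches Swing's HTML check: "
                + wouldRenderAsHtml(untrusted));        // true
        System.out.println("default label renders HTML:        "
                + isRenderingHtml(unsafe));             // true
        System.out.println("hardened label renders HTML:       "
                + isRenderingHtml(safe));               // false
        System.out.println("hardened label shows literally:    "
                + safe.getText());                      // "<html><b>bold</b> text"
    }
}
```

The article's fix went further than this per-component property and switched HTML parsing off across the entire client; the example shows the mechanism at the level of a single component so the two states can be compared side by side. A practical regression test for any Swing application that displays data from remote peers is to feed each such component a string beginning with `<html>` and assert that `isRenderingHtml` stays false.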


This means that a malicious actor can exploit this behavior by using HTML code to load a custom payload hosted on a remote server and inject it into the notepad as well as the graphical file explorer menu in the Cobalt Strike UI.


“It should be noted here that this is a very powerful exploit primitive,” IBM researchers said, adding that it could be used to “construct a full-fledged cross-platform payload that would be able to execute code on the user’s machine independently of operating system flavor or architecture.”

The findings come just over a week after the U.S. Department of Health and Human Services (HHS) warned of the continued weaponization of legitimate tools such as Cobalt Strike in attacks targeting the healthcare sector.
