Weaponized pen-testing tools are becoming a new mainstay for hackers

The aggressive adoption of popular red team tools like Cobalt Strike and Metasploit by attackers is causing massive disruption, emerging as a prominent strategy in malware campaigns.

According to a study by threat-hunting firm Elastic, known for its powerful search solutions, these two common penetration testing tools are set to account for nearly half of all malware activity in 2024.

“The most frequently seen malware families are primarily associated with offensive security tools (OSTs) – a significant increase from last year,” Elastic Security Labs researchers said in a report. “Cobalt Strike, Metasploit, Sliver, DONUTLOADER, and Meterpreter represent nearly two-thirds of all the malware we saw last year.”

Some of the key findings from Elastic’s research include businesses failing to properly secure their cloud environments, leading to more adversarial activity, and attackers shifting away from defense evasion toward obtaining legitimate credentials for direct access.

A good defense becomes a very good offense

Cobalt Strike (27%) and Metasploit (18%) were the two most commonly seen OSTs in Elastic’s survey. Other such tools include Sliver (9%), DonutLoader (7%), and Meterpreter (5%).

The ability to use a tool specifically designed to identify vulnerabilities in business environments brings a significant advantage to adversaries, the researchers revealed. In addition, making such a tool open source may exacerbate challenges for enterprise security teams by increasing its accessibility to malicious actors.

“Cobalt Strike and Metasploit have both been involved in threat activity for a long time, Metasploit is open (source),” said Devon Kerr, director of Elastic Security Labs. “But we’re also seeing a new flavor of human-derived malware. Sliver, in particular, made a big show this year.”

Kerr also explained that these tools are particularly attractive to adversaries with less technical skill. “They can go and use these tools, and in some areas, they will work automatically, and in others, with some modification, they will be successful,” Kerr said.

The widespread use of these tools also complicates the process of accurately attributing malicious activity to its source, Kerr added.

Additionally, the study noted that the majority of malware was installed on Windows systems (66%) due to the widespread availability of the operating system, followed by Linux hosts (32%). macOS is the least affected with less than 2% malware detection.

Malware masquerading as legitimate software (trojans) was the most commonly seen category (82%) of malware.

Businesses fail to do due diligence

A large number of businesses using popular cloud environments failed CIS secure-configuration benchmark checks. The overall posture scores for AWS, Google Cloud, and Microsoft users were 57, 47, and 45 out of 100, respectively.

“When we completed the failed posture test for AWS, we saw that 30% of all failed performance checks were related to S3,” the researchers said. A failed posture check is one where the environment does not meet the prescribed configuration. Networking (23%) and IAM (15.5%) were the other weak areas for AWS.

Storage accounts (47%) and networking (15%) were the weak spots in Microsoft Azure customer environments, accounting for the majority of failed checks in those deployments. Google Cloud customers have gaps in BigQuery (44%), Virtual Machines (29%), and networking (15%), the report noted.

Another emerging trend identified in the study was threat actors moving away from defense evasion techniques, possibly as a calculated choice, toward obtaining legitimate credentials, by brute force or otherwise, in order to gain access.

“The findings of the 2024 Elastic Global Threat Report reinforce a behavior we continue to see: security technologies are working. Our research shows that Defense Evasion has decreased by 6% since last year,” said Jake King, head of threat intelligence and security at Elastic. “Adversaries are increasingly focused on abusing security tools and investing in a legal framework to ensure they work for their purposes, reinforcing the need for organizations to have well-configured security policies and capabilities.”

Credential access accounts for 23% of all malicious cloud behavior, especially in Microsoft Azure, and 35% of that activity is carried out with brute-force techniques such as credential stuffing, password spraying, and dictionary attacks, up 12% from last year, the report added.
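The credential-access trend above is the kind of behavior a defender can surface from sign-in telemetry. The following is an added example, not code from Elastic or the report: it runs over a constructed set of sign-in events and separates password spraying (one source, a few tries across many accounts) from single-account brute force, flagging whether the source later succeeded. The event format, thresholds and IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, result); not
# real telemetry. 198.51.100.7 sprays a password across many accounts,
# 203.0.113.9 hammers a single account, 192.0.2.44 is a user mistyping once.
SAMPLE_EVENTS = [
    ("2024-10-01T09:00:00", "198.51.100.7", "alice", "failure"),
    ("2024-10-01T09:00:05", "198.51.100.7", "bob", "failure"),
    ("2024-10-01T09:00:11", "198.51.100.7", "carol", "failure"),
    ("2024-10-01T09:00:17", "198.51.100.7", "dave", "failure"),
    ("2024-10-01T09:00:22", "198.51.100.7", "erin", "failure"),
    ("2024-10-01T09:00:29", "198.51.100.7", "frank", "success"),
    ("2024-10-01T09:01:00", "203.0.113.9", "alice", "failure"),
    ("2024-10-01T09:01:02", "203.0.113.9", "alice", "failure"),
    ("2024-10-01T09:01:04", "203.0.113.9", "alice", "failure"),
    ("2024-10-01T09:01:06", "203.0.113.9", "alice", "failure"),
    ("2024-10-01T09:01:08", "203.0.113.9", "alice", "failure"),
    ("2024-10-01T09:02:00", "192.0.2.44", "grace", "failure"),
    ("2024-10-01T09:02:30", "192.0.2.44", "grace", "success"),
]


def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, brute_failures=5):
    """Label each source IP by the shape of its failed sign-ins within `window`
    of its first failure: many distinct accounts with few tries each is
    'password_spray', many tries against one account is 'brute_force', and
    anything else is 'benign'. Also record whether the source later succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, result in events:
        t = datetime.fromisoformat(ts)
        (failures if result == "failure" else successes)[src].append((t, user))
    report = {}
    for src in set(failures) | set(successes):
        fails = sorted(failures.get(src, []))
        if fails:  # keep only failures inside the window after the first one
            fails = [f for f in fails if f[0] - fails[0][0] <= window]
        users = {u for _, u in fails}
        if len(users) >= spray_users and len(fails) <= 2 * len(users):
            label = "password_spray"
        elif len(fails) >= brute_failures and len(users) == 1:
            label = "brute_force"
        else:
            label = "benign"
        # A success after the failures means a guessed credential probably
        # worked; that is the finding to prioritize.
        last_fail = fails[-1][0] if fails else None
        followed = any(last_fail is not None and t > last_fail
                       for t, _ in successes.get(src, []))
        report[src] = {"label": label, "distinct_users": len(users),
                       "failures": len(fails), "followed_by_success": followed}
    return report
```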
