Alleged source code of penetration testing software Cobalt Strike published on GitHub
Source code allegedly belonging to commercial penetration testing software Cobalt Strike has been published on GitHub, potentially providing a new path for hackers to attack companies.
Penetration testing, usually abbreviated as pen testing, has legitimate uses as a tool for evaluating an organization's security, but the same software can also be used by bad actors to attack a company. Ethical pen testing involves simulated attacks on a computer system to evaluate the security of that system. In the hands of hackers, the same pen testing software can be used to identify security issues that can then be exploited.
Cobalt Strike, which pitches itself as a legitimate pen testing solution, has been controversial for years thanks to its use by hacking groups, though those groups had to either pay $3,500 per year for a license or use a pirated copy. Malpedia has a page dedicated to Cobalt Strike, noting that it allows an attacker to deploy an agent named “Beacon” on the victim’s machine. The alleged code could allow more hackers to use the software for nefarious purposes or to develop new versions of the product.
Whether the code is actually Cobalt Strike’s or not is subject to dispute. Bleeping Computer reported today that the code appears to be the Java code from the software that has been manually decompiled and then edited to fix any dependencies and remove the license check so it could be compiled. “Even though it is not the original source code, it is enough to be of serious concern to security professionals,” the report noted.
The code is said to have appeared on GitHub 12 days ago and has already been forked 172 times. The timing may be relevant, since a major attack involving Cobalt Strike and targeting Microsoft Teams was reported Nov. 10. Another attack involving Cobalt Strike, which took advantage of unpatched Oracle WebLogic servers, was reported Nov. 5.
“While the allegations that the Cobalt Strike source code was posted to GitHub are unconfirmed, it certainly appears to at least be derivative of Cobalt Strike’s product,” Chester Wisniewski, principal research scientist at cybersecurity company Sophos Group plc, told SiliconANGLE. “This is unlikely to have any short-term consequence regarding criminal usage of Cobalt Strike as they are simply using stolen copies to begin with.”
Where the risk lies, he said, is in the ability to update such a powerful tool with newly discovered vulnerabilities. “Only time will tell if this has an impact, but I suspect it will be business as usual for criminals for now,” he said. “This is, however, even more reason for organizations to ensure they are patching their systems as quickly as possible.”