During the recent BlackHat security conference, researchers from SentinelOne revealed a series of DoS vulnerabilities that could have blocked the beacon from communicating with its command and control (C2) server.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Protect your devices with these best antivirus software
- Here are the best ransomware protection tools
- These are the best malware removal software on the market
In essence, the vulnerabilities could be used by security researchers to perpetrate a DOS attack on the threat actors’ infrastructure.
Shutting down a good thing
The vulnerabilities collectively tracked as CVE-2021-36798, and dubbed Hotcobalt, kick in when a fake beacon sends fake task replies to the C2 server.
The fake tasks, which SentinelOne demonstrated in the form of abnormally large screenshots, drain all memory from the C2 server and cause it to crash, disrupting the ongoing operation.
Moreover the vulnerabilities are so severe that even restarting the server doesn’t help, since the fake beacons can continue to send memory draining tasks, crashing the server repeatedly.
When used by the people on the right side of the law, the vulnerabilities would have dealt a crippling blow to any malicious campaign that used Cobalt Strike.
“Although used every day for malicious attacks, Cobalt Strike is ultimately a legitimate product, so we have disclosed these issues responsibly to HelpSystems and they have fixed the vulnerabilities in the last release,” reasons SentinelLabs.
- These are the best endpoint protection tools