Dviros (6)

Last Login: August 23, 2021
Assessments: 2
Score: 6

Dviros's Contributions (2)

2 Ratings
  • Attacker Value: High
  • Exploitability: Very High
Technical Analysis

As Cobalt Strike's source code got leaked in November 2020, it seems that versions 4.2 and 4.3 are both vulnerable to a Denial of Service attack that occurs when a new beacon registers with the Teamserver, thus causing a memory load and server crash.
The attacker needs to know the relevant beacon configuration prior to execution, but this can be done rather easily with a multitude of tools released on GitHub that perform config extraction from known Cobalt Strike C2 servers.
Cobalt Strike has become a tool which is commonly used by different threat actor groups worldwide, due to its availability, capabilities and effectiveness in covert channels.

SentinelOne has researched, reported and released PoC code that triggers this vulnerability:
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/

As the PoC code got released, it is safe to assume that vulnerable C2 servers worldwide are being attacked.

To fix this issue, version 4.4 was released.

2 Ratings
Technical Analysis

The vulnerability is easy to exploit – by interacting with the local ShadowCopy volume and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits were already released, allowing the hashes to be parsed while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive "C:\Windows\System32\Config\*.*" privileges granted to "BUILTIN\Users", allowing any user to read and execute the files.
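The following read-only audit script is an added example, not code from the assessment above or from the linked repositories. It checks the two conditions the assessment names on a Windows host: whether the SAM, SECURITY and SYSTEM hive files under %windir%\System32\Config carry an allow ACE for BUILTIN\Users (matched by its well-known SID S-1-5-32-545 so it works on localized systems), and whether Volume Shadow Copies exist that could expose an older copy of those hives. The hive names, the SID and the 'Read|FullControl' right filter are the script's own assumptions; it changes nothing on the system.

```powershell
# Added audit example (not from the original post): reports hive files under
# %windir%\System32\Config that BUILTIN\Users can read, and lists existing
# Volume Shadow Copies. Requires Windows PowerShell 5.1 or later; the
# shadow-copy query needs an elevated prompt. Read-only: nothing is modified.

$hiveDir = Join-Path $env:windir 'System32\Config'
$hives   = 'SAM', 'SECURITY', 'SYSTEM'      # hives named in the assessment (assumption: these three suffice)
$usersSid = 'S-1-5-32-545'                   # well-known SID for BUILTIN\Users

$findings = foreach ($name in $hives) {
    $path = Join-Path $hiveDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $acl = Get-Acl -LiteralPath $path

    # Allow ACEs for BUILTIN\Users that grant any read right (or full control)
    $userRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        ($_.FileSystemRights.ToString() -match 'Read|FullControl')
    }

    [pscustomobject]@{
        Hive         = $name
        Path         = $path
        UsersCanRead = [bool]$userRead
        Rights       = ($userRead | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
    }
}

$findings | Format-Table -AutoSize

# A permissive ACL only becomes exposure when an older copy of the hive is
# reachable: the live hives are locked by the kernel, VSS snapshots are not.
try {
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop
    if ($shadows) {
        "Shadow copies present: $(@($shadows).Count)"
        $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
    } else {
        'No shadow copies present.'
    }
} catch {
    "Could not enumerate shadow copies (run elevated): $($_.Exception.Message)"
}

if ($findings | Where-Object UsersCanRead) {
    'Hive files readable by BUILTIN\Users: review against the vendor guidance for CVE-2021-36934.'
}
```

Run it from an elevated PowerShell prompt on any host that is in scope. A row with UsersCanRead set to True together with one or more shadow copies is the combination the assessment describes; Microsoft's published workaround for CVE-2021-36934 restores inheritance on the Config directory (icacls %windir%\system32\config\*.* /inheritance:e) and removes existing shadow copies, after which re-running this script should report no readable hives.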