Cybersecurity firm SentinelOne has discovered a new Cobalt Strike DoS vulnerability. The vulnerability allows malicious parties to launch a DoS attack on corporate servers and can seriously disrupt ongoing operations.
Cobalt Strike is a popular HelpSystems framework designed for Red Team operations. At the same time, many APTs (advanced persistent threats) and other malicious parties also use the framework. SentinelOne has already recorded countless attacks involving so-called Cobalt Strike Beacons at its customers. While the SentinelOne agent catches such attacks, there are cases where some devices are not protected and then become infected.
SentinelOne therefore wants to develop a new defence tactic that targets the C2 (command-and-control) servers used in these attacks. Specifically, several vulnerabilities were discovered in those servers, reported under CVE-2021-36798. CVE, or Common Vulnerabilities and Exposures, is a database of publicly known vulnerabilities in computer systems and networks.
Earlier, another vulnerability came to light in Cobalt Strike. In practice, that vulnerability allowed remote code execution on a server. Since the server's code is written in Java and is not very large, SentinelOne said the bug was "not that hard to find." The vulnerability also allowed attackers to disrupt Beacon communications, which eventually led to a crash of the server's web thread, the thread that handles HTTP stagers and Beacon communications.
Although Cobalt Strike is used every day in malicious attacks, it is a legitimate product. Developer HelpSystems has therefore been notified of the issues by SentinelOne, and the vulnerabilities in question are said to have been fixed in the latest release.