HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that allows attackers to take control of the target system.
Cobalt Strike is a commercial red team framework primarily used for adversary simulation, although cracked versions of the software are actively abused by ransomware operators and Advanced Persistent Threat (APT) groups focused on espionage.
The post-exploitation tool consists of a team server, which acts as the command-and-control (C2) component, and a beacon, the default malware used to establish a connection to the team server and drop the next-stage payload.
The issue, tracked as CVE-2022-42948, affects Cobalt Strike version 4.7.1, the release of September 20, 2022, that addressed a cross-site scripting (XSS) vulnerability (CVE-2022-39197) which could lead to remote code execution.
According to IBM X-Force researchers Rio Sherri and Ruben Boonen, "XSS vulnerabilities can be triggered by manipulating client-side UI input fields, by simulating Cobalt Strike implant check-ins, or by hooking a running Cobalt Strike implant," they said in a write-up.
They found, however, that in certain cases remote code execution could be triggered through the Java Swing framework, the graphical user interface toolkit used to build Cobalt Strike.
"Certain components within Java Swing will automatically interpret any text as HTML content if it starts with `<html>`," Greg Darwin, software development manager at HelpSystems, explained in a post. "Simply disabling automatic parsing of HTML tags across the entire client was enough to mitigate this behavior."
This means that a malicious actor could abuse this behavior by using an HTML tag to load a custom payload hosted on a remote server and inject it into the note field as well as the graphical file explorer menu in the Cobalt Strike UI.
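To make the Swing behavior and its mitigation concrete, here is an added example that is not code from the article, from HelpSystems, or from Cobalt Strike. It builds two `JLabel` components from the same operator-controlled string: one with Swing's default behavior, where text beginning with `<html>` gets an HTML renderer attached, and one hardened with the standard `html.disable` client property, which `javax.swing.plaf.basic.BasicHTML` checks before installing that renderer. The sample input string and the helper names are constructed for the example; the client property keys are Swing's own.

```java
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

public class SwingHtmlHardening {

    // Standard Swing client property: when set to Boolean.TRUE on a component,
    // BasicHTML.updateRenderer() skips HTML interpretation for that component.
    private static final String HTML_DISABLE = "html.disable";

    /** Default behavior: text starting with <html> is rendered as markup. */
    public static JLabel defaultLabel(String untrustedText) {
        return new JLabel(untrustedText);
    }

    /** Hardened: HTML interpretation is switched off before any text is set. */
    public static JLabel hardenedLabel(String untrustedText) {
        JLabel label = new JLabel();
        // Must be set before setText(), because the renderer is (re)built on the
        // "text" property change and reads html.disable at that moment.
        label.putClientProperty(HTML_DISABLE, Boolean.TRUE);
        label.setText(untrustedText);
        return label;
    }

    /**
     * True if Swing attached an HTML View to the component, i.e. the text will
     * be rendered (and its tags interpreted) rather than shown verbatim.
     * BasicHTML.propertyKey is the "html" client property Swing uses for that View.
     */
    public static boolean rendersAsHtml(JComponent component) {
        return component.getClientProperty(BasicHTML.propertyKey) != null;
    }

    public static void main(String[] args) {
        // Constructed sample: a value a compromised implant could report into a UI field.
        String fromImplant = "<html><b>WORKSTATION-01</b> check-in</html>";

        System.out.println("default  rendersAsHtml = " + rendersAsHtml(defaultLabel(fromImplant)));  // true
        System.out.println("hardened rendersAsHtml = " + rendersAsHtml(hardenedLabel(fromImplant))); // false
    }
}
```

The per-component property shown here is the narrow form of the fix; the article quotes HelpSystems as turning HTML parsing off client-wide, which is the safer default whenever a Swing UI displays values that originate from untrusted endpoints, since every label, table cell renderer or tooltip that receives such text is otherwise a candidate for the same issue.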
"Keep in mind that this is a very powerful exploit primitive," the IBM researchers said, adding that it "can be used to build a fully functional cross-platform payload" for any "flavor or architecture of the system."
The findings come just over a week after the US Department of Health and Human Services (HHS) warned that legitimate tools such as Cobalt Strike continue to be weaponized to target the healthcare sector.