Google Clamps Down on Cobalt Strike Abuses

Google announced earlier this month that it had removed the ability to run JavaScript from inside HTML tags on its advertisement platform, in an effort to clamp down on ad fraud and abuse perpetrated by cryptomining malware like Cobalt Strike and Coinhive. But what does this change mean for legitimate advertisers? And how will it impact larger security issues surrounding JavaScript execution? Security expert Paul Roberts weighs in below.


Google’s response to Cobalt Strike abuses

Earlier this year, Google made a critical update to its ethical sourcing policy for cobalt, which is used in lithium-ion batteries. The new policy will now require all of the company’s suppliers to disclose their cobalt suppliers and mines, as well as to conduct human rights due diligence reviews of those suppliers and mines. This important update is just one example of Google making a conscious effort to make sure that it can’t be accused of being complicit in human rights abuses. Other steps that the tech giant has taken include investing in renewable energy sources like wind and solar power, lobbying for net-zero emissions legislation, and using green building practices when constructing new data centers.


What is Cobalt Strike?

Cobalt Strike is penetration testing software developed by a company called RiskSense that allows an attacker to gain access to a target’s machine. The attack typically starts by getting the victim to visit a malicious website or click on a malicious link, which installs malware and gives the attacker remote access to their machine. This is often done through phishing, social engineering, and other means. Users may not even know they’re infected until they start noticing unusual behavior on their computers.


How has it been abused?

Cobalt is a key ingredient in the lithium-ion batteries that power electric vehicles and phones. Unfortunately, the mining of cobalt often leads to human rights abuses, including child labor and unsafe working conditions.

A recent study found that over half of the global supply of cobalt comes from the Democratic Republic of Congo (DRC), where one in ten children work in mines despite the DRC having outlawed child labor for those under 18 years old in 2012.

Cobalt can be hard to trace back to its origin due to processes like smelting and refining, which can mix together different sources or batches of materials. So even if companies pledge not to use any cobalt mined by children, they may still be using some from DRC mines that employ children anyway.


What does this mean for the future of Cobalt Strike?

We know that the refining of cobalt from an ore to a metal can involve serious human rights abuses. These can include labor trafficking, hazardous working conditions, and child labor. In response to this issue, Google Cobalt Strike has announced that it is banning the purchase of cobalt mined by hand in Congo. This will mean that in order to sell cobalt, mining companies will need to provide evidence that they are not using child labor and are complying with local regulations. However, even with these changes, there is still a long way to go before we see a fair system in place for all parties involved.

1 Expert Comment

Matt Mullins, Senior Security Researcher, InfoSec Expert
November 23, 2022 11:12 am

GCTI’s efforts to signature the variations of leaked/cracked versions of Cobalt Strike are a great start for the DFIR community. The rules provided specifically call out each version, the critical strings/naming conventions for the defaults of that version, as well as some of the critical aspects of assembly associated with those actions. This provides a very high fidelity detection of those associated versions, which are being widely spread and used by threat actors. This information takes a lot of the heavy lift away from internal teams that might not have the technical skillset or resources to triangulate onto the discernible bits effectively.

Considering that these threat actors typically target the softer targets, which as stated above might not have the resources or internal tribal knowledge to signature CS, these rules are going to impact the Return on Investment (or ROI) of criminal groups. With a less profitable avenue to be exploited on these medium to smaller businesses, some groups will have to shift tactics while others might fade away from prominence. This is great because simple operators will have a harder time getting into these networks with their “large net” exercises.

The flip side is that more advanced groups will easily bypass a good portion of these detections since they are publicly available. One of the harder aspects of running a good Red Team operation is to safely identify defensive capabilities and maneuver around them. With these detections available, not only can more advanced threat actors roll their evasions into their baseline, but they could also use these detections to mimic a less sophisticated actor in order to divert blame for who attacked a target.

The VirusTotal Collections function is going to be a welcome extension to VT’s capability. This will more than likely provide a better “one stop shop” lens on what a particular APT does on a regular basis and will also allow individuals without an intelligence feed/team to explore what is currently going on in the wild. A net positive for a tool that has already provided a lot of good information to the DFIR community (as well as interesting intelligence and capabilities to the offensive community).

Information Security Buzz