On May 19th, 2022, researchers identified two files hosted by the popular software development hosting provider GitHub that posed as Proof-of-Concept exploits but were in fact malicious software. The files targeted members of the InfoSec community in what has been described as a Cobalt Strike attack.
The two files were disguised as Proof-of-Concept exploits for Windows vulnerabilities that Microsoft fixed in April 2022. It is unknown how many people executed the malicious files or whether any systems were compromised, but it is likely that most researchers would have tested the files in a sandbox environment, which limits the potential impact.
What is InfoSec?
InfoSec is the shortened name for Information Security and refers to the community of people committed to preventing cyberattacks or at least reducing the likelihood of such events. If attacks like this occur, this community also works to mitigate any potential impact.
InfoSec work centres on a model known as the CIA Triad, the core of which is protecting data confidentiality, integrity, and availability. Alongside this, the community implements effective policies backed by structured risk management.
What is a Cobalt Strike, and how did it happen?
Cobalt Strike is a publicly available red team command-and-control framework. The term ‘red team’ refers to a group that plays the role of an adversary launching a cyberattack so that defences can be tested.
Threat actors can use Cobalt Strike to connect to a compromised network, allowing them to access data and maintain a persistent command-and-control channel. In this case, the connection would have been established when the malware (disguised as fake Windows Proof-of-Concept files) was executed.
How was this attack executed?
The individuals behind the attack disguised the files as Proof-of-Concept exploits for the Windows remote code execution vulnerabilities CVE-2022-24500 and CVE-2022-26809.
Generally, when Microsoft releases a patch for a vulnerability, InfoSec members analyse it and publish Proof-of-Concept software on GitHub so that the rest of the community can work with it. Researchers use Proof-of-Concept exploits to test their own systems and to demonstrate to administrators that new security updates need to be installed. Unfortunately, attackers can abuse this process by disguising malicious files as Proof-of-Concept code to gain access to information and networks.
This particular file was a .NET application that exploited IP addresses and created a backdoor, giving the attacker access to the victim’s device and network. The application executes a file that in turn launches a gzip-compressed PowerShell script. This type of attack is nothing new, but it appears that some members of the InfoSec community downloaded the well-disguised files.
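The two passages above describe both the risk (Proof-of-Concept repositories are routinely cloned and run by researchers) and the loader pattern used here (a launcher that inflates a gzip-compressed blob into a PowerShell script). The following script is an added example written for this article, not code from the article or from any of the parties it describes. It triages a downloaded repository offline before anything is executed: it lists compiled artifacts that a source-only PoC should not contain, looks for decompress-and-execute loader idioms, and tries to base64-decode and gunzip any long blob to see whether a script is hiding inside. The file extensions, marker strings and regular expressions are the editor's assumptions, and the sample repository it scans is constructed in a temporary directory with a harmless inner payload.

```python
"""Offline triage of a cloned "Proof-of-Concept" repository before it is run.

Added example for this article; the heuristics below are the editor's
assumptions, not a description of the real malicious files.
"""
import base64
import binascii
import gzip
import os
import re
import tempfile
import zlib
from typing import Optional

# Loader idioms matching the pattern the article describes: decode base64,
# inflate a gzip stream, hand the text to PowerShell. Checked case-insensitively.
LOADER_MARKERS = ("frombase64string", "gzipstream", "invoke-expression", "iex ")

# Compiled artifacts that a source-only PoC repo has no reason to ship (assumption).
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".scr"}

# A run of 40+ base64 characters is long enough to hide a compressed script.
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Cmdlet-shaped tokens used to decide whether a decoded blob looks like PowerShell.
POWERSHELL_RE = re.compile(r"(?i)\b(invoke|write|start|new|set|get)-[a-z]+\b")


def decode_gzip_blob(blob: bytes) -> Optional[bytes]:
    """Return the inflated bytes if blob is base64 wrapping a gzip stream, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if raw[:2] != b"\x1f\x8b":  # gzip magic number
        return None
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):
        return None


def scan_text(data: bytes) -> dict:
    """Find loader idioms and any embedded, gzip-compressed script in one file."""
    lowered = data.lower()
    findings = {
        "loader_markers": [m for m in LOADER_MARKERS if m.encode() in lowered],
        "embedded_scripts": [],
    }
    for match in BASE64_RE.finditer(data):
        payload = decode_gzip_blob(match.group(0))
        if payload is None:
            continue
        text = payload.decode("utf-8", errors="replace")
        if POWERSHELL_RE.search(text):
            findings["embedded_scripts"].append(text[:80])
    return findings


def triage_repo(root: str) -> dict:
    """Walk a checked-out repository and report binaries and loader-like files."""
    report = {"binaries": [], "loader_files": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
                report["binaries"].append(rel)
            with open(path, "rb") as fh:
                findings = scan_text(fh.read())
            if findings["loader_markers"] or findings["embedded_scripts"]:
                report["loader_files"].append((rel, findings))
    report["binaries"].sort()
    report["loader_files"].sort()
    return report


def build_sample_repo() -> str:
    """Constructed sample: a clean helper, a stub .exe, and a launcher that carries
    a base64-wrapped, gzip-compressed (harmless) PowerShell snippet."""
    root = tempfile.mkdtemp(prefix="poc_triage_")
    inner = "Write-Host 'constructed sample payload'"  # benign stand-in for the hidden script
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    launcher = (
        "$d = [Convert]::FromBase64String('" + blob + "')\n"
        "$s = New-Object IO.Compression.GzipStream($m, [IO.Compression.CompressionMode]::Decompress)\n"
        "# constructed launcher: a real loader would pass the inflated text to Invoke-Expression\n"
    )
    with open(os.path.join(root, "helper.py"), "w") as fh:
        fh.write("print('clean PoC helper')\n")
    with open(os.path.join(root, "stub.exe"), "wb") as fh:
        fh.write(b"MZ constructed stub, not a real executable")
    with open(os.path.join(root, "launch.ps1"), "w") as fh:
        fh.write(launcher)
    return root


if __name__ == "__main__":
    for key, value in triage_repo(build_sample_repo()).items():
        print(key, value)
```

Run it as-is and it reports the stub executable and the launcher with the markers it matched plus the first line of the decoded script; point `triage_repo` at a real clone to get the same report for it. A clean hit on `loader_markers` or `embedded_scripts` is a reason to read the file by hand in an isolated environment, not proof of malice, because legitimate tooling also compresses and decodes scripts.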
What action was taken?
Fortunately, the attack was identified quickly, allowing swift action to be taken.
GitHub has since removed the files from the repositories and deleted the account that created them. The account belonged to a user named ‘rkxxz.’
News of the attack spread quickly on Twitter and hacking forums, and the response was prompt and effective.
What did the attackers have to gain?
The attacker(s) could have been looking to gain access to any vulnerability findings the victim may have been working on. However, the more likely scenario is that they were attempting to gain access to the network of a cybersecurity company.
By achieving this, the attacker would likely have had access to a range of potentially valuable information, including:
- Detailed vulnerability assessments
- Unresolved security holes
- Details for accessing client networks remotely
Using this information, the attacker could have had everything they needed to commit fraudulent activity and access financial records. A recent report by TheCyberWire shows that ransomware attacks are on the rise, with many of them linked to the war between Russia and Ukraine.
For both the InfoSec community and everyday internet users, an advanced VPN is one of the best ways to help protect from such attacks, helping to cloak IP addresses and protect your online activity.
Has there been a cyberattack like this before?
This is far from the first attack of this kind; there have been numerous high-profile incidents in the last 18 months alone that targeted the InfoSec community. A North Korean hacking group named Lazarus has been credited with at least two major attacks during this period.
Back in January 2021, Lazarus targeted vulnerability researchers through fake social media accounts and zero-day web browser vulnerabilities. A zero-day vulnerability is one that has been disclosed but not yet patched, giving hackers a brief window in which to take advantage of it.
Lazarus launched another attack in November 2021 that targeted a top global financial institution, the International Development Association (IDA). It involved a Trojan virus (specifically the NukeSpeed remote access virus) hidden in a professional reverse engineering application developed by the IDA.
Fake Windows Cobalt Strike — A Conclusion
This may be a lot of information to take in, especially if you are new to the cyber and information security world. Here’s a condensed and digestible summary:
- On May 19th, 2022, InfoSec researchers identified two malicious files hosted on GitHub, disguised as fake Windows Proof-of-Concept files. The PoC files in question claimed to target the remote code execution vulnerabilities CVE-2022-24500 and CVE-2022-26809.
- The executable files launched what is known as a Cobalt Strike, allowing the attacker to create a persistent connection on the victim’s network. This would enable them to access a range of sensitive information.
- Once identified, news of the Cobalt Strike was quickly reported on Twitter and hacking forums.
- GitHub responded by removing the files in question and then deleted the account that uploaded them, belonging to a user named ‘rkxxz.’
- If successful, the attacker might have gained remote access to the researcher’s network or even the cyber security companies they work for, allowing them to discover details regarding security vulnerabilities.
- It is unknown how many members of the InfoSec community may have downloaded the malicious files. However, testing is usually conducted in a sandbox environment, reducing any potential impact.
Image Credit: Pixabay
Lee Li is a project manager and B2B copywriter with a decade of experience in the Chinese fintech startup space as a PM for TaoBao, MeitTuan, and DouYin (now TikTok).