Enterprises running both VMware and Microsoft Windows Defender need to be wary of Cobalt Strike attacks: threat actors have worked out how to deploy Cobalt Strike payloads using Windows Defender's own command-line tools.
A threat actor associated with the LockBit 3.0 ransomware group was observed by security firm SentinelOne doing exactly that after breaking into a VMware Horizon server.
The VMware server was unpatched against the Log4j vulnerability, which is what gave the attacker access. That is one more thing for administrators to worry about.
“The initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon Server. The attackers modified the Blast Secure Gateway component of the application installing a web shell using PowerShell code…
Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,”
Avoiding detection is crucial for intruders who want to keep their foothold in a compromised system for as long as possible and do as much damage as possible. One way to do that is to deliver payloads through legitimate, already-trusted software functions and tools, so that security software does not flag the activity.
The attacker in this case used the Microsoft Defender Antivirus command-line tool MpCmdRun.exe, launched through PowerShell, to fetch Cobalt Strike from a remote server. This technique, known as living off the land (LotL), is not uncommon.
According to SentinelOne, this appears to be a growing trend among attackers seeking to avoid or minimize detection by the analysis and debugging efforts of security companies. In a similar incident, the intruder used VMware's VMwareXferlogs tool instead of the Defender binary to deploy Cobalt Strike.
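The defensive counterpart to the technique described above is to watch for the trusted binaries being driven from an unexpected parent or pointed at a remote server. The following script is an added example written for this article, not code from SentinelOne or from either vendor; it scans process-creation events in a simplified JSON-lines format modelled on Sysmon Event ID 1 fields. The sample events, the `example.invalid` URL and the process IDs are all constructed for illustration.

```python
"""
Flag living-off-the-land use of vendor binaries (Defender's MpCmdRun.exe,
VMware's VMwareXferlogs.exe) that the article describes: the binary being
spawned from a shell such as PowerShell, and/or its command line pointing
at a remote URL. Input events are constructed here; they are not real
telemetry from the incident.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries the article names as having been abused for payload delivery.
WATCHED_IMAGES = {"mpcmdrun.exe", "vmwarexferlogs.exe"}
# Parents from which these binaries are not expected to be launched in
# normal operation (interactive shells and a web server worker, since the
# intrusion started from a web shell).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "w3wp.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    reasons: List[str]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if a watched binary is launched suspiciously."""
    image = _basename(ev["Image"])
    if image not in WATCHED_IMAGES:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if URL_RE.search(ev.get("CommandLine", "")):
        reasons.append("command line references a remote URL")
    if not reasons:
        return None
    return Finding(int(ev["ProcessId"]), image, parent, reasons)


def scan(lines) -> List[Finding]:
    """Parse JSON-lines process-creation events and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = inspect_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (hypothetical paths, PIDs and URL).
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "MpCmdRun.exe -Scan -ScanType 1"}
{"ProcessId": 5312, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "MpCmdRun.exe <args elided> http://example.invalid/stage"}
{"ProcessId": 5340, "Image": "C:\\Program Files\\VMware\\VMware Tools\\VMwareXferlogs.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "VMwareXferlogs.exe"}
{"ProcessId": 6001, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"PID {f.pid}: {f.image} <- {f.parent}: {'; '.join(f.reasons)}")
```

The scheduled-scan event (PID 4120) passes because a service host launching MpCmdRun.exe with scan arguments is routine; the two PowerShell-launched events are reported, the Defender one on both counts. In a real deployment the parent allow-list and the URL check would be tuned per environment, since some legitimate automation does drive these tools from scripts.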
What spurred SentinelOne's research is the prevalence of stolen access credentials for managed service providers (MSPs) being sold by initial access brokers (IABs) to other threat actors online. These are dangerous and far-reaching because many enterprises rely on MSPs for infrastructure management and security: one compromised MSP can lead to many enterprise breaches, and combined with this technique the results could be devastating.
Much like HIV, which turns the body's own defences against it, the party in charge of security is compromised and becomes the vector of infection. Cybersecurity authorities in the US, UK, New Zealand, Canada, and Australia have already warned companies and ISPs about this threat.
“MSPs remain an attractive supply chain target for attackers, particularly IABs,”
–Harlan Carvey, researcher, Huntress
“…tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”
This means enterprise managers need to confirm with their managed service providers that they are aware of this threat and have them run the proper system scans, on the enterprise's machines as well as on their own. It also means that tools granted security exceptions need to be reviewed, and exempted from security controls only when genuinely required.