Cybercriminals used fake Windows Proof-of-Concept (PoC) exploits to infect security researchers with the Cobalt Strike backdoor. In this newly discovered series of attacks, the perpetrators leveraged recently patched Windows remote code execution flaws, as follows:
Infosec community members often analyze Microsoft’s fixes for known vulnerabilities and release PoC exploits on relevant platforms, such as GitHub. Security researchers often rely on these PoC exploits to develop defense mechanisms and urge sysadmins to patch vulnerable systems.
A threat actor published two PoC exploits on GitHub last week for the vulnerabilities above (CVE-2022-24500 and CVE-2022-26809). The perpetrator published the fake PoC exploits in repositories for a user named ‘rkxxz,’ as Bleeping Computer reported. GitHub removed the account and has taken down the exploits.
The fake PoCs garnered significant traction, with users quickly spreading the word about them on social media platforms (Twitter, Reddit) and even threat actors mentioning them on hacking forums.
However, it didn’t take long for security researchers to figure out their malicious nature. As it turns out, the proof-of-concept exploits were used to drop Cobalt Strike beacons on vulnerable devices. Cybersecurity expert reports have shown that CVE-2022-24500 PoC was a .NET application mimicking an IP address exploit that would open a backdoor on compromised systems.
Although Cobalt Strike is a legitimate pentesting utility, threat actors often use it to breach vulnerable systems and use lateral movement techniques to spread further on the organization’s network.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 24, 2024
December 19, 2024
November 14, 2024