Malicious adaptations of popular red teaming tools like Cobalt Strike and Metasploit are causing substantial disruption, emerging as a dominant strategy in malware campaigns.
According to research by threat-hunting firm Elastic, known for its search-powered solutions, these two conventional penetration testing tools were weaponized to account for almost half of all malware activities in 2024.
“The most commonly seen malware families correlated primarily to offensive security tools (OSTs) — a significant increase since last year,” said researchers from Elastic Security Labs in the report. “Cobalt Strike, Metasploit, Sliver, DONUTLOADER, and Meterpreter represent about two-thirds of all malware we saw last year.”
Other key findings of the Elastic research were widespread misconfiguration of cloud environments by enterprises, which gives adversaries more room to operate, and a shift by attackers away from defense evasion toward direct credential access.
A good defense becomes the best offense
Cobalt Strike (27%) and Metasploit (18%) were the two most common OSTs observed in the Elastic research. Other such tools included Sliver (9%), DonutLoader (7%), and Meterpreter (5%).
Being able to use a tool purpose-built to find and exploit weaknesses in enterprise environments is a significant advantage for adversaries, the researchers pointed out. When such a tool is also open source, the problem for enterprise security teams worsens, because the tool becomes freely available to malicious actors as well.
“Cobalt Strike and Metasploit have both played a role in threat activity for quite some time, Metasploit being open (source),” said Devon Kerr, director at Elastic Security Labs. “But we also see new flavors of open-source malware available to the folks. Sliver, in particular, made a really big showing this year.”
Kerr further explained that these tools are particularly attractive to adversaries with minimal technical capabilities. “They can go deploy these tools, and in some environments, they’ll work automatically, and in others, with some modification, they’ll be successful,” Kerr said.
The widespread use of the same off-the-shelf tools also makes it harder to attribute malicious activity to a particular actor, Kerr added.
Additionally, the research noted that most malware observations were on Windows systems (66%), owing to the operating system’s widespread deployment, followed by Linux hosts (32%). macOS was the least affected, with under 2% of malware observations.
Malware masquerading as legitimate software (trojans) was the most observed (82%) malware category.
Enterprises failing due diligence
A large number of enterprises using popular cloud platforms failed CIS secure-configuration benchmark checks. The overall posture scores for AWS, Google Cloud, and Microsoft Azure users were 57, 47, and 45 out of 100, respectively.
“Breaking down the failed posture checks for AWS, we observed that 30% of all failed posture checks relate to S3,” the researchers said. A failed posture check is an instance where an enterprise’s configuration did not meet a stipulated security control. Networking (23%) and IAM (15.5%) were the other weak areas for AWS.
For Microsoft Azure customers, storage accounts (47%) and networking (15%) remain the areas of concern, accounting for the most failed posture checks. For Google Cloud customers, the largest shares of failed checks were in BigQuery (44%), Virtual Machines (29%), and networking (15%), the report noted.
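To make the "failed posture check" and "posture score" figures above concrete, here is a small evaluator, added for this article and not part of Elastic's research or tooling. It runs a handful of simplified CIS-style controls (public access blocking and default encryption on object storage, no internet-exposed administrative ports on security groups, MFA and key rotation on IAM users) over a constructed resource inventory, then computes a score out of 100 and the share of failures per category, which is the same shape of result the report presents. The check names, thresholds and sample resources are assumptions for illustration.

```python
"""Toy cloud posture evaluator (added example; not Elastic's code)."""
from collections import Counter

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def sg_no_open_admin_ports(sg):
    """Pass when no ingress rule exposes an admin port to the whole internet."""
    return not any(
        rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS
        for rule in sg["ingress"]
    )


# Simplified controls per resource type: (check id, category, predicate -> True on PASS).
# Ids are assumed names, not official CIS control numbers.
CHECKS = {
    "s3_bucket": [
        ("s3-block-public-access", "S3", lambda r: r["block_public_access"]),
        ("s3-default-encryption", "S3", lambda r: r["sse"] is not None),
    ],
    "security_group": [
        ("net-no-open-admin-ports", "Networking", sg_no_open_admin_ports),
    ],
    "iam_user": [
        ("iam-mfa-enabled", "IAM", lambda r: r["mfa_enabled"]),
        ("iam-access-key-rotated", "IAM", lambda r: r["access_key_age_days"] <= 90),
    ],
}

# Constructed inventory, deliberately mixing compliant and non-compliant resources.
SAMPLE_RESOURCES = [
    {"type": "s3_bucket", "name": "logs-bucket", "block_public_access": True, "sse": "AES256"},
    {"type": "s3_bucket", "name": "public-assets", "block_public_access": False, "sse": None},
    {"type": "s3_bucket", "name": "backups", "block_public_access": True, "sse": None},
    {"type": "security_group", "name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "admin-sg", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "name": "alice", "mfa_enabled": True, "access_key_age_days": 30},
    {"type": "iam_user", "name": "svc-deploy", "mfa_enabled": False, "access_key_age_days": 200},
]


def evaluate(resources):
    """Run every applicable check against every resource; one result per pair."""
    results = []
    for res in resources:
        for check_id, category, predicate in CHECKS[res["type"]]:
            results.append({
                "resource": res["name"],
                "check": check_id,
                "category": category,
                "passed": bool(predicate(res)),
            })
    return results


def posture_score(results):
    """Percentage of checks passed, rounded to a whole number (0 when nothing was checked)."""
    if not results:
        return 0
    passed = sum(1 for r in results if r["passed"])
    return round(100 * passed / len(results))


def failed_check_share(results):
    """Share of all failed checks per category, in percent (one decimal)."""
    failed = [r for r in results if not r["passed"]]
    if not failed:
        return {}
    counts = Counter(r["category"] for r in failed)
    return {cat: round(100 * n / len(failed), 1) for cat, n in counts.items()}


if __name__ == "__main__":
    res = evaluate(SAMPLE_RESOURCES)
    print("posture score:", posture_score(res))
    print("failed checks by category:", failed_check_share(res))
    for r in res:
        if not r["passed"]:
            print("FAIL", r["resource"], r["check"])
```

On the constructed inventory the score comes out at 50 with half of the failures in S3, which illustrates why a single category (S3 for AWS, storage accounts for Azure) can dominate the failed-check breakdown: storage controls are cheap to evaluate per bucket and there are usually many buckets.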
Another emerging trend identified in the research was threat actors moving away from defense evasion techniques, presumably because those are now being countered well, toward obtaining legitimate credentials, by brute force or other means, for further infiltration.
“The discoveries in the 2024 Elastic Global Threat Report reinforce the behavior we continue to witness: defender technologies are working. Our research shows a 6% decrease in Defense Evasion from last year,” said Jake King, head of threat and security intelligence at Elastic. “Adversaries are more focused on abusing security tools and investing in legitimate credential gathering to act on their objectives, which reinforces the need for organizations to have well-tuned security capabilities and policies.”
Twenty-three percent of all malicious cloud behavior was attributed to credential access, primarily in Microsoft Azure. Of those credential access attempts, 35% used brute force techniques such as credential stuffing, password spraying, and dictionary attacks, up 12% from last year, the report added.
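The brute force techniques named above leave distinct patterns in sign-in logs, and the shift toward credential gathering is exactly why tuned detections on those logs matter. The following detector is an added example written for this article, not code from Elastic: it parses a constructed sign-in log (an assumed key=value format with RFC 5737 test addresses) and flags password spraying (one source trying a few passwords against many accounts) separately from dictionary-style brute force (many failures against one account). It also records which accounts the spraying source subsequently logged into, since a successful sign-in after a spray is the credential the attacker will use next. Thresholds and window sizes are assumptions to be tuned per environment.

```python
"""Brute force credential access detection over sign-in logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a spray from 203.0.113.5 that succeeds against "frank",
# a benign typo-then-success for "alice", and a dictionary attack on "svc-backup".
SAMPLE_LOG = """\
2024-10-01T08:00:01Z user=alice src=203.0.113.5 result=failure
2024-10-01T08:00:02Z user=bob src=203.0.113.5 result=failure
2024-10-01T08:00:03Z user=carol src=203.0.113.5 result=failure
2024-10-01T08:00:04Z user=dave src=203.0.113.5 result=failure
2024-10-01T08:00:05Z user=erin src=203.0.113.5 result=failure
2024-10-01T08:00:06Z user=frank src=203.0.113.5 result=failure
2024-10-01T08:00:09Z user=frank src=203.0.113.5 result=success
2024-10-01T08:03:10Z user=alice src=192.0.2.10 result=failure
2024-10-01T08:03:20Z user=alice src=192.0.2.10 result=success
"""
# Ten rapid failures against one service account, generated to keep the sample short.
SAMPLE_LOG += "".join(
    f"2024-10-01T08:05:{i:02d}Z user=svc-backup src=198.51.100.7 result=failure\n"
    for i in range(10)
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by time; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _window_max(evs, window, metric):
    """Largest value of metric(events) over any time window of length `window` (evs sorted by ts)."""
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        best = max(best, metric(evs[start:end + 1]))
    return best


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failed sign-ins span >= min_users distinct accounts within `window`."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_src[e["src"]].append(e)
    alerts = []
    for src, evs in failures_by_src.items():
        distinct = _window_max(evs, window, lambda w: len({e["user"] for e in w}))
        if distinct >= min_users:
            # Accounts the same source later signed into: the credentials the spray yielded.
            compromised = sorted(
                {e["user"] for e in events if e["src"] == src and e["result"] == "success"}
            )
            alerts.append({
                "type": "password_spraying",
                "src": src,
                "distinct_users": distinct,
                "successful_logins": compromised,
            })
    return alerts


def detect_dictionary_attack(events, window=timedelta(minutes=10), min_failures=8):
    """Flag accounts with >= min_failures failed sign-ins within `window`, from any source."""
    failures_by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_user[e["user"]].append(e)
    alerts = []
    for user, evs in failures_by_user.items():
        failures = _window_max(evs, window, len)
        if failures >= min_failures:
            alerts.append({"type": "dictionary_attack", "user": user, "failures": failures})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_password_spraying(evs) + detect_dictionary_attack(evs):
        print(alert)
```

Keying spraying on the source and dictionary attacks on the target account is what keeps the benign case (one user mistyping a password and then succeeding) below both thresholds. In production the source key would usually be widened beyond a single IP, since spraying is commonly distributed across many addresses, and the successful_logins field is the one to route to responders first.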