Weaponized pen testers are becoming a popular tool for hackers
Malicious adaptations of widely used red teaming tools like Cobalt Strike and Metasploit have emerged as a significant disruptor in the cybersecurity landscape, becoming a prevalent strategy in malware campaigns, according to research conducted by threat-hunting firm Elastic. These conventional penetration testing tools have been weaponized to account for nearly half of all malware activities in 2024, marking a significant shift in the tactics employed by threat actors.

In a report released by Elastic Security Labs, researchers found that the most commonly observed malware families were correlated to offensive security tools (OSTs), with Cobalt Strike, Metasploit, Sliver, DONUTLOADER, and Meterpreter comprising about two-thirds of all malware instances detected last year. This trend highlights the increasing reliance of threat actors on these tools to carry out malicious activities and infiltrate enterprise environments.

One of the key findings of the Elastic research is the rampant misconfiguration of cloud environments by enterprises, resulting in heightened adversarial activities. Attackers are also transitioning from defense evasion techniques to direct credential access, indicating a shift in their strategies to bypass traditional security measures and gain unauthorized access to sensitive information.

Cobalt Strike and Metasploit were identified as the most prevalent OSTs in the Elastic research, accounting for 27% and 18% of the observed instances, respectively. Other tools such as Sliver, DONUTLOADER, and Meterpreter were also commonly used by threat actors to exploit vulnerabilities in enterprise systems. The open-source nature of these tools further complicates the efforts of security teams to defend against them, as they become more accessible to malicious actors with minimal technical capabilities.

Devon Kerr, director at Elastic Security Labs, emphasized the attractiveness of these tools to adversaries due to their ease of deployment and effectiveness in compromising target systems. The widespread availability of Windows systems made them the primary target for malware deployment, followed by Linux hosts, while macOS devices were least affected by malicious activities.

Furthermore, the research highlighted the prevalence of malware disguised as legitimate software (trojans), constituting the majority of observed malware instances. Enterprises using popular cloud platforms like AWS, Google Cloud, and Microsoft Azure were found to fall short of secure configuration guidelines, with notable weaknesses in areas such as storage, networking, and identity and access management (IAM).

As threat actors evolve their tactics to bypass traditional security measures, it is imperative for organizations to enhance their cybersecurity capabilities and policies to effectively combat these malicious activities. The findings of the 2024 Elastic Global Threat Report underscore the importance of proactive defense strategies and the need for continuous monitoring and response to emerging cybersecurity threats. With adversaries increasingly focusing on credential access and legitimate credential gathering techniques, organizations must prioritize the protection of sensitive data and implement robust security measures to safeguard against potential breaches and intrusions.