Google Cloud Platform now automatically detects highly common ransomware dropper
Cobalt Strike is one of the most widely abused cyber security tools on the market and the latest measures aim to prevent cloud-based cyber attacks
Google Cloud has added new features for customers that protect against nearly all major versions of the widely abused Cobalt Strike penetration testing tool.
Through the release of new open-sourced YARA rules, Google Cloud customers can now benefit from a wide selection of detection signatures for all versions of Cobalt Strike dating back to 2012.
Cobalt Strike is a legitimate, commercial penetration testing tool often used in red team cyber security training exercises.
It’s also widely cracked, shared, and abused by threat actors for intrusion and lateral movement in malicious real-world attacks.
The software suite comes pre-loaded with easy-to-execute hacking tools and is among the most widely used programs to conduct remote access attacks and drop malware payloads.
Google Cloud has added 165 detection signatures covering more than 300 different Cobalt Strike binaries, which are differentiated by unique JAR files, stagers, templates, and beacons.
“We are releasing to the community a set of open-source YARA rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions,” said Google Cloud in a blog post.
“Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyber attacks, we hope that by disrupting its use we can help protect organisations, their employees, and their customers around the globe.”
Cobalt Strike is used by a wide range of hackers: it has featured in ransomware attacks from the likes of Ryuk and BlackCat, and in the dropping of the Raspberry Robin worm which, in turn, has been used to drop LockBit and Cl0p ransomware.
Google Cloud’s new YARA rules will help many of its customers automatically detect the use of Cobalt Strike and prevent attacks in their early stages, ideally before damaging malware can be deployed.
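To show how a version-tagged signature set of the kind described above is applied on the defender's side, here is an added example that is not Google's code and does not use Google's rules: a small Python matcher for a subset of YARA rule syntax (meta, text strings, hex strings with `??` wildcards, and "all of / any of / N of them" conditions), run over constructed byte blobs. The rule names, version strings, byte patterns and samples are all invented placeholders, not real Cobalt Strike indicators; real rule sets are run with the actual yara engine, this toy only illustrates the matching and version-attribution logic.

```python
"""Toy YARA-subset matcher (added example; not Google's rules, not the yara engine).

Shows how a rule set whose rules carry a version in their meta section,
like the Cobalt Strike rules the article describes, attributes a scanned
blob to a tool version. All rules, patterns and samples are constructed.
"""
import re

# Constructed rules in a YARA-like subset. The patterns are placeholders,
# NOT real Cobalt Strike signatures.
RULES_TEXT = r'''
rule Example_Tool_v1 {
    meta:
        version = "1.0"
    strings:
        $s1 = "EXAMPLE-BEACON-CONFIG"
        $s2 = "example-v1-marker"
        $h1 = { 4D 5A ?? ?? 50 45 }
    condition:
        all of them
}
rule Example_Tool_v2 {
    meta:
        version = "2.0"
    strings:
        $s1 = "EXAMPLE-BEACON-CONFIG"
        $s2 = "example-sleep-mask"
        $s3 = "example-v2-marker"
        $h1 = { 4D 5A ?? ?? 50 45 }
    condition:
        3 of them
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
SECTION_RE = re.compile(
    r'(meta|strings|condition):\s*(.*?)(?=\n\s*(?:meta|strings|condition):|\Z)', re.S)
META_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
STR_RE = re.compile(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})')
COND_RE = re.compile(r'^(all|any|\d+)\s+of\s+them$')


def hex_to_regex(hex_body):
    """Turn a YARA hex string such as '4D 5A ?? 50' into a bytes regex."""
    parts = [b'.' if tok == '??' else re.escape(bytes([int(tok, 16)]))
             for tok in hex_body.split()]
    return re.compile(b''.join(parts), re.S)


def parse_rules(text):
    """Parse the supported subset into a list of rule dicts."""
    rules = []
    for name, body in RULE_RE.findall(text):
        secs = dict(SECTION_RE.findall(body))
        meta = dict(META_RE.findall(secs.get('meta', '')))
        patterns = {}
        for ident, txt, hx in STR_RE.findall(secs.get('strings', '')):
            patterns[ident] = hex_to_regex(hx) if hx.strip() else re.compile(re.escape(txt.encode()))
        cond = secs.get('condition', '').strip()
        if not COND_RE.match(cond):
            raise ValueError(f'unsupported condition in {name}: {cond!r}')
        rules.append({'name': name, 'meta': meta, 'strings': patterns, 'condition': cond})
    return rules


def evaluate(rule, data):
    """Return (matched, per-string hits) for one rule against one blob."""
    hits = {ident: bool(rx.search(data)) for ident, rx in rule['strings'].items()}
    quant = COND_RE.match(rule['condition']).group(1)
    need = len(hits) if quant == 'all' else 1 if quant == 'any' else int(quant)
    return sum(hits.values()) >= need, hits


def scan(rules, data):
    """Return [(rule_name, version)] for every rule that matches the blob."""
    return [(r['name'], r['meta'].get('version', '?'))
            for r in rules if evaluate(r, data)[0]]


# Constructed sample blobs: a fake MZ/PE header plus marker strings.
SAMPLES = {
    'blob_v1': b'MZ\x90\x00PE\x00\x00 EXAMPLE-BEACON-CONFIG example-v1-marker',
    'blob_v2': b'MZ\x90\x00PE\x00\x00 EXAMPLE-BEACON-CONFIG example-v2-marker',
    'benign': b'hello world, nothing of interest here',
}
RULES = parse_rules(RULES_TEXT)

if __name__ == '__main__':
    for label, blob in SAMPLES.items():
        print(label, '->', scan(RULES, blob) or 'no match')
```

Note that `blob_v2` lacks the `example-sleep-mask` string yet still matches `Example_Tool_v2`, because its condition only requires three of four strings; that tolerance is what lets version-specific rules keep firing on lightly modified builds while the stricter v1 rule stays silent.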
These are the latest measures taken by the cloud platform in its ongoing efforts to make the cloud more secure as cyber criminals continue to target the points of greatest value to organisations.
Google Cloud extended its partnership with cyber security company MITRE earlier this year to develop open-sourced queries that aid threat hunting in cloud environments.
Through the release of YARA rules, the initiative aimed to make it easier for customers to proactively look for security threats, replacing what Google Cloud said is usually a complex task that requires deep knowledge of diverse security signals.
The ‘big three’ public cloud provider has also fortified its Chronicle platform this year, first through the February acquisition of Siemplify and again in August with the general availability of new threat detection capabilities.
The company also drew attention to the growing issue of cryptomining in enterprise cloud environments earlier this year.
It said cryptomining was an increasingly popular, financially-motivated attack on cloud customers and in more than half (58%) of cases the malware used was installed within 22 seconds of compromising the platform.