Cybercriminals are deploying legit security tools far more than before, researchers conclude

Hackers are also turning to trusted services like Dropbox and Google Drive to host and distribute malware.
The FIN7 hacking group stole more than 15 million payment cards from businesses throughout the U.S., according to the FBI (Flickr/Vilson Frangaj).

Financially motivated cybercriminals are increasingly turning to Cobalt Strike, a legitimate tool that cybersecurity professionals use to test system security, researchers at Proofpoint found.

The cybersecurity firm declined to disclose specific numbers but reported a 161% increase in attacks using Cobalt Strike in 2020 compared to 2019. Proofpoint researchers have already seen tens of thousands of organizations targeted by the tool this year and expect those numbers to climb in 2021, according to the report the firm released Tuesday.

Threat groups are able to get hold of the tool from pirated versions circulating on the dark web, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

Cobalt Strike is a popular tool for security testing because of the variety of attacks it enables. Most notable among them is Cobalt Strike Beacon, malware that allows hackers to mask their activity and communications with a system once it has been infiltrated. Russian hackers behind the SolarWinds campaign reportedly used a customized version of the malware as part of a multi-pronged approach. The tool has also gained popularity with ransomware gangs as a way to install a second payload after they’ve infiltrated a system.
Cobalt Strike has been used by major cybercriminal groups including FIN7 and the Conti ransomware group, as well as Chinese and Russian state-sponsored attackers.

Proofpoint’s data suggests that use by cybercriminals has overtaken that of state-linked groups often known as “advanced persistent threats,” showing just how mainstream it has gone. The uptick speaks to a long-standing tension in the cybersecurity community: Nearly any tool will be exploited by the bad guys eventually.

“Offensive security tools are not inherently evil, but it is worth examining how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike,” DeGrippo wrote. “Financially motivated threat actors are now armed similarly to those financed and backed by various governments.”

Researchers at Proofpoint have also seen an increase in attacks using security testing tools such as Mythic, Meterpreter and the Veil Framework.

Cybercriminals are also turning to trusted services like Dropbox, Google Drive, SendGrid and Constant Contact to host and distribute malware.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.