Delaware, USA – November 23, 2017 – Attackers from the infamous Cobalt hacker group have changed their primary targets and their techniques for installing a malicious payload on victims' systems. The campaign against organizations in the CIS countries began this summer; adversaries used RTF documents that exploited CVE-2017-0199 to attack small and medium businesses. Researchers from Trend Micro discovered that at the end of August they switched to targeting employees of financial institutions. In phishing emails, the hackers posed as clients of these institutions or as cybersecurity organizations. In the first attack wave they used malicious RTF files, but in subsequent waves the attackers began exploiting CVE-2017-8759 (a security update is now available). In all cases, their final goal was to install the Cobalt Strike tool on compromised systems.
The Cobalt hacker group has changed tactics within a short period and continues to search for new and more efficient infection techniques; the popular pentester tool Cobalt Strike allows them both to steal data from an infected system and to penetrate other systems using Mimikatz. You can detect credential dumping attempts using honey credentials and the Mimikatz Defense Framework, which allows a SIEM administrator to discover the use of such credentials on a compromised system.
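The honey-credential idea above rests on one rule: a decoy account exists only as bait, so any authentication attempt with it is a high-fidelity signal that credentials were dumped and replayed. The following Python is an added illustration of that SIEM-side check, not code from the article, from the Mimikatz Defense Framework, or from any vendor. The decoy account names, host names, IP addresses and the flattened key=value log format are all constructed for the example; a real deployment would read the same Windows Security event IDs (4624, 4625, 4648, 4768, 4776) from its own log pipeline.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Decoy (honey) accounts that are never used legitimately. Any logon attempt
# naming one of them is suspicious. Names are constructed for this example.
HONEY_ACCOUNTS = {"svc_backup_legacy", "adm_finance_old"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENT_IDS = {
    "4624": "successful logon",
    "4625": "failed logon",
    "4648": "logon with explicit credentials",
    "4768": "Kerberos TGT request",
    "4776": "NTLM credential validation",
}

# Constructed sample events in a flattened key=value style a SIEM might emit.
# Lines 3-5 show one workstation replaying both decoy accounts; the rest is
# ordinary user activity that must not alert.
SAMPLE_LOG = """\
2017-11-20T09:12:03Z EventID=4624 Computer=FIN-WS-017 TargetUserName=j.smith IpAddress=10.20.3.17 LogonType=2
2017-11-20T09:15:44Z EventID=4625 Computer=FIN-WS-017 TargetUserName=j.smith IpAddress=10.20.3.17 LogonType=2
2017-11-20T11:02:51Z EventID=4648 Computer=FIN-WS-017 TargetUserName=svc_backup_legacy IpAddress=10.20.3.17 LogonType=3
2017-11-20T11:02:52Z EventID=4625 Computer=FIN-DC-01 TargetUserName=svc_backup_legacy IpAddress=10.20.3.17 LogonType=3
2017-11-20T11:03:10Z EventID=4768 Computer=FIN-DC-01 TargetUserName=adm_finance_old IpAddress=10.20.3.17 LogonType=-
2017-11-20T11:10:00Z EventID=4624 Computer=FIN-WS-022 TargetUserName=m.jones IpAddress=10.20.3.22 LogonType=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: str
    description: str
    computer: str
    account: str
    source_ip: str


def parse_line(line):
    """Split one flattened event line into a dict of its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def detect_honey_credential_use(log_text, honey_accounts=HONEY_ACCOUNTS):
    """Return an Alert for every authentication event that names a decoy account.

    Matching is case-insensitive because Windows account names are, and both
    failed and successful attempts count: with a decoy, the attempt itself is
    the evidence, not its outcome.
    """
    decoys = {a.lower() for a in honey_accounts}
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        event_id = f.get("EventID", "")
        account = f.get("TargetUserName", "")
        if event_id in AUTH_EVENT_IDS and account.lower() in decoys:
            alerts.append(Alert(
                timestamp=f["ts"],
                event_id=event_id,
                description=AUTH_EVENT_IDS[event_id],
                computer=f.get("Computer", "?"),
                account=account,
                source_ip=f.get("IpAddress", "?"),
            ))
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source IP so the analyst sees which host replayed the decoys."""
    return dict(Counter(a.source_ip for a in alerts))


if __name__ == "__main__":
    found = detect_honey_credential_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.event_id} ({a.description}) "
              f"{a.account} from {a.source_ip} on {a.computer}")
    print("per-source counts:", summarize_by_source(found))
```

The summary step matters in practice: a single workstation generating decoy-account events against several hosts, as in the sample, is the pattern to expect when dumped credentials are being replayed for lateral movement, and it is the host to isolate first.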