Top 3 Tools Used by Cyberattackers in 2020 and Early 2021

Top 3 Tools Used by Cyberattackers in 2020 and Early 2021

Three legitimate pentesting tools – PowerShell, Cobalt Strike, and PsExec – topped the list of tools used by cyberattackers in breaking into victims’ networks in 2020 and early 2021, according to Sophos’ report based from frontline threat hunters and incident responders.

In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell, followed by Cobalt Strike, and PsExec are the top 3 tools used by cyberattackers in 2020 and early 2021.

PowerShell, Cobalt Strike, and PsExec are legitimate tools used by IT administrators and security professionals for penetration testing, also known as pentesting – an authorized simulated cyberattack against an organization’s computer system to examine exploitable vulnerabilities. Threat actors, however, have been using these same pentesting tools to break into victims’ networks.

According to Sophos report, correlations emerge among the top 3 tools found in victims’ networks. The report added that when PowerShell is used in an attack, Cobalt Strike was seen in 58% of cases, and PsExec in 49% of cases; Cobalt Strike and PsExec were used together in 27% of attacks; and the combination of Cobalt Strike, PowerShell, and PsExec occurs in 12% of all attacks.

PowerShell

PowerShell is a task-based command-line shell and scripting language designed for system administration in the Windows operating system. Attackers use PowerShell to conduct a number of malicious activities, including executing malicious code, creating new tasks on remote machines, identifying configuration settings, pulling Active Directory information from the target environment, evading defenses, exfiltrating data, and executing other commands.

The malicious software called “Emotet” has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report. Mimikatz is capable of obtaining plaintext Windows account logins and passwords.

PsExec

PsExec is a free Microsoft tool that is used by IT administrators to execute a program on another computer. This tool has been used by attackers to download or upload a file over a network share.

Cobalt Strike

Cobalt Strike is a commercially available pentesting tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors."

This commercial pentesting tool was developed by researcher Raphael Mudge in 2012. This tool was recently acquired by HelpSystems. In 2020, the source code of Cobalt Strike version 4.0 was leaked to the public. Adversaries often use the purchased and pirated/cracked versions of Cobalt Strike.

This tool is capable of executing a payload on a remote host with PowerShell and using PsExec to execute a payload on a remote host. Cobalt Strike’s Beacon is used to perform actions such as collecting information on process details, reaching out to the command-and-control server on an arbitrary and random interval, breaking large data sets into smaller chunks for exfiltration, and capturing screenshots.

Real-World Examples

The tools PowerShell and Cobalt Strike were used in the recently unraveled supply chain attack on SolarWinds.

In the SolarWinds supply chain attack, attackers compromised the code update of SolarWinds’s product Orion, which gave the attackers the opportunity to attack customers that applied the compromised SolarWinds Orion update. The SolarWinds supply chain attack victims include cybersecurity firm FireEye and Microsoft.

In the blog post "Raindrop: New Malware Discovered in SolarWinds Investigation," security researchers at Symantec reported that the malicious software (malware) called "Raindrop" enabled the delivery of Cobalt Strike into the victims’ networks. Security researchers at Symantec reported that in the victim’s computer where the Raindrop malware was found, it was observed that several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop malware on additional computers in the organization.

The top 3 tools, PowerShell, Cobalt Strike, and PsExec, used by cyberattackers in 2020 and early 2021 were all used by the group behind the ransomware called “DoppelPaymer.” Similar to modern-day ransomware, DoppelPaymer encrypts victims’ files, locking these victims out from accessing their files, and demands from victims to pay ransom in exchange for the decryption tool that would unlock the encrypted files.

Similar to other modern ransomware, the group behind DoppelPaymer threatens victims with the publication of their stolen files on the data leak site as part of the ransomware’s extortion scheme. In DoppelPaymer ransomware, PowerShell, Cobalt Strike, PsExec, and Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report – were used to stealing credentials, moving laterally inside the network, and executing different commands.

In the blog post "Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk," Microsoft 365 Defender Threat Intelligence Team said that defenders should pay attention to malicious “PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.”

“Security teams can defend their organization by monitoring and investigating suspicious activity,” Sophos in the “The Active Adversary Playbook 2021” said. “The difference between benign and malicious is not always easy to spot. Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and the ability to respond are a vital part of any security solution.”