CYR3CON™’s CyRating™ ranked CVE-2017-8759 as “Nearly Certain” to be exploited two months before the Cobalt group’s exploitation of it was reported on November 20th. CYR3CON™ data showed hackers discussing CVE-2017-8759 in relation to Cobalt Strike, the penetration-testing framework after which the Cobalt group is named, as early as Sept. 25. On November 20th, it was reported that the Cobalt group had exploited this vulnerability and used Cobalt Strike in a spam attack against Russian banks.
On Sept. 22, CYR3CON™ rated CVE-2017-8759 “Nearly Certain” to be exploited using its CyRating™ platform, which combines advanced machine learning with automatically mined deepweb/darkweb information. The rating takes hacker conversations on forums into account, and those forums showed users discussing this vulnerability together with Cobalt Strike.
CYR3CON™ saw hackers discussing CVE-2017-8759 beginning on Sept. 19, including sharing a link to an exploit sample. In these discussions, Cobalt Strike was mentioned in late September and again in early November.
As reported on Nov. 20, the Cobalt group exploited CVE-2017-8759 and used Cobalt Strike to phish Russian banks in attacks that lasted throughout June and July of this year.
Exploitation requires convincing a user to open a malicious document or application. The flaw lies in the .NET Framework, so Windows 7 through 10 and Windows Server 2008 through 2016 may be affected. Microsoft patched this CVE in September.
CYR3CON™ (Cyber Reconnaissance, Inc.) is a Next-Gen cyber threat intelligence firm which combines advanced machine learning with automatically mined deepweb/darkweb (D2web) information to provide predictive and actionable alerts which reduce cyber breaches. This automated approach largely removes the need for human analysts and allows clients to save time and money with an extremely scalable system. CYR3CON™ specializes in identifying cyber-threats before the breach occurs by collecting sensitive data from forums and websites within the D2web where malicious hackers organize, plan, sell and purchase malware and exploits.
To learn more, please contact your CYR3CON™ partner or visit us at CYR3CON™ today.