CyberSecurityBoard
Sponsor Register Login

Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver

Security analysts at AhnLab Security Emergency Response Center have detected a new hacking campaign that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver. Sliver is an alternative to Cobalt Strike created by Bishop Fox and has been used by malicious actors for some time. It can be used to open reverse shells on compromised devices, install payloads, and execute commands with kernel-level privileges. The campaign was targeting two 2022 vulnerabilities in Sunlogin, a remote control software developed by Chinese developers. The attackers used PoC exploits available on the internet to exploit these vulnerabilities. The malicious code was loaded into memory and a portable executable was decoded. Mhyprot2DrvControl, an open-source tool, was used to gain access to the Windows kernel privileges and terminate security processes. Powercat was then downloaded from an external source and a reverse shell was created to connect to the C2 server. In some cases, the Sliver implant was installed on the system. Microsoft has recommended a few mitigations to protect against these attacks.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 08 Feb 2023 07:43:02 +0000


Cyber News related to Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver

Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
2 years ago Heimdalsecurity.com
PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
11 months ago Bleepingcomputer.com
Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News - Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded ...
1 month ago Therecord.media
International Operation Takes Down 593 Malicious Cobalt Strike Servers - Law enforcement agencies from around the world have successfully shut down 593 rogue servers running unauthorized versions of Cobalt Strike, a tool often misused by cybercriminals. Cobalt Strike, developed in 2012 by Raphael Mudge and now owned by ...
9 months ago Cybersecuritynews.com
Cybercriminals Take Advantage of Weaknesses in Sunlogin to Install Sliver Command and Control System - Cybercriminals are taking advantage of known weaknesses in Sunlogin software to deploy the Sliver command-and-control framework for post-exploitation activities. This was discovered by AhnLab Security Emergency response Center, which found that ...
2 years ago Thehackernews.com
Identifying Misuse of Cobalt Strike Systems - Google Cloud recently identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect them. The goal is to make it harder for malicious actors to abuse the tool. IronNet believes that a proactive approach to Cobalt Strike server ...
2 years ago Ironnet.com
Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver - Security analysts at AhnLab Security Emergency Response Center have detected a new hacking campaign that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver. Sliver is an alternative ...
2 years ago Cybersecuritynews.com
Sliver Framework Customized to Boost Evasion & Bypass EDR Detections - When tested against Elastic EDR and Windows Defender, these customized Sliver implants successfully evaded detection both on disk and in memory, demonstrating how minor modifications to open-source offensive tools can significantly challenge modern ...
4 weeks ago Cybersecuritynews.com Cloak
Europol Announces Crackdown on Cobalt Strike Servers Used by Cybercriminals - European law enforcement agency Europol on Wednesday announced a global crackdown against the use of legitimate security tools by cybercriminals, including the takedown of nearly 600 Cobalt Strike servers linked to criminal activity. The agency said ...
9 months ago Securityweek.com
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over - Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future. The Emotet takedown, led by Europol and Eurojust in 2021. The ...
1 year ago Infosecurity-magazine.com
Hackers Abuse Cobalt Strike, SQLMap & Other Tools to Target Organizations' Web Applications - These attacks specifically utilize Cobalt Strike, a legitimate adversary simulation tool designed for security professionals, and SQLMap, an open-source utility that automates the detection and exploitation of SQL injection vulnerabilities. The ...
1 month ago Cybersecuritynews.com
SQL Brute Force leads to Bluesky Ransomware - In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware. While other reports point to malware ...
1 year ago Thedfirreport.com CVE-2023-27350 BianLian
Threat Actors Turn To SLIVER As Open Source Malware Toolkit - A new open source malware toolkit, called SLIVER, is being used by threat actors to create and spread malicious programs. SLIVER is a modularized, open-source malware framework that allows users to easily build and deploy malicious Visual Basic ...
2 years ago Thehackernews.com
Illegal Access to Windows Computers Through Silver and Bring Your Own Device Vulnerabilities - A recent hacking campaign has been exploiting vulnerabilities in Sunlogin, a remote-control software, to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. ...
2 years ago Bleepingcomputer.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Water Curupira Hackers Launch Pikabot Malware Attack Windows - Pikabot is a loader malware that is active in spam campaigns and has been used by the threat group Water Curupira, which has been paused from June to September 2023 after Qakbot's takedown. The surge in Pikabot phishing campaigns was noted recently ...
1 year ago Gbhackers.com Black Basta
Sliver C2 Server Vulnerability Let Attackers Open a TCP connection to Read Traffic - A critical server-side request forgery (SSRF) vulnerability (CVE-2025-27090) has been identified in the Sliver C2 framework’s teamserver implementation, enabling attackers to establish unauthorized TCP connections through vulnerable servers. ...
2 months ago Cybersecuritynews.com CVE-2025-27090
CVE-2022-39197 - An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike ...
2 years ago
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
1 year ago Thedfirreport.com
New Hacker Group Uses SQL Injection to Hack Companies - A new threat actor has been discovered to be using SQL injection attacks to gain unauthorized access to organizations in the APAC region. Among the 20, the threat actor successfully infiltrated six organizations with the legacy SQL injection attack. ...
1 year ago Cybersecuritynews.com
Researchers Uncovered SuperShell Payloads & Multiple Tools From Hacker’s Open Directories - The Cobalt Strike beacon, found in a file named ‘test’, utilized different infrastructure than the SuperShell components, connecting to a server disguised with a certificate claiming to represent “jquery.com” with organization ...
1 day ago Cybersecuritynews.com
Threat Actors Exploited PHP-CGI RCE Vulnerability To Attack Windows Machines - The researchers also discovered that the attackers had access to a pre-configured installer script on their C2 server that could deploy a full suite of adversarial tools and frameworks hosted on an Alibaba cloud container Registry, indicating ...
1 month ago Cybersecuritynews.com CVE-2024-4577
Microsoft releases first Windows Server 2025 preview build - Microsoft has released Windows Server Insider Preview 26040, the first Windows Server 2025 build for admins enrolled in its Windows Insider program. This build is the first pushed for the next Windows Server Long-Term Servicing Channel Preview, which ...
1 year ago Bleepingcomputer.com
Counter-Strike 2 HTML injection bug exposes players' IP addresses - Valve has reportedly fixed an HTML injection flaw in Counter-Strike 2 that was heavily abused today to inject images into games and obtain other players' IP addresses. While initially thought to be a more severe Cross Site Scripting flaw, which ...
1 year ago Bleepingcomputer.com
CMDB: Device Visibility for Bank Security - Let us see how a device visibility and control software functions to automatically alert when a rogue or unauthorized device enters your network. Device visibility and control is a cybersecurity concept that refers to the ability to discover, ...
1 year ago Feeds.dzone.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)