Cobalt Strike, a legitimate tool used by security researchers for penetration testing, has been found in the wild supporting Linux-based attacks.
Though intended to help find and close vulnerabilities by simulating cyberattacks, Cobalt Strike is exploitable by criminals and has seen 161% more use year-over-year for such purposes. The tool has been used to target tens of thousands of organizations and was notably used in the SolarWinds attack.
Until recently, one weakness of Cobalt Strike from cybercriminals' perspective was that it only worked on Windows. As of August, a new Linux-friendly implementation named Vermilion Strike can targets 90% of all cloud servers.
Vermilion Strike and Cobalt Strike both follow predictable behaviors. Because of that, their malicious use is easily identified and stopped by Acronis Cyber Protect's advanced behavioral detection engine.