Cobalt Strike Phishing email

I was recently contacted by someone via email saying they had installed a Cobalt Strike Beacon on my devices and is threatening to release a bunch of information to my email contacts. I have done an Etrecheck scan and cannot interpret anything of importance. Is this a possibility with the security that Apple provides for their OSs? Thanks!

MacBook Pro 13″, macOS 12.2

Posted on Mar 13, 2022 5:16 PM

Question marked as Top-ranking reply

Posted on Mar 14, 2022 6:54 AM

I’m not certain there is a reliable means to spot a Cobalt Strike implant, save at the network level and that’s probably impractical here.


That written, I suspect this is phishing, solely because the sender didn’t offer proof of the implant in the mail.


And if the sender indicated they attacked iPhone and iPad, Cobalt Strike implants aren’t available for those—macOS, Windows, and Linux only.


I would change your Apple ID, as that might have been exposed, and if you unfortunately re-used that password could well have been exposed, and would enable two-factor authentication if that’s not already in use. Cobalt Strike sounds more impressive than password-reuse-got-caught-in-a-breach-somewhere, after all.

Mar 13, 2022 8:00 PM in response to MediOgre

MediOgre wrote:

I was recently contacted by someone via email saying they had installed a Cobalt Strike Beacon on my devices and is threatening to release a bunch of information to my email contacts. I have done an Etrecheck scan and cannot interpret anything of importance. Is this a possibility with the security that Apple provides for their OSs? Thanks!


Worth reading these links...



Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support



Effective defenses against malware and other threats - Apple Community



I googled "Cobalt Strike Phishing email" and this was from the first link that popped up:


"Spear Phishing
Now that you have an understanding of client-side attacks, let’s talk about how to get the attack to the user. The most common way into an organization’s network is through spear phishing. Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template."


