StrikeShark Campaign Deploys Cobalt Strike via SharkLoader Loader Across Global Targets
What Happened – Researchers identified a new threat‑actor campaign, dubbed StrikeShark, that uses a custom loader called SharkLoader to drop a Cobalt Strike beacon on compromised hosts. The initial foothold is gained by exploiting public‑facing applications such as Microsoft Exchange (e.g., CVE‑2021‑26855 ProxyLogon), SharePoint and Openfire, as well as by delivering malicious dropper binaries. Infections have been observed in diplomatic, government and software‑development environments across Indonesia, Taiwan, Hong Kong, the Middle East, South America and Europe.
Why It Matters for Compliance & Audit Readiness
- The attack exploits unpatched internet‑facing services – a classic control gap that SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) require you to remediate and continuously monitor.
- Continuous evidence of patch‑management, vulnerability scanning and privileged‑access reviews is essential to demonstrate due diligence during a SOC 2 audit.
- Mapping the “exploit‑to‑beacon” chain to your control framework provides audit‑ready artifacts (scan reports, remediation tickets, log‑collection) that prove the effectiveness of your security controls.
Who Is Affected – Government & diplomatic bodies, software development firms, SaaS providers, and any organization exposing Exchange, SharePoint or similar web services to the internet.
Recommended Actions –
- Verify that all Exchange, SharePoint and Openfire instances are patched for known CVEs (e.g., CVE‑2021‑26855) and that a vulnerability‑management program is in place.
- Enable continuous monitoring of inbound traffic to public‑facing services and integrate findings into your SOC 2 control evidence repository.
- Review and tighten privileged‑access policies; enforce MFA and least‑privilege for accounts that can modify web‑application configurations.
Source: Kaspersky SecureList – StrikeShark Campaign
Technical Notes – The loader leverages a “PerfectDLL Hijacking” technique to inject malicious DLLs, registers a VEH (Vectored Exception Handler) for stealth, and ultimately spawns a Cobalt Strike beacon. Primary attack vectors are VULNERABILITY_EXPLOIT of internet‑facing applications; no specific data exfiltration was disclosed. Source: same as above