IT security firm Recorded Future recently reported that it identified over 10,000 command and control (C&C) servers in 2020, directing over 80 varieties of malware. Interestingly, more than 25 percent of C&C attacks have utilized two specific security toolkits, Cobalt Strike and Metasploit.
IT security specialists use these two security tools to conduct penetration tests. They mimic the actions of a cybercriminal trying to break into a network, and thus help IT staff determine the strength of its defenses. However, cybercriminals quickly realized that they can use these offensive security tools to conceal real malware and access a network disguised as a typical penetration test.
In investigating this type of attack, experts at Recorded Future found that a C&C server has an average lifespan of about 55 days. Also, IT departments that look only for "suspicious" hosting providers can leave themselves exposed, as the report found the majority of C&C servers on the systems of respected web hosting providers based in the U.S. (Amazon, DigitalOcean, and Choopa).
The intentions behind the malware attacks monitored by the IT firm include both financial gain and state-sponsored espionage.
Source: Catalin Cimpanu, "Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020," www.zdnet.com (Jan. 07, 2021).