To combat the widespread exploitation of Cobalt Strike abuse, a legitimate testing tool that attackers have used to devastate the healthcare sector, Microsoft and two partner organizations have been given a court order.
In a project unveiled on Thursday, the business’s Digital Crimes Unit (DCU) is collaborating with software developer Fortra, the non-profit Health Information Sharing and Analysis Center (Health-ISAC), misused Microsoft software, which cybercriminals have exploited to spread malware, including ransomware, to “disrupt cracked, older copies of Cobalt Strike.”
Red teams use Fortra’s Cobalt Strike, an adversary simulator and penetration testing application, to find vulnerabilities and formulate solutions. Nevertheless, earlier iterations of the program have been frequently abused by hackers. In a ruling published on March 31, the U.S. District Court of New York authorized the three parties to pursue the “malicious infrastructure”—such as command-and-control servers—used in attacks.
By doing this, Microsoft was able to alert pertinent internet service providers (ISPs) and computer emergency readiness teams (CERTs), which helped take the infrastructure offline and break the link between malicious actors and infected victim machines. The program involves copyright claims for using software code “altered and abused for damage,” the business continued.
According to Amy Hogan-Burney, general manager of cybersecurity policy and protection at Microsoft, ” attacks cybercriminals’ distribution channels “is one of the best ways to disrupt the criminal ecosystem, forcing criminals to reevaluate their tactics and decrease their ability to profit from their attacks.”
Microsoft and its partners have followed infrastructure globally using “detection, analysis, telemetry, and reverse engineering.” They have also seen nation-state entities in Russia, China, Vietnam, and Iran utilizing cracked versions of Cobalt Strike abuse.
The software has allegedly been utilized in over 68 ransomware attacks against the healthcare industry across more than 19 nations. A white paper detailing the tool and how it targets healthcare companies was published in 2021 by the Department of Health and Human Services.
The Conti ransomware group infiltrated the Costa Rican government using a cracked program version. They said that Microsoft and its collaborators collaborate with Europol’s European Cybercrime Centre (EC3), the National Cyber Investigative Joint Task Force (NCIJTF), and the FBI’s Cyber Division.
According to Bob Erdman, associate vice president of development at Fortra, the company has been working “for quite some time” to stop cybercriminals from exploiting its products. “Fortra invests a significant amount of money on researchers, infrastructure, and legal processes to combat these risks and develop the product in every iteration to make it more difficult for hostile actors to abuse,” he said.
DMCA [Digital Millennium Copyright Act] violation notifications, and Fortra has sent out other legal measures in the hundreds. Although the appropriate authorities have already used criminal enforcement, this new move enables Fortra further to increase the disruption through civil enforcement alongside our partners.
Conclusion
Microsoft, Fortra, and Health-ISAC have taken legal and technical measures to prevent the abuse of the Cobalt Strike abuse exploitation tool and Microsoft products. Fortra’s adversary simulation program Cobalt Strike is legal post-exploitation. Threat actors have cracked older versions of the program and used them in their harmful operations, despite the company’s efforts to avoid exploitation. Ransomware cybercriminals and state-sponsored threat groups from China, Russia, Iran, and Vietnam have abused Cobalt Strike. Health-ISAC, Microsoft, and Fortran have participated since Cobalt Strike has been utilized in healthcare ransomware attacks. 68 ransomware attacks on healthcare organizations in 19 countries used the exploitation technique.
Threat actors have used Microsoft’s SDKs and APIs to create and distribute malware in addition to Cobalt Strike. Threat actors misusing Cobalt Strike abuse and Microsoft technologies have disrupted their domains and hosting servers. A March 31 New York district court order accomplished this. ISPs and CERTs helped Microsoft and Fortra disable attacker infrastructure and block hackers from compromised devices.
These attacks employed US, Russian, and Chinese infrastructure. Microsoft, Fortra, and Health-ISAC sued 16 John Does. The complaint states they are members of Conti, BlackCat, LockBit, Evil Corp, and early access brokers. Disrupting cracked legacy copies of Cobalt Strike abuse will make it more difficult for criminals to profit from them and will slow down their use in cyberattacks. Amy Hogan-Burney, General Manager of Microsoft’s Digital Crimes Division, said, “Today’s case also added copyright claim issues against the malicious use of Microsoft and Fortra’s software code that is altered and exploited for harm.”
