Microsoft, cybersecurity firm Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have taken legal and technical action in an effort to prevent the abuse of the Cobalt Strike post-exploitation tool, as well as the abuse of Microsoft software.
Cobalt Strike is a legitimate post-exploitation tool designed by Fortra for adversary simulation. While the company has been trying to prevent the abuse of its product, including by verifying the customers it’s sold to, threat actors have found ways to create cracked copies — typically older versions of the software — and abuse them in their malicious operations.
Cobalt Strike has been widely abused, including by profit-driven cybercriminals that run ransomware operations and state-sponsored threat groups associated with China, Russia, Iran and Vietnam.
Health-ISAC was involved in the operation alongside Microsoft and Fortra because Cobalt Strike has often been abused in ransomware attacks targeting the healthcare sector. The exploitation tool has been observed in 68 ransomware attacks that hit healthcare organizations across 19 countries.
In addition to the abuse of Cobalt Strike, Microsoft said its own SDKs and APIs have been leveraged by threat actors to develop and distribute malware.
The technical action taken against threat actors abusing Cobalt Strike and Microsoft software includes disrupting the infrastructure used by the attackers, such as domains and hosting servers. This was achieved through a court order issued on March 31 by a New York district court.
ISPs and CERTs helped Microsoft and Fortra take down attacker infrastructure and block the hackers’ access to infected devices.
Malicious infrastructure used for these attacks was identified in countries such as the United States, Russia, and China.
The lawsuit filed by Microsoft, Fortra and Health-ISAC names 16 John Does as plaintiffs. While their real identities are not known, the complaint reveals that they are members of the Conti, BlackCat and LockBit ransomware groups, initial access brokers, and members of the Evil Corp cybercrime group.
“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit.
Microsoft and Fortra’s actions come just months after Google announced the release of Yara rules and a VirusTotal Collection to help detect malicious use of Cobalt Strike.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.