Microsoft, Fortra, Health-ISAC Crack Down On Cobalt Strike Abuse

Microsoft’s Digital Crimes Unit is partnering with Fortra and Health-ISAC to remove illegal, legacy copies of Cobalt Strike used by cybercriminals.

Microsoft’s Digital Crimes Unit (DCU), along with cybersecurity software company Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), is working to disrupt illegal, legacy copies of Cobalt Strike and abused Microsoft software.

“The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world,” Microsoft stated.

“These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.”

To combat the abuse of these tools, the US District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the infrastructure cybercriminals use to facilitate attacks.

“Doing so enables us to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers,” Microsoft added.

Cybercriminals have been abusing Cobalt Strike, a legitimate remote access tool created to defend against cyberattacks, since its creation in 2012. The widespread abuse led the Health Sector Cybersecurity Coordination Center (HC3) to issue a brief about Cobalt Strike risks in November 2021.

Abuse of legitimate tools by cybercriminals is not uncommon – threat actors have been known to turn Mimikatz, PowerShell, and Cobalt Strike against the very infrastructure these tools were designed to protect.

Illegal, legacy copies of Cobalt Strike, referred to by Microsoft as “cracked,” have been used in destructive attacks against the Irish Health Service Executive and the Government of Costa Rica.

“This is a change in the way DCU has worked in the past – the scope is greater, and the operation is more complex,” Microsoft continued. “Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals.”

Additionally, Microsoft is taking legal action to disrupt nation-state operations, including filing copyright claims against the malicious use of Microsoft and Fortra’s software code. Despite Fortra’s efforts to prevent the abuse of its software, cybercriminals have been increasingly stealing older versions and creating cracked copies in order to deploy malware.

“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case,” Microsoft explained.

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”