
Cobalt Strike abuse drops 80% following takedown campaign
Microsoft, H-ISAC and Fortra worked together on takedown efforts over the past two years, resulting in a significant reduction of Cobalt Strike abuse by cybercriminals.
Cobalt Strike abuse in the wild has dropped significantly, with the number of unauthorized copies of Cobalt Strike observed in the wild decreasing by 80% over the past two years, according to Fortra, which acquired Cobalt Strike in 2020.
The Fortra blog post, authored by Bob Erdman, associate vice president of research and development at Fortra, and Peter Ceelen, product owner at Fortra, marked the second anniversary of an ongoing partnership between Fortra, Microsoft's Digital Crimes Unit, and the Health Information Sharing and Analysis Center, or H-ISAC.
Fortra, Microsoft and H-ISAC joined forces in 2023 to crack down on illegal, legacy copies of Cobalt Strike and abused Microsoft software. Cybercriminals have been abusing illegal, "cracked" copies of Cobalt Strike since its debut in 2012.
The legitimate remote access tool was created to defend against cyberattacks, but cybercriminals instead used it to perpetrate destructive attacks against organizations, including several healthcare organizations.
In addition to a reduction in unauthorized copies of Cobalt Strike, the partnership allowed these organizations to seize and sinkhole more than 200 malicious domains, and reduce the average dwell time, or time between initial detection and takedown, to less than one week in the U.S. and less than two weeks worldwide.
Fortra also took part in Operation Morpheus, a multi-year investigation led by the UK's National Crime Agency. These efforts resulted in 690 IP addresses associated with criminal activity being flagged to online service providers, most of which were successfully taken down.
Fortra said it would continue to send takedown notices to online service providers and actively participate in tracking unauthorized copies and squashing attempts to abuse the tool.
"By proactively sharing our disruption techniques through conference talks and webinars, we have provided the broader security community with a proven roadmap that other solution providers can follow to engage in public/private disruption partnerships when faced with similar challenges," the post stated.
"Collaboration is essential in advancing cybersecurity overall. This not only strengthens the collective defense against cybercriminals but also ensures that legitimate security tools can continue to be used responsibly and effectively to protect organizations worldwide."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.