Fortra and Health-ISAC join forces to eliminate illicit Cobalt Strike tools
Combating cyber threats with a united front
Fortra takes significant steps to prevent abuse of its Cobalt Strike software for post-exploitation adversary simulation, including stringent customer vetting. But criminal gangs sometimes steal older, cracked versions of the tool to gain backdoor access and deploy malware, including ransomware like Conti and LockBit.
Now Microsoft and Fortra, with the support of Health-ISAC, have taken a legal and technical approach to disrupting the illegal use of these cracked copies by obtaining a court order to redirect internet traffic from infected machines into sinkhole servers.
Microsoft and Fortra Take Legal and Technical Action to Disrupt Cracked Legacy Copies of Cobalt Strike
Almost all ransomware attacks targeting healthcare organizations have had one thing in common: hackers used unlicensed versions of penetration testing software Cobalt Strike to breach the target systems. Hackers embraced Cobalt Strike as a key tool in their attack arsenal because it allows them to conduct reconnaissance, steal data and deploy malware. Infections by ransomware families linked to and deployed with Cobalt Strike cost the health sector millions of dollars in remediation costs, interrupted patient care, canceled surgeries and delays in diagnostic, imaging and laboratory tests. Hackers using unlicensed Cobalt Strike aren’t just criminal gangs, Microsoft says — they include groups of hackers working for nation-states like Russia, China, Vietnam and Iran.
While Fortra has taken steps to slow the use of its software by criminals, including stringent customer vetting, it’s difficult to control what criminals do with older cracked copies of Cobalt Strike and other security tools that have been stolen and altered to gain backdoor access to systems or deliver malware. For this reason, Microsoft’s Digital Crimes Unit (DCU) teamed up with Fortra and Health Information Sharing and Analysis Center (Health-ISAC) to get a U.S. court order enabling them to disrupt the malicious infrastructure criminals use. The order redirects internet traffic from Cobalt Strike-infected computers into sinkhole servers, cutting off connections to the bad actors’ command and control centers.
The partners will continue to work with other cybersecurity companies, internet service providers and computer emergency response teams to identify and take down servers that host illegal versions of Cobalt Strike. This will help deprive criminals of the tools they rely on to launch their attacks and force them to change their tactics.
This approach is a new way for DCU to work — rather than disrupting the command and control of a specific ransomware family, DCU and Fortra are removing illegal legacy copies of Cobalt Strike so criminals can’t use them. It won’t stop cybercriminals from trying to revive thwarted attacks, but it will make it harder for them to succeed.
Microsoft’s Digital Crimes Unit (DCU)
Cybercriminals use unlicensed penetration testing tools such as Cobalt Strike to gain backdoor access to computers and then deploy ransomware or other malware. A 2021 investigation by cybersecurity reporter Brian Krebs found that hackers value this tool so highly that one gang reportedly paid $30,000 for legitimate Cobalt Strike licenses and then distributed them to other criminal groups. Hackers have also used this tool to evade detection by antimalware tools and antivirus engines.
Fortra devotes significant resources to stopping the illegal exploitation of its software, and uses stringent customer vetting practices to ensure that only legitimate security practitioners can purchase Cobalt Strike licenses. However, criminals have stolen older versions of the software and created cracked copies that allow them to gain access to and then exploit systems. We’ve seen these tools used to conduct destructive attacks against government and health care systems, such as the attack on Ireland’s national healthcare system, the Health Service Executive, in May 2021, which led to a ransomware attack by the infamous Conti family of malware.
Today, Microsoft’s Digital Crimes Unit (DCU), working with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has been granted a U.S. court order to disrupt the malicious infrastructure associated with this activity. DCU and Fortra are working with internet service providers and computer emergency readiness teams to take the infrastructure offline – effectively cutting off the connection between criminal operators and infected systems.