
Microsoft’s Digital Crimes Unit (DCU), security software vendor Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have joined forces to remove cracked legacy copies of Cobalt Strike through legal and technical action.
Cobalt Strike, sold by Fortra, is a reputable and popular post-exploitation security tool, but its older versions have become a favorite of cybercriminals for malicious use. Pulling these legacy copies globally is a new approach for Microsoft’s DCU, aimed at cutting off the threat at its source: the illegal distribution of compromised, malicious software.
Using maliciously altered versions of the Cobalt Strike software, threat actors have targeted healthcare organizations in nearly 70 ransomware attacks in 19 countries.
Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is then used for multiple malicious activities, including escalating privileges, lateral movement, and deploying additional malicious payloads.
The attacks caused the affected hospitals significant financial damage in recovery and repair costs, along with interruptions to critical patient care services. Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.
Earlier, in 2022, Google TAG also reported on the same cracked Cobalt Strike tooling and the many components of it used in attacks.
Microsoft, along with partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.