The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike

Posted By on Apr 11, 2023

Microsoft has announced that its Digital Crimes Unit, the Health Information Sharing and Analysis Center (Health-ISAC), and the cybersecurity firm Fortra are taking action to prevent the legitimate red team post-exploitation tool, Cobalt Strike, from being illegally used by malicious actors for delivering malware and ransomware.

Cobalt Strike is a collection of tools used for adversary simulation that can be used to replicate the tactics and techniques of advanced threat actors in a network and emulate quiet, long-term actors with persistent access to networks. The tool was first developed in 2012 and fast became one of the most widely adopted tools among penetration testers. Cobalt Strike has grown in sophistication over the years, its functionality has been significantly enhanced, and it is part of Fortra’s cybersecurity portfolio.

While the tool is incredibly useful for red team operations, cracked copies of the tool have been circulated within the cybercriminal community and malicious use of the tool by cybercriminals is now increasing. Cobalt Strike is used by multiple ransomware gangs, including Lockbit and Conti, before the group split in 2022. Microsoft reports that Cobalt Strike has been used in more than 68 ransomware attacks on healthcare providers in more than 19 countries around the world. The attacks have prevented access to electronic health records, disrupted critical patient care services, resulted in delays to diagnosis and treatment, and have cost healthcare organizations millions of dollars in recovery and repair costs. The tool was also used in the devastating attack on the Health Service Executive in Ireland and the recent attack on the Government of Costa Rica.

Fortra has taken action to prevent the illegal use of Cobalt Strike, including stringent vetting processes for new customers; however, malicious actors have been using older, cracked versions of the tool to gain backdoor access to machines for distributing malware and accelerating the deployment of ransomware. Microsoft says the exact identities of the malicious actors using the tool are not known, but malicious infrastructure used by those threat actors has been detected in Russia, China, and the United States. In addition to misuse of the tool by financially motivated cybercriminals, advanced persistent threat actors from Russia, China, Vietnam, and Iran are known to have used cracked versions of Cobalt Strike.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Microsoft, Fortra, and Health-ISAC have joined forces to increase efforts to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software. In contrast to Microsoft’s typical efforts to combat cybercrime by disrupting the command-and-control infrastructure of malware families, efforts are being made to remove illegal, legacy copies of Cobalt Strike to prevent further use by malicious actors.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the infrastructure used by criminals to facilitate attacks in more than 19 countries. Relevant Internet Service Providers (ISPs) will be notified about the malicious use of the tool and computer emergency readiness teams (CERTs) will assist in taking the infrastructure offline and disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software. Microsoft, Fortra, and Health-ISAC will also be collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3) to prevent misuse of Cobalt Strike.

“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” explained Microsoft. “Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist