Technical, Legal Action Taken to Prevent Abuse of Cobalt Strike, Microsoft Software

Microsoft, cybersecurity firm Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have taken legal and technical action to prevent the abuse of the Cobalt Strike exploitation tool, as well as the abuse of Microsoft software. Cobalt Strike is a legitimate post-exploitation tool designed by Fortra to be used for adversary simulation and has been widely abused, including by cybercriminals running ransomware operations and state-sponsored threat groups. Health-ISAC is involved in this operation because the exploitation tool has been observed in 68 ransomware attacks that hit healthcare organizations across 19 countries.

In addition to the abuse of Cobalt Strike, Microsoft said its own SDKs and APIs have been leveraged by threat actors to develop and distribute malware. Microsoft, Fortra, and Health-ISAC have taken action to disrupt the infrastructure used by the attackers, such as domains and hosting servers, which was achieved through a court order issued on March 31 by a New York district court. ISPs and CERTs have helped Microsoft and Fortra take down attacker infrastructure and block the hackers’ access to infected devices.

The lawsuit filed by Microsoft, Fortra and Health-ISAC names 16 John Does as defendants, who are members of the Conti, BlackCat and LockBit ransomware groups, initial access brokers, and members of the Evil Corp cybercrime group. Microsoft and Fortra’s actions come just months after Google announced the release of Yara rules and a VirusTotal Collection to help detect malicious use of Cobalt Strike.

Microsoft’s Digital Crimes Unit GM, Amy Hogan-Burney, stated that disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. The action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code, which is altered and abused for harm.

Key Points:
• Microsoft, Fortra, and Health-ISAC have taken legal and technical action to prevent the abuse of the Cobalt Strike exploitation tool, as well as the abuse of Microsoft software.
• The action taken includes disrupting the infrastructure used by the attackers, such as domains and hosting servers, with the help of ISPs and CERTs.
• Microsoft, Fortra, and Health-ISAC have filed a lawsuit against 16 John Does and have taken copyright claims against the malicious use of Microsoft and Fortra’s software code.
• Google has released Yara rules and a VirusTotal Collection to help detect malicious use of Cobalt Strike.
