Microsoft and Fortra are taking legal and technical actions to thwart cyber-criminals from using the latter company’s Cobalt Strike software to distribute malware.
Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) filed a 223-page complaint against multiple groups known to have used older and altered versions of Cobalt Strike in dozens of ransomware attacks.
The US District Court for the Eastern District of New York on March 31 issued a court order allowing Microsoft and Fortra to take down IP addresses that are hosting cracked versions of Cobalt Strike and seize the domain names. They also can notify ISPs and computer emergency readiness teams (CERTs) to help take the infrastructure offline and cut off connections with the victims’ computers.
The broad action taken by the companies is a departure from previous methods used by DCU, according to Amy Hogan-Burney, general manager of the Microsoft security unit.
“This is a change in the way DCU has worked in the past – the scope is greater, and the operation is more complex,” Hogan-Burney wrote in a blog post. “Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals.”
Ongoing abuse of Cobalt Strike
Fortra developed Cobalt Strike more than a decade ago as a legitimate penetration tool used to simulate adversary actions.
However, criminals have used Cobalt Strike to gain backdoor access to targeted systems, steal data, and deploy malware, in particular ransomware like Conti, LockBit, and BlackBasta as part of the ransomware-as-a-service model.
Miscreants typically use older cracked versions of the software in their operations, including in high-profile attacks like those on the government of Costa Rica and Ireland’s Health Service Executive. Ransomware families known to use cracked copies of Cobalt Strike were linked to almost 70 attacks against healthcare organizations in more than 19 countries, according to Microsoft.
“Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims,” Hogan-Burney wrote, adding that “disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics.”
It’s a global problem
Redmond said that while it doesn’t know the exact identities of those behind attacks using cracked copies of Cobalt Strike, it has found malicious infrastructure around the world in places like the US, China, and Russia. Those using it are not only financially motivated criminal gangs but also groups working for nation-states like Russia, China, Vietnam, and Iran.
Fortra has taken steps to slow the abuse of its Cobalt Strike tool, including vetting, but it’s difficult to control what miscreants do with older illegal copies of the software.
In November 2022, Google’s Cloud Threat Intelligence unit took steps to help organizations protect against cracked or leaked versions of Cobalt Strike. The group identified 34 such versions being used in the wild and rolled out 165 open-source YARA rules – ways to identify malware by creating rules that detect particular characteristics – and a list of indicators of compromise.
“Our goal was to make high-fidelity detections to enable pinpointing the exact version of particular Cobalt Strike components,” Google wrote.
A month later, Palo Alto Networks’ Unit 42 group wrote that security teams could detect malware samples using Cobalt Strike by analyzing artifacts in process memory.
Microsoft cites copyright, RICO acts
In their extensive lawsuit, Microsoft, Fortra, and Health-ISAC cite violations of the Digital Millennium Copyright Act, the Copyright Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act, among others. They also cite the Racketeer Influenced and Corrupt Organizations (RICO) Act, alleging conspiracies.
They also are collaborating with such law enforcement agencies as the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3).
“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” Hogan-Burney wrote. “Our action is therefore not one and done.”
Cobalt Strike isn’t the only legitimate software tool used in cyberattacks. Microsoft has seen some of its software, such as its BitLocker encryption tool, abused by miscreants. A malicious toolkit called AlienFox being sold via Telegram and other avenues is using scanning platforms like LeakIX and SecurityTrails in its operations. ®