Microsoft has partnered with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to stop cybercriminals abusing Cobalt Strike, a legitimate post-exploitation tool. The tech giant's Digital Crimes Unit (DCU) has secured a court order in the US that allows the three to take down infrastructure hosting cracked or legacy copies of Cobalt Strike, so that those copies cannot be used by cybercriminals.
Cobalt Strike is owned and maintained by Fortra (formerly HelpSystems). While the tool is meant for adversary simulation and red teaming, cracked versions of the program have been abused by attackers for years. Beyond the court order, the action also includes copyright claims over the "malicious use of Microsoft and Fortra's software code which are altered and abused for harm".
The problem is especially bad when it comes to ransomware, since Cobalt Strike makes it easy to escalate privileges and move laterally across a network, both of which matter if you're looking to encrypt as many files on as many computers as possible.
According to Microsoft DCU general manager Amy Hogan-Burney, ransomware deployed using cracked versions of Cobalt Strike has so far been linked to more than 68 ransomware attacks affecting healthcare organisations in over 19 countries. Conti and LockBit are two of the best-known ransomware families that have used Cobalt Strike, alongside other ransomware-as-a-service operations.
Google Cloud has identified at least 34 different cracked release versions of Cobalt Strike in the wild. The abuse doesn't stop at Cobalt Strike either: Microsoft SDKs and APIs are also misused in malware code and in the malware distribution infrastructure that targets and misleads victims.