Microsoft is taking technical and legal action against abuse of Cobalt Strike, a red teaming tool commonly deployed in ransomware attacks.
Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit, detailed in a blog post Thursday the private sector's latest efforts to crack down on cyber adversaries illegally using Cobalt Strike to conduct cyber attacks. Cobalt Strike was first introduced in 2012 as an adversary simulation platform and was acquired by software vendor Fortra, formerly known as HelpSystems, in 2020.
While the U.S. government and large organizations use the red teaming tool to test network defenses, cybercriminals commonly take older versions of the software, crack them and alter them for malicious purposes. Hogan-Burney wrote that illegal, or "cracked," Cobalt Strike instances have previously been used in attacks against the government of Costa Rica and the Irish Health Service Executive.
Cracked copies of Cobalt Strike are also used in conjunction with abused Microsoft software, including its software development kits and APIs.
"Microsoft software development kits and APIs are abused as part of the coding of the malware, as well as the criminal malware distribution infrastructure to target and mislead victims," Hogan-Burney wrote in the blog.
Microsoft announced Thursday that in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), it obtained a court order on March 31 to seize domains and knock illegal Cobalt Strike infrastructure offline.
The order, issued by the U.S. District Court for the Eastern District of New York, "enables us to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers," Microsoft said in its blog post.
Beyond seizing the infrastructure behind cracked Cobalt Strike copies, the legal action lets Microsoft and Fortra bring copyright claims against the malicious use of their software code.
While Microsoft has led legal takedowns in the past, Hogan-Burney noted that the Cobalt Strike crackdown is broader in scope and more complex than previous operations.
"Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals," the blog post read.
Hogan-Burney highlighted how Microsoft hopes the action will "significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics." However, the vendor acknowledges that the effects may not be long-lasting.
In an email to TechTarget Editorial, Hogan-Burney said that while this action will affect criminals' immediate operations, Microsoft fully anticipates they will revive their efforts. She referred to the type of legal action Microsoft and Fortra will employ as "advanced persistent disruption."
"After we execute the temporary restraining order, we are going to seek a permanent injunction because we believe this activity will continue by the cybercriminals," Hogan-Burney said. "They will look to move hosting sites for the cracked, legacy versions of Cobalt Strike because it is an effective tool for them."
Christopher Glyer, principal security researcher at Microsoft, shared similar sentiments in a tweet Friday. A key takeaway of the announcement, he said, is the legal authority to take down attacker infrastructure on an ongoing basis.
"In the crime space especially - C2 infra is re-used across multiple victims," Christopher Glyer (@cglyer) tweeted on April 7, 2023.
"This isn't just a one time takeover of several hundred C2 domains & infrastructure (which by itself is helpful for defenders)…but introducing ongoing friction/disruption/surprise to attacker operations."
Bob Erdman, associate vice president of research and development at Fortra, told TechTarget Editorial via email that reaching this step took months of targeted hard work and joint investigations.
"Cobalt Strike is not the first software tool to be targeted by threat actors, and unfortunately it won't be the last," Erdman said. "However, the industry as a whole must work together to limit threat actor activity and prevent cyber attacks."
Operators behind Conti and LockBit, two highly active ransomware groups, have used cracked Cobalt Strike copies to deploy ransomware. While Cobalt Strike is used to distribute a variety of malware, Microsoft emphasized that ransomware is a typical end game.
"The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world," the blog read.
Trellix researchers have also observed Cobalt Strike's use in Royal ransomware attacks.
Microsoft is not the first major cybersecurity vendor to attempt to curb Cobalt Strike abuse, which has been an ongoing issue. Last year, Google released a set of open source YARA rules to help organizations better detect malicious instances of Cobalt Strike.
Arielle Waldman is a Boston-based reporter covering enterprise security news.