Microsoft Gets Court Order to Sinkhole Cobalt Strike TrafficOrder Affects Malicious Domains, Server IP Addresses Hosted by US Data Centers
A common thread in ransomware incidents is hackers' use of penetration testing tool Cobalt Strike. U.S. federal agencies have issued repeated warnings, particularly to the health sector, to be vigilant for its presence. Google in late 2022 released code allowing antivirus engines to detect it.
Now, Cobalt Strike maker Fortra, Microsoft and the Health Information Sharing and Analysis Center have obtained a U.S. federal court order redirecting into sinkhole servers the internet traffic from Cobalt Strike-infected computers sent to command-and-control centers controlled by bad actors. The order affects server internet protocol addresses hosted by data centers across the United States and a slew of malicious domains.
"Instead of disrupting the command and control of a malware family, this time we are working with Fortra to remove illegal legacy copies of Cobalt Strike so they can no longer be used by cybercriminals, said Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit.
A complaint filed in the U.S. District Court for the Eastern District of New York by the three plaintiffs details a history of unlicensed versions of Cobalt Strike being used by hackers to pave the way for ransomware attacks by the likes of LockBit and Conti and its many spinoff groups.
Hackers used unlicensed versions of Cobalt Strike during a May 2021 hack of the Irish national health system that led to a ransomware attack by Conti - an incident that led to the malicious encryption of 80% of Health Service Executive data and hundreds of millions of dollars in remediation costs (see: Irish Healthcare Ransomware Hack Cost Over 80 Million Euros).
Conti used them again in 2022 in a chaos-sowing ransomware attack against the government of Costa Rica, in which security researchers detected "more than 10 Cobalt Strike beacon sessions."
First coded in 2012, Cobalt Strike was one of the first widely available penetration testing tools. It has grown in sophistication over the past decade and now allows users to send conduct reconnaissance and phishing emails and drop additional malware on infected systems. Proofpoint said in 2021 that it had witnessed a 161% increase in the use of the tool by threat actors from 2019 to 2020. Before Conti splintered in 2022, it valued the tool so much that it paid a legitimate company $30,000 to secretly buy licenses for it, cybersecurity reporter Brian Krebs wrote last year.
At least six healthcare organizations in the United States that have been hit with ransomware attacks showed indicators of a previous Cobalt Strike infection, said Errol Weiss, chief security officer of the Health-ISAC.
"We've got hospitals whose entire electronic health records goes down, they can't accept patients, hospitals are being diverted," he told Information Security Media Group of the effect of ransomware attacks.
The Department of Health and Human Services in October warned healthcare organizations that Cobalt Strike infections have been rising. The tool's use isn't limited to ransomware hackers, it cautioned - nation-state threat actors have also embraced it. Microsoft said hacking groups acting in the interests of foreign governments - including Russia, China, Vietnam and Iran - using unlicensed or stolen copies of Cobalt Strike.