Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra™ and the Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt cracked copies of Cobalt Strike and abused Microsoft software that cybercriminals use to distribute malware, including ransomware. This is a change in the way DCU has worked in the past: the scope is greater, and the operation is more complex. Instead of disrupting the command and control of a single malware family, this time we are working with Fortra to remove illegal copies of Cobalt Strike so they can no longer be used by cybercriminals.
We will need to be persistent as we work to take down the cracked copies of Cobalt Strike hosted around the world. This is an important step by Fortra to protect the legitimate use of its security tools. Microsoft is similarly committed to the legitimate use of its products and services. We also believe that Fortra’s decision to partner with us in this effort is recognition of DCU’s work in fighting cybercrime over the last ten years. Together, we are committed to going after cybercriminals’ illegal distribution methods.
Cobalt Strike is a legitimate and popular post-exploitation tool for adversary simulation provided by Fortra. Sometimes older versions of the software are abused and altered by criminals. These illegal copies are referred to as “cracked” and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft’s software development kits and APIs are likewise abused, both as part of malware codebases and in the criminal infrastructure that distributes malware to target and mislead victims.
Ransomware families linked to cracked copies of Cobalt Strike have been associated with more than 68 ransomware attacks affecting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, as well as disruptions to critical patient care services, including delayed diagnostic, imaging and laboratory results, canceled medical procedures, and delays in chemotherapy treatments, to name a few.
Disruption details and strategy
On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure that criminals use to facilitate their attacks. Doing so allows us to notify the relevant Internet Service Providers (ISPs) and Computer Emergency Readiness Teams (CERTs), who help take the infrastructure offline, effectively severing communications between criminal operators and infected computers.
Fortra and Microsoft’s investigative efforts included detection, analysis, telemetry and reverse engineering, with additional data and insights to strengthen our legal case coming from a global network of partners, including Health-ISAC, Fortra’s Cyber Intelligence Team and Microsoft’s Threat Intelligence community. Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and abused Microsoft software.
Microsoft is expanding a legal method it has used successfully to disrupt malware and nation-state operations to now target the abuse of security tools widely used by cybercriminals. Taking down cracked copies of Cobalt Strike significantly hinders the monetization of these illegal copies and slows their use in cyberattacks, forcing criminals to reevaluate and change their tactics. Today’s action also includes copyright claims against the malicious modification and misuse of Microsoft’s and Fortra’s software code.
Abuse by cyber criminals
Fortra has taken considerable steps to prevent misuse of its software, including stringent customer vetting practices. However, criminals are known to steal older versions of security software, including Cobalt Strike, and create cracked copies to gain backdoor access to machines and deploy malware. We have observed ransomware operators using cracked copies of Cobalt Strike together with abused Microsoft software to deploy Conti, LockBit, and other ransomware as part of the ransomware-as-a-service business model.
Threat actors use these cracked software copies to speed up their ransomware deployments on compromised networks. The diagram below shows the attack flow, highlighting potential scenarios that include phishing and malicious spam emails to gain initial access, as well as the misuse of code stolen from companies such as Microsoft and Fortra.
While the exact identities of the perpetrators remain unknown, we have detected malicious infrastructure around the world, including in China, the United States, and Russia. In addition to financially motivated cybercriminals, we have also observed cracked copies being used by threat actors acting in the interests of foreign governments, including Russia, China, Vietnam, and Iran.
Continuing the fight against threat actors
Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, the National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this matter. While this action will impact the criminals’ immediate operations, we fully expect that they will attempt to revive their efforts. Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal activity, including the use of cracked copies of Cobalt Strike.
Fortra devotes significant computing and human resources to combating the illegal use of its software and cracked copies of Cobalt Strike. Legitimate security practitioners who purchase a Cobalt Strike license are vetted by Fortra and are required to comply with usage restrictions and export controls. Fortra actively works with social media and file-sharing websites to remove cracked copies of Cobalt Strike when they appear on those web properties. As criminals adapt their techniques, Fortra has modified the security controls in the Cobalt Strike software to remove the methods used to crack older versions of Cobalt Strike.
As we have since 2008, Microsoft’s DCU will continue its efforts to protect customers by filing civil lawsuits to stop the spread of malware. We also continue to work with ISPs and CERTs to identify and remediate victims.
Tags: Cobalt Strike, DCU, Digital Crimes Unit, Disruption, Fortra