Health-ISAC, Microsoft take technical, legal action to stop cybercriminals from abusing security tools

The Health Information Sharing and Analysis Center (Health-ISAC), Microsoft’s Digital Crimes Unit (DCU), and cybersecurity software company Fortra are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. The scope is greater and the operation more complex than in previous efforts, and it marks a change in how DCU has worked in the past. Instead of disrupting the command and control of a malware family, this time action is being taken to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals.

The U.S. District Court for the Eastern District of New York last Friday issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks, Amy Hogan-Burney, general manager at Microsoft’s Digital Crimes Unit, wrote in a Thursday blog post. “Doing so enables us to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers,” she added.

Hogan-Burney added that there is a ‘need to be persistent’ in taking down the cracked, legacy copies of Cobalt Strike hosted around the world. “This is an important action by Fortra to protect the legitimate use of its security tools. Microsoft is similarly committed to the legitimate use of its products and services. We also believe that Fortra choosing to partner with us for this action is recognition of DCU’s work fighting cybercrime over the last decade. Together, we are committed to going after the cybercriminal’s illegal distribution methods.”

“Microsoft, Fortra, and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3) on this case,” Hogan-Burney wrote. “While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra, and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”

The initiative by Health-ISAC and Microsoft comes as ransomware families associated with or deployed using cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging, and laboratory results, canceled medical procedures, and delays in delivery of chemotherapy treatments, to name a few.

Hogan-Burney detailed that Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation provided by Fortra. Sometimes, older versions of the software have been abused and altered by criminals. “These illegal copies are referred to as ‘cracked’ and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims,” she added.

While the exact identities of those conducting the criminal operations are currently unknown, Hogan-Burney wrote that “we have detected malicious infrastructure across the globe, including in China, the United States, and Russia. In addition to financially motivated cybercriminals, we have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam, and Iran, using cracked copies.”

“Fortra and Microsoft’s investigation efforts included detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners, including Health-ISAC, the Fortra Cyber Intelligence Team, and Microsoft Threat Intelligence team data and insights,” Hogan-Burney wrote. “Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software.”

Microsoft is also expanding a legal method it has used successfully to disrupt malware and nation-state operations, applying it to the abuse of security tools by a broad spectrum of cybercriminals, she added. “Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code, which is altered and abused for harm,” Hogan-Burney wrote.

Fortra has taken considerable steps to prevent the misuse of its software, including stringent customer vetting practices. However, criminals are known to steal older versions of security software, including Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. “We have observed ransomware operators using cracked copies of Cobalt Strike and abused Microsoft software to deploy Conti, LockBit, and other ransomware as part of the ransomware as a service business model,” the post added.

Threat actors use cracked copies of the software to speed up their ransomware deployment on compromised networks. The documented attack flow highlights contributing factors, including spear phishing and malicious spam emails used to gain initial access, as well as the abuse of code stolen from companies like Microsoft and Fortra.

Last week, Health-ISAC released its 2022 Annual Report, which exemplifies global collaboration for resilience in the healthcare sector. The report highlights various services delivered over the year, including developing a customized exercise program, publishing its first Annual Threat Report, devoting resources and expertise to medical device security, and producing 275 targeted alerts, 87 threat bulletins, 144 vulnerability bulletins, and 197 finished intelligence reports, among other vital information. In addition, Health-ISAC shared over 21,000 highly curated indicators of compromise (IOCs) and two pre-public vulnerability notifications with its members.

“To collaborate is to partner and to commit to the possibility of producing an outcome greater than would be developed in a silo,” Denise Anderson, president and CEO of the Health-ISAC, wrote in the report. “Resilience is the capacity to withstand and/or recover quickly. At Health-ISAC we combine resources and information to make sure all of us are able to continue to deliver despite the threats we face. We are stronger and more resilient together.”
