
U.S. software firm Fortra said it has 'seized and sinkholed' more than 200 malicious domains and has prevented further exploitation of its Cobalt Strike penetration testing tool by threat actors through its partnership with Microsoft's Digital Crimes Unit and the Health Information Sharing and Analysis Center.
WHY IT MATTERS
Strong privileged access management and proper configurations can prevent cybercriminals from abusing tools like Cobalt Strike, but getting unauthorized copies of the powerful attack platform used by security professionals out of their hands is also beginning to show results, according to a new Cobalt Strike blog by Fortra's Bob Erdman, associate vice president of research and development, and Peter Ceelen, product owner.
Microsoft joined Fortra and H-ISAC to take technical and legal action against ransomware groups using illegal legacy copies of Fortra’s threat simulation tool and compromised Microsoft software to target healthcare organizations in April 2023.
Ahead of the second anniversary of its partnership with Microsoft's DCU and H-ISAC, Erdman and Ceelen said the number of unauthorized copies of Cobalt Strike observed in the wild has decreased by 80%.
It's a drastic reduction of what is loose in the wild and available to cybercriminals to abuse in their attacks on healthcare and other organizations.
"This reduction has had a tangible impact, with these tools now being abused far less often," they said. "Additionally, the average dwell time -- the period between initial detection and takedown -- has been reduced to less than one week in the United States and less than two weeks worldwide."
Fortra said it also supported the three-year international cyber investigation dubbed Operation MORPHEUS, which sought to sever connections to "cracked" copies of Cobalt Strike used in numerous past ransomware attacks on healthcare organizations.
As part of that effort to take down known IP addresses and domain names associated with criminal activity, the company said 690 IP addresses associated with online service providers in 27 countries were flagged as targets for disabling unauthorized versions of its threat simulation tool. Erdman and Ceelen said 593 of these addresses were taken down.
The campaign to combat the malicious use of unauthorized copies continues to evolve, they noted in the blog.
THE LARGER TREND
Whether the attacker is Conti ransomware, the Rhysida Group or another cyberattack organization, the exploitation of legitimate cybersecurity tools used by healthcare organizations can be minimized by following industry best practices, such as strengthening access management policies in line with National Institute of Standards and Technology guidance and adopting Zero Trust principles.
"Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware," the Federal Bureau of Investigation said in a 2021 alert.
ON THE RECORD
"Collaboration is essential in advancing cybersecurity overall," Erdman and Ceelen said in the blog. "This not only strengthens the collective defense against cybercriminals, but also ensures that legitimate security tools can continue to be used responsibly and effectively to protect organizations worldwide."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.