According to an April 6 blog post, on March 31, 2023, the U.S. District Court for the Eastern District of New York has issued a court order allowing Microsoft, cybersecurity software company Fortra, and Health Information Sharing and Analysis Center (Health-ISAC) to disrupt malicious infrastructure used by criminals to facilitate attacks on hospitals. The court order allows the organizations to take actions to disrupt cracked, legacy copies of Cobalt Strike—a customizable attack framework intended to be used by penetration testers and security red teams to simulate a real cyberthreat—and abused Microsoft software that cybercriminals use to distribute malware and ransomware.
The blog says that “We will need to be persistent as we work to take down the cracked, legacy copies of Cobalt Strike hosted around the world. This is an important action by Fortra to protect the legitimate use of its security tools. Microsoft is similarly committed to the legitimate use of its products and services. We also believe that Fortra choosing to partner with us for this action is recognition of DCU’s [Microsoft’s Digital Crime Unit] work fighting cybercrime over the last decade. Together, we are committed to going after the cybercriminal’s illegal distribution methods.”
Further, “Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation provided by Fortra. Sometimes, older versions of the software have been abused and altered by criminals. These illegal copies are referred to as ‘cracked’ and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims.”
Ransomware gangs associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries, according to the blog. These attacks have not only cost hospital systems millions of dollars in recovery costs, but also caused disruption to critical patient care services.
“Microsoft is also expanding a legal method used successfully to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of cybercriminals,” the blog adds. “Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm.”
