Common security tools are being used to evade detection and enact harm by cybercriminals across the globe. But these industry leaders have banded together to combat the issue.

By Microsoft Security

Cybercriminals are constantly looking for novel ways to evade detection and enact harm. Outdated copies of common security tools have become one avenue. Microsoft, cybersecurity software company Fortra™ and the Health Information Sharing and Analysis Center (Health-ISAC) recently came together to combat this issue.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure criminals use to facilitate their attacks.

Cobalt Strike, which is provided by Fortra, is a legitimate and popular post-exploitation tool used for adversary simulation; however, threat actors will sometimes abuse and alter older versions of the software. These illegal copies are referred to as “cracked” and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft software development kits and APIs have also been abused as part of the malware coding and distribution infrastructure to target and mislead victims.

The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging, and laboratory results, canceled medical procedures, and delays in delivery of chemotherapy treatments, just to name a few.

The court order issued by the U.S. District Court for the Eastern District of New York enables Microsoft to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers.

Disrupting criminal activity through legal avenues

The cybersecurity community will need to be persistent to successfully take down the cracked, legacy copies of Cobalt Strike hosted around the world. In the past, Microsoft’s Digital Crimes Unit has focused on disrupting the command and control infrastructure of malware families. Now, the team has pivoted its approach to combining technical and legal action to target the abuse of security tools used by a broad spectrum of cybercriminals.

Fortra and Microsoft’s investigation efforts included detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners, including Health-ISAC, the Fortra Cyber Intelligence Team, and the Microsoft Threat Intelligence team. Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software.

Disrupting cracked legacy copies of Cobalt Strike significantly hinders cybercriminals’ ability to monetize and use these illegal copies in cyberattacks. Additionally, the joint litigation involves copyright claims against the malicious use of Microsoft and Fortra’s software code, which is altered and abused for harm.

Continuing the fight against threat actors

Fortra has taken considerable steps to prevent the misuse of its software, including stringent customer vetting practices. As criminals have adapted their techniques, Fortra has adapted the security controls in the Cobalt Strike software to eliminate the methods used to crack older versions of Cobalt Strike.

While the exact identities of those conducting the criminal operations are currently unknown, Fortra and Microsoft detected malicious infrastructure across the globe, including in China, the United States, and Russia.

Responding to this threat will take a coordinated effort from public and private sector entities. One of the best ways that organizations can contribute to a collectively strengthened cybersecurity posture is by aligning with broadly agreed-upon best practices like Zero Trust. This model focuses on using explicit verification, least-privileged access, and assumed breach to disrupt cybercriminal activity.

Microsoft, Fortra and Health-ISAC are also collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While these actions will impact the criminals’ immediate operations, the companies anticipate criminals will attempt to revive their efforts. Through ongoing coordinated legal and technical action, Microsoft, Fortra and Health-ISAC will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.

To stay up to date with the latest trends in cybercriminal activity, visit Microsoft Security Insider.