Malicious Cobalt Strike Servers

A recent collaboration between Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health-ISAC has resulted in a significant legal crackdown targeting servers hosting cracked and illicit versions of Cobalt Strike.

Since threat actors actively use this tool, Cobalt Strike is one of their most essential tools for hacking.

As a company dedicated to protecting the legitimate use of its security tools, Fortra has undertaken this vital action to protect such use. 

Additionally, Microsoft takes a similar approach to ensuring that its services and products are used legitimately.

The most imperative thing to be followed is to remain persistent in removing the cracked copies of Cobalt Strike currently being hosted worldwide.

Disruption Plan

In an attempt to allow Microsoft, Fortra, and Health-ISAC to destroy and seize the complete malicious infrastructure of the threat actors, a court order has been issued by the U.S. District Court for the Eastern District of New York on March 31, 2023.

The ultimate objective of enlisting the assistance of pertinent CERTs and ISPs is to make all the malicious infrastructure nonfunctional.

While apart from this, Microsoft and Fortra conducted an in-depth investigation analysis that included:-

  • Detection
  • Analysis
  • Telemetry
  • Reverse engineering
  • Additional data and insights

By disrupting the usage of pirated legacy copies of Cobalt Strike, the criminal’s ability to monetize and employ these illegal versions for cyber attacks will be substantially restricted.

As a result, this move will force criminals to re-examine their tactics and seek new alternatives.

Ransomware Gangs and Hackers Actively Exploit Cobalt Strike

Cobalt Strike was initially introduced as a legitimate commercial penetration testing tool. This tool is mainly released for red teams to assess the security of organizational infrastructure for vulnerabilities. 

While it was launched over a decade ago in 2012 by Fortra, formerly Help Systems. Despite the developer’s diligent customer screening and strict licensing policy, the threat actors have acquired and distributed the software’s cracked copies.

The threat actors use this in their post-exploitation operations once beacons have been deployed.

To harvest sensitive data or drop additional malicious payloads through compromised devices, these beacons are used by the threat actors, and they even enable them with persistent remote access to compromised devices.

Apart from the globe, the following countries have been detected by Microsoft as hosting malicious infrastructure for Cobalt Strike:-

  • China
  • The United States
  • Russia

It has not yet been determined who is behind all these criminal activities; in short, their identity remains a mystery.

Moreover, hackers and threat actors affiliated with state-supported organizations and hacker groups have been observed using cracked versions of Cobalt Strike at the behest of foreign governments such as:-

  • Russia
  • China
  • Vietnam
  • Iran

More than 68 ransomware attacks on healthcare institutions across 19 countries globally have been conducted, and these attacks are connected with the use of cracked versions of Cobalt Strike.

There are many things that Microsoft, Fortra, and Health-ISAC are actively doing to improve the security of their ecosystem, as they are committed to providing such security services.

As a result, they affirmed that in this case, they will also collab with the following security bodies:-

  • FBI Cyber Division
  • National Cyber Investigative Joint Task Force (NCIJTF)
  • Europol’s European Cybercrime Centre (EC3)

Why do Organizations need Unified endpoint managementFree E-books & Whitepapers

Related Read:

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.