Microsoft and Fortra crack down on malicious Cobalt Strike servers

Microsoft, Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have announced a broad legal crackdown against servers hosting cracked copies of Cobalt Strike, one of the primary hacking tools used by cybercriminals. 

"We will need to be persistent as we work to take down the cracked, legacy copies of Cobalt Strike hosted around the world," said Amy Hogan-Burney, the head of Microsoft's Digital Crimes Unit (DCU).

"This is an important action by Fortra to protect the legitimate use of its security tools. Microsoft is similarly committed to the legitimate use of its products and services."

Last Friday, March 31, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft and Fortra (the maker of Cobalt Strike) to seize the domain names and take down the IP addresses of servers hosting cracked versions of Cobalt Strike (Microsoft complaint and court order).

This will happen with the help of relevant computer emergency readiness teams (CERTs) and internet service providers (ISPs), with the end goal of taking the malicious infrastructure offline.

Takedowns linked to this action have already started earlier this week, on Tuesday, and the court order also allows the coalition to disrupt new infrastructure that the threat actors will use in future attacks.

"Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics," Hogan-Burney said.

"Today's action also includes copyright claims against the malicious use of Microsoft and Fortra's software code which are altered and abused for harm."

Used by ransomware gangs and state hackers

Fortra, formerly known as Help Systems, released Cobalt Strike more than a decade ago, in 2012, as a legitimate commercial penetration testing tool for red teams to scan organizational infrastructure for vulnerabilities. 

Although the developer carefully screens customers and only licenses for lawful use, malicious actors have obtained and distributed cracked copies of the software over time, leading to Cobalt Strike becoming one of the most widely used tools in cyberattacks involving data theft and ransomware. 

Threat actors use it for post-exploitation tasks after deploying beacons designed to provide them with persistent remote access to compromised devices to harvest sensitive data or drop additional malicious payloads.

​Microsoft has detected malicious infrastructure hosting Cobalt Strike across the globe, including in China, the United States, and Russia, although the identity of those behind the criminal operations remains unknown. 

The company has also observed multiple state-backed threat actors and hacking groups using cracked Cobalt Strike versions while acting on behalf of foreign governments, including Russia, China, Vietnam, and Iran.

"The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world," Hogan-Burney said.

"These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few."

In November 2022, the Google Cloud Threat Intelligence team also open-sourced 165 YARA rules and a collection of indicators of compromise (IOCs) to help network defenders detect Cobalt Strike components in their networks.