Stopping cybercriminals from abusing security tools

Image of the globe with certain areas highlighted
Microsoft data showing the global spread of computers infected by cracked copies of Cobalt Strike.

Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra™ and Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. This is a change in the way DCU has worked in the past – the scope is greater, and the operation is more complex. Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals.

We will need to be persistent as we work to take down the cracked, legacy copies of Cobalt Strike hosted around the world. This is an important action by Fortra to protect the legitimate use of its security tools. Microsoft is similarly committed to the legitimate use of its products and services. We also believe that Fortra choosing to partner with us for this action is recognition of DCU’s work fighting cybercrime over the last decade. Together, we are committed to going after the cybercriminal’s illegal distribution methods.

Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation provided by Fortra. Sometimes, older versions of the software have been abused and altered by criminals. These illegal copies are referred to as “cracked” and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims.

The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.

Disruption components and strategy

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks. Doing so enables us to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers.

Fortra and Microsoft’s investigation efforts included detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners, including Health-ISAC, the Fortra Cyber Intelligence Team, and Microsoft Threat Intelligence team data and insights. Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software.

Microsoft is also expanding a legal method used successfully to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of cybercriminals. Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm.

Abuse by cybercriminals

Fortra has taken considerable steps to prevent the misuse of its software, including stringent customer vetting practices. However, criminals are known to steal older versions of security software, including Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. We have observed ransomware operators using cracked copies of Cobalt Strike and abused Microsoft software to deploy Conti, LockBit, and other ransomware as part of the ransomware as a service business model.

Threat actors use cracked copies of software to speed up their ransomware deployment on compromised networks. The below diagram shows an attack flow, highlighting contributing factors, including spear phishing and malicious spam emails to gain initial access, as well as the abuse of code stolen from companies like Microsoft and Fortra.

Example of an attack flow by threat actor DEV-0243.
Example of an attack flow by threat actor DEV-0243.

While the exact identities of those conducting the criminal operations are currently unknown, we have detected malicious infrastructure across the globe, including in China, the United States and Russia. In addition to financially motivated cybercriminals, we have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies.

Continuing the fight against threat actors

Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.

Fortra devotes significant computing and human resources to combat the illegal use of its software and cracked copies of Cobalt Strike, helping customers determine if their software licenses have been compromised. Legitimate security practitioners who purchase Cobalt Strike licenses are vetted by Fortra and are required to comply with usage restrictions and export controls. Fortra actively works with social media and file sharing sites to remove cracked copies of Cobalt Strike when they appear on those web properties. As criminals have adapted their techniques, Fortra has adapted the security controls in the Cobalt Strike software to eliminate the methods used to crack older versions of Cobalt Strike.

As we have since 2008, Microsoft’s DCU will continue its efforts to stop the spread of malware by filing civil litigation to protect customers in the large number of countries around the world where these laws are in place. We will also continue to work with ISPs and CERTs to identify and remediate victims.

Tags: , , , ,