The U.S. District Court for the Eastern District of New York permits Microsoft to seize malicious Cobalt Strike infrastructure used in global malware and ransomware attacks.
The U.S. District Court for the Eastern District of New York has granted permission for the seizure of domain names used by threat actors to store and share malicious versions of Cobalt Strike.
This action follows legal and technical efforts by Microsoft, Health ISAC (Health Information Sharing and Analysis Center), and cybersecurity firm Fortra to prevent the abuse of Microsoft software and the Cobalt Strike exploitation tool.
It is worth noting that in 2019, Microsoft employed a similar approach to seize 50 domains utilized by North Korean hacker groups Thallium and APT37 for large-scale cyberattacks.
According to the lawsuit, cybercriminals are utilizing cracked, legacy copies of the post-exploitation tool and Microsoft software to distribute malware and ransomware.
Cobalt Strike, originally provided by Fortra for adversary simulation, is a legitimate post-exploitation tool. Despite Fortra’s efforts to prevent abuse, hackers continue to crack older versions of the product and abuse them.
The recent court order enables these organizations to notify and seize IP addresses hosted in the United States that are hosting malicious versions of these tools. The domains will be taken down immediately, and the court order also allows for the ongoing seizure of such domains in the future, as cybercriminals are likely to develop new infrastructure.
Additionally, Microsoft will be notifying hosting providers in the European Union and Latin America to prevent the abuse of manipulated versions of Cobalt Strike by taking down host domains.
Microsoft has also stated that its APIs and SDKs have been abused by threat actors in the development and distribution of malware. Therefore, Fortra and Microsoft have obtained temporary restraining orders against the copyright violators of their programs to ensure that malicious versions are shut down and seized.
It is important to note that Cobalt Strike is frequently used in ransomware attacks, particularly those targeting the healthcare sector, which is why Health ISAC has been involved in the court proceedings.
Recently, the tool has been observed in at least 68 ransomware attacks against healthcare organizations in 19 countries. Profit-driven criminals also use malicious versions of Cobalt Strike to launch ransomware attacks, and state-sponsored actors linked with Russia, China, Vietnam, and Iran are also actively exploiting it.
The action against the abuse of Cobalt Strike and Microsoft software involves disrupting the attackers’ infrastructure, including hosting servers and domains. The court order was issued on March 31, and with the assistance of CERTs and ISPs, Microsoft and Fortra have successfully taken down attacker infrastructure and blocked cybercriminals’ access to compromised devices.
In their lawsuit, the companies have named sixteen John Does as the defendants, without revealing their identities. The complaint has disclosed that these individuals are members of the Conti, LockBit, and BlackCat ransomware gangs, as well as the Evil Corp cybercrime group.
“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” Microsoft’s Digital Crimes Unit GM, Amy Hogan-Burney stated.